HijackThis log - Please Help

Discussion in 'adware, spyware & hijack cleaning' started by IQBoy, May 28, 2004.

Thread Status:
Not open for further replies.
  1. IQBoy

    IQBoy Registered Member

    Joined:
    May 28, 2004
    Posts:
    1
    Help! I've been hijacked. Could you please review this log and tell me how to clean up my PC.

    Thank you so much.

    IQBoy

    ---

    Logfile of HijackThis v1.97.7
    Scan saved at 12:27:04 AM, on 27/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ltcm000c.exe
    C:\WINDOWS\System32\S3tray.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
    C:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe
    C:\Documents and Settings\Eben\My Documents\Temp\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\daeko.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\daeko.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\daeko.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\daeko.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\daeko.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\daeko.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F0 - system.ini: Shell=explorer.exe winlogin.exe
    F2 - REG:system.ini: Shell=explorer.exe winlogin.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O2 - BHO: (no name) - {AE3E543B-C2D5-44F6-A700-BF54DAEFAC45} - C:\WINDOWS\System32\daeko.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
    O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
    O4 - HKLM\..\Run: [winlogon] winlogin.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [winlogon] winlogin.exe
    O4 - Startup: Fn-esse.lnk = C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\smc.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38112.9700462963
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    For starters, this looks like a trojan

    O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
    O4 - HKLM\..\Run: [winlogon] winlogin.exe
    O4 - HKCU\..\RunOnce: [winlogon] winlogin.exe

    Tick each of those and choose Fix Selected, then reboot. Please email the file winlogin.exe to submit@diamondcs.com.au then delete it

    C:\WINDOWS\System32\daeko.dll is the About:Blank CWS hijacker, I dont have a copy of the latest instructions handy so will have to wait to advise on that. If anyone can jump in please do
     
Thread Status:
Not open for further replies.