homepage hijacked by spyware system error #384

Discussion in 'adware, spyware & hijack cleaning' started by Karan Kapoor, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. Karan Kapoor

    Karan Kapoor Guest

    Needing urgent help here...
    I am unable to change my Internet Explorer homepage and the default page has been hijacked by spyware. The site is titled "spyWare! system error #384".

    Attached is my log file from when I ran HijackThis.
    Can you please help me?
    Many thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 2:35:27 PM, on 3/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\WINDOWS\reg32.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
    C:\Documents and Settings\kapoork\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\hijackthis.exe
    C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://scheo.com/srchasst/srchcust.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://scheo.com/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Whitefriars College Term 1 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-find.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.whitefriars.vic.edu.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.whitefriars.vic.edu.au;datacentral.whitefriars.vic.edu.au; mail1.whitefriars.vic.edu.au;mail2.whitefriars.vic.edu.au;172.16.*.*;library.whitefriars.vic.edu.au; toptools.whitefriars.vic.edu.au;172.17.*.*;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [Regsvc] C:\WINDOWS\system\regsv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Novell delivered applications (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.whitefriars.vic.edu.au
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whitefriars.vic.edu.au
    O17 - HKLM\Software\..\Telephony: DomainName = whitefriars.vic.edu.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whitefriars.vic.edu.au


    edited to prevent the sideways scrolling by DVK01
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Karan Kapoor,

    Welcome to Wilders.

    Some of the items are from viruses. I would strongly suggest you do an online virus scan as some of the entries are caused by viruses. Some good online scans can be found HERE.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis. Please note that the on-line AV scan may have removed some of these entries.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://scheo.com/srchasst/srchcust.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://scheo.com/srchasst/srchasst.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-find.com/index.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/

    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [Regsvc] C:\WINDOWS\system\regsv.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Then reboot in Safe Mode and delete the following:

    C:\WINDOWS\reg32.exe
    C:\WINDOWS\system\regsv.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
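The reply above picks out three kinds of HijackThis entries: R0/R1 browser start and search pages pointing at unfamiliar hosts, O4 Run-key entries launching executables from odd locations, and the O7 policy that disables regedit. The script below is an added example (not from the forum post or from HijackThis itself) that applies those same triage rules to log lines taken from the log posted in this thread. The trusted-host list and the "suspect directory" heuristic (executables launched from the Windows root or the legacy \system folder rather than System32 or Program Files) are assumptions made for the example, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above (a subset, for the example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.whitefriars.vic.edu.au:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
O4 - HKLM\..\Run: [Regsvc] C:\WINDOWS\system\regsv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O14 - IERESET.INF: START_PAGE_URL=http://intranet.whitefriars.vic.edu.au
"""

# Assumption for this example: hosts the browser settings are expected to point at.
# The school domain appears in the log's proxy and O14 lines; the others are common defaults.
TRUSTED_HOST_SUFFIXES = ("whitefriars.vic.edu.au", "microsoft.com", "msn.com")

# Heuristic (assumption, not a HijackThis rule): a Run-key executable sitting directly in
# the Windows root or the legacy \system folder deserves a second look.
SUSPECT_RUN_DIRS = (r"c:\windows", r"c:\windows\system")

LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def _host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def _exe_dir(cmd):
    """Return the lowercased directory of the first drive-letter .exe path in a Run command, or None."""
    m = re.search(r'"?([a-z]:\\[^"]*?\.exe)', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).lower().rsplit("\\", 1)[0]


def triage(log_text):
    """Apply the three triage rules from the reply and return a list of findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            # Browser page settings: the value follows " = "; only URL values are checked,
            # so proxy hostnames and window titles are skipped.
            _, _, value = body.partition(" = ")
            value = value.strip()
            if value.lower().startswith("http") and not _host_is_trusted(value):
                findings.append({"section": section,
                                 "reason": "browser page points at untrusted host " + (urlparse(value).hostname or ""),
                                 "line": line})
        elif section == "O4":
            rm = RUN_RE.search(body)
            if rm and _exe_dir(rm.group("cmd")) in SUSPECT_RUN_DIRS:
                findings.append({"section": section,
                                 "reason": "Run entry launches an executable from a suspect directory",
                                 "line": line})
        elif section == "O7":
            # Policy restrictions such as DisableRegedit are always worth reporting.
            findings.append({"section": section,
                             "reason": "policy restriction set",
                             "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
```

Run against the sample, the script reports the two hijacked page entries, the two Run entries under C:\WINDOWS and C:\WINDOWS\system, and the DisableRegedit policy, while leaving the Symantec, ctfmon and proxy lines alone.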
     