I think im Hijacked!

Discussion in 'adware, spyware & hijack cleaning' started by AztecD, May 10, 2004.

Thread Status:
Not open for further replies.
  1. AztecD

    AztecD Registered Member

    Joined:
    May 10, 2004
    Posts:
    4
    Followed the instructions from this thread
    https://www.wilderssecurity.com/showthread.php?t=15913
    and now im posting the log.

    Thx for any asistance you can provide :doubt:
    ----------------------------------------------------


    Logfile of HijackThis v1.97.7
    Scan saved at 7:47:51 PM, on 5/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\WINDOWS\System32\sysdll32.exe
    C:\WINDOWS\System32\MicroSoft\MicroSoft.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\Owner\My Documents\Web Stuff\Hijack 1.0\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.grupok.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.grupok.net/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
    O4 - HKLM\..\Run: [IEXPLORE Loader] sysdll32.exe
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\MicroSoft\MicroSoft.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\RunServices: [IEXPLORE Loader] sysdll32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37928.6955324074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\System32\sysdll32.exe
    C:\WINDOWS\System32\MicroSoft\MicroSoft.exe



    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.grupok.net/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
    O4 - HKLM\..\Run: [IEXPLORE Loader] sysdll32.exe
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\MicroSoft\MicroSoft.exe
    O4 - HKLM\..\RunServices: [IEXPLORE Loader] sysdll32.exe
    O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder
    (or go direct to the C:\Documents and Settings\userprofilename\Local Settings\Temp\ folder and delete what can be deleted)

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files:
    C:\WINDOWS\System32\sysdll32.exe
    C:\WINDOWS\System32\MicroSoft\MicroSoft.exe
    C:\WINDOWS\System32\WinDriv32.exe


    Reboot to normal mode

    Download Spybot - Search and Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer windows, hit 'Check for Problems', and after SpyBotSD has completed it's scan push the 'Fix checked' button for all that it has automatically selected.

    Get a good online virus scan at HouseCall

    ------ some info (for further cleanup)
    sysdll32.exe -- http://it.trendmicro-europe.com/ent...tail.php?id=58073&VName=BKDR_SDBOT.VI&VSect=T
    WinDriv32.exe -- http://it.trendmicro-europe.com/ent...ail.php?id=58962&VName=TROJ_WINDRIV.A&VSect=T
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    These are very suspicious. Please close all windows except Hijack This, and tick these

    O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
    O4 - HKLM\..\Run: [IEXPLORE Loader] sysdll32.exe
    O4 - HKLM\..\Run: [systam32] C:\WINDOWS\System32\MicroSoft\MicroSoft.exe
    O4 - HKLM\..\RunServices: [IEXPLORE Loader] sysdll32.exe
    O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe

    Then choose Fix selected, reboot, and please email each of those EXE files to submit@diamondcs.com.au for analysis
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Ahh you beat me.. :D

    AztecD : please submit these files as I'm not sure they they are known adware - but even if they turn out to be, we always appreciate submissions to help build up the collection of known nasties
     
  5. AztecD

    AztecD Registered Member

    Joined:
    May 10, 2004
    Posts:
    4
    Its Clean!!! :D

    Thx guys for all of your help, i sent a zip file with the infected files.

    Thx Again

    AztecD
     
  6. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    :cool:
    and some extra chars to be > 5 ;)
     
Thread Status:
Not open for further replies.