I'm a young oldie. Stupidly thought my machine had good defences, till a month ago

Discussion in 'adware, spyware & hijack cleaning' started by Apogean, May 20, 2004.

Thread Status:
Not open for further replies.
  1. Apogean

    Apogean Registered Member

    Joined:
    May 20, 2004
    Posts:
    4
    Location:
    BRIGHTON UK
    Had all the 'right' un's I thought; [AdAw, SpyBotS&D, SpyBlaster, etc], but suddenly found I couldn't System Restore, had changed Browser warnings that immunisation didn't cure, and a lot of 'wrong paths' on SpyBot log. Think I'm going to have to end up restoring Windows XP Pro, and dreading the thought ~ will the fact that I'm awaiting a new XP Pro laptop maybe help the restoration process ~ Here's my HijackThis log! Anyone not mind helping an old geeza?

    Logfile of HijackThis v1.97.7
    Scan saved at 15:29:25, on 20/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\DigiGuide\client01.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\MiniPopupKiller\mpk.exe
    C:\AstroWare\SolarFire\SOLFIRE.EXE
    C:\Documents and Settings\E.H.Bayley\Desktop\Downloaded Spyware Programmes\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\downloaded programs\adobeacrobat\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2645D297-DD4B-4DD3-BAB0-34D4BB8F7EE6} - C:\Program Files\MiniPopupKiller\cpw.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide\client.exe
    O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/eno/x/enscp1x.exe
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623uk.exe
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.77/058716uk.exe
    O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {7380B862-BA18-4529-8972-C66B82AA5D1D} (AccountTracking Class) - http://moneymanager.egg.com/customer/accounttracking.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.4453819444
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - http://livenj01.rightnowtech.com/williamhill_lang/williamhill_lang/rnt/rnl/java/RntX.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2C486B-A9E2-45B2-9DBF-D3A40B1DBB4A}: NameServer = 158.152.1.58,158.152.1.43
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Apogean,

    That log looks ok

    Hope all is well again

    Cheers,
     
  3. Apogean

    Apogean Registered Member

    Joined:
    May 20, 2004
    Posts:
    4
    Location:
    BRIGHTON UK
    Thanks for that Unzy!

    Having said that, I am still perturbed to understand why AdAware daily, on boot-up, still detects:-
    POSSIBLE BROWSER HIJACK ATTEMPT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegData : Software\Microsoft\Internet Explorer\Main
    obj[1]=RegData : Software\Microsoft\Internet Explorer\Main

    which is also daily reported by SpyBot and SpyBlaster as an attempt to change my IE browser, [set by me to about:blank as my preference; and which I daily ask it to be restored to, having quarantined the above AdAw objects]. Spyblaster indicates http://www.microsoft.com/isap/redir.dll?prd={SUB_PRD}&cid={SUB_CLSID}&pver}={SUB_PVER}ar=home is the intended change. I am beginning to wonder whether both refer to about:blank and I am facilitating circular paths?

    Having investigated my inability to System Restore to any date earlier than April this year, and my Event Log, I have realised that my Windows XP Pro registry has been interfered with or is corrupt [COMDLG32.OCX cannot be located, and 0xc0000001 errors], and seemingly will have to be reinstalled. This fills me with some trepidation. Will my, now imminent, receipt of a new Windows XP Pro laptop, maybe enable me to secure such reinstallation on my Desktop PC in, what would decidedly be, a less hazardous route than the norm with just a standalone?

    Your aid is very much appreciated as I am entering upon foreign territory!

    Regards . . . Apogean
     
  4. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377

    The fact that you have set your homepage to "about:blank" is the cause of these warnings.
    This setting can also be caused by one of the nastiest Coolweb variants, which is identified, but not totally removed by AdAware. The program is unable to tell that this is a legitimate blank, and not a CW blank!

    There are two alternatives, either live with the warnings, or change your homepage :D
     
  5. Apogean

    Apogean Registered Member

    Joined:
    May 20, 2004
    Posts:
    4
    Location:
    BRIGHTON UK
    Thanks for that Dave!
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Although they are probably under control by SpywareBlaster I would fix these entries:
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/eno/x/enscp1x.exe

    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623uk.exe
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab

    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.77/058716uk.exe
    O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab

    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/so...tiveXPlugin.cab

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab

    Put a checkmark in front of them in HijackThis, close all IE windows and click Fix checked.

    Regards,

    Pieter
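An added example, not from this thread and not HijackThis' own logic: a small triage of the R0/R1 and O16 lines quoted above, showing both why the about:blank entry dave38 explains is undecidable from the registry value alone, and how the O16 entries Pieter lists stand out. The sample lines are copied verbatim from the log in post #1; the heuristics (bare-IP download host, direct .exe download, "dialer" in the path) are my own assumptions about what makes a Downloaded Program Files entry worth fixing, not rules HijackThis, Ad-aware or SpywareBlaster apply.

```python
# Added example (not HijackThis' own code): triage of the R0/R1 and O16
# lines quoted in this thread. The heuristics are assumptions about what
# makes a Downloaded Program Files entry worth fixing.
import ipaddress
import re
from urllib.parse import urlparse

O16_RE = re.compile(
    r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")

# Constructed sample: a subset of the posted log, copied verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/eno/x/enscp1x.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623uk.exe
O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
"""


def _is_ip_literal(host):
    """True when the download host is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_o16(line):
    """Reasons an O16 (Downloaded Program Files) entry looks worth fixing."""
    m = O16_RE.match(line)
    if not m:
        return []
    _clsid, _name, url = m.groups()
    parsed = urlparse(url)
    path = parsed.path.lower()
    reasons = []
    if _is_ip_literal(parsed.hostname or ""):
        reasons.append("bare-IP host")  # nothing to attribute or reputation-check
    if path.endswith(".exe"):
        reasons.append("direct .exe download")  # an executable, not a CAB package
    if "dialer" in path:
        reasons.append("'dialer' in download path")  # premium-rate dialer pattern
    return reasons


def triage_r(line):
    """Flag IE start/search page values that anti-spyware tools cannot judge."""
    m = R_RE.match(line)
    if not m:
        return []
    value = m.group(5).strip().lower()
    if value == "about:blank":
        # dave38's point: a user-chosen blank page and the CWS about:blank
        # variant leave the same registry value, so the value alone proves nothing.
        return ["about:blank: user preference or CWS about:blank variant, "
                "undecidable from the value alone"]
    return []


def triage(log_text):
    """Map each R0/R1/O16 line to its list of reasons; other lines are ignored."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O16 - DPF:"):
            findings[line] = triage_o16(line)
        elif line.startswith(("R0 - ", "R1 - ")):
            findings[line] = triage_r(line)
    return findings


def clsids_to_fix(log_text):
    """CLSIDs of O16 entries with at least one reason, in log order."""
    return [O16_RE.match(line).group(1)
            for line, reasons in triage(log_text).items()
            if line.startswith("O16") and reasons]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(("FIX   " if reasons else "ok    ") + line)
        for reason in reasons:
            print("        " + reason)
```

Note what the rules do not catch: the two named entries Pieter also listed (the egg.com AccountTracking control and the Sibelius ScorchPlugin) trip none of them, so a script like this narrows the list to check in HijackThis but does not replace the expert review in the thread.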
     
  7. Apogean

    Apogean Registered Member

    Joined:
    May 20, 2004
    Posts:
    4
    Location:
    BRIGHTON UK
    Thanks for that Pieter! I'll do it straight away

    ~ Regards

    Apogean
     