new hijack variant??

Discussion in 'adware, spyware & hijack cleaning' started by hayduke, May 5, 2004.

Thread Status:
Not open for further replies.
  1. hayduke

    hayduke Registered Member

    Joined:
    May 5, 2004
    Posts:
    4
    Sorry all if this is redundant or covered elsewhere....

    I am totally at wits' end after 48 hours of trying to figure out what is wrong with my system. I know I have a hijack/virus/worm of some type but it must be a new variant because after scouring tons of help forums I can't see any messages that indicate others are having the same problem.

    Basically, I can't even download hijackthis, because my computer stops the download at 99%. CWshredder I can download, but I can't unzip the file (I end up with an undeletable and seemingly empty directory where the unzipped cwshredder should be). I'm running my computer in safe mode and at least my IE browser is no longer hijacked. After running NAV today I found (again) hxdefdrv.sys backdoor virus which was apparently removed...but NAV supposedly found and removed it yesterday also..

    I'm going totally nuts with this thing...any help would be appreciated. Getting CWshredder and HJT running would be a good start, but I don't know how to proceed.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi hayduke,

    Can you see if this direct exe link works for you? :

    http://209.133.47.200/~merijn/files/HijackThis.exe

    You can also try right-clicking it and choosing 'save as' if directly clicking it doesn't work.

    When successful, open it -> scan -> save log as hayduke.txt

    A notepad window will open; copy/paste the complete contents here please.

    Thnx!

    Cheers,
     
  3. hayduke

    hayduke Registered Member

    Joined:
    May 5, 2004
    Posts:
    4
    Got HJT on the desktop, but it will not run. CWS won't run now either.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi hayduke,

    Can you see if you can run HijackThis in safe mode ?

    Regards,

    Pieter
     
  5. hayduke

    hayduke Registered Member

    Joined:
    May 5, 2004
    Posts:
    4

    No, I tried that early on and it didn't work. It starts and then shuts down right away.
     
  6. hayduke

    hayduke Registered Member

    Joined:
    May 5, 2004
    Posts:
    4
    Re: new hijack variant?? HJT log


    Update:
    Actually, on some advice I got over at lurkhere.com I did back-to-back safe mode runs of CWS (with a Windows security patch [fresh: today] in between) and was then able to run HJT and get a log out of it.

    Here's the log if you're curious...I don't really have a clue what to do with it.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:55:43 PM, on 07/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\Documents and Settings\Paul\Desktop\ht.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxoavy.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxoavy.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kxoavy.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kxoavy.outhost.info/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxoavy.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxoavy.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kxoavy.outhost.info/sp.php
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 213.159.118.228 collections.inhost.info
    O1 - Hosts: 213.159.118.228 collections.inhost2.info
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - F:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - F:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - F:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] F:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TaskMgr] F:\PROGRA~1\INTERN~1\tskmgr32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] F:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Ad-watch] "F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [APVXDWIN] "F:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [PestPatrol Control Center] F:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] F:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] F:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Tau Monitor] F:\PROGRA~1\TAUSCA~1.7\taumon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [asustweakenable] F:\Program Files\ASUS\Tweaking Utilities\atweak.exe /start
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: EarthView.lnk = F:\Program Files\EarthView\EarthView.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: f:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: f:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: f:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...w.scion.com/drive/360_views/drive_xb_360.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
    O16 - DPF: {34F592DF-2FA8-4D36-83BA-8EAF679F7D00} (ucButton.UCObjBtn) - http://www.mdg.ca/downloads/IObjButton.ocx
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002111201/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
     
    Last edited: May 7, 2004
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: new hijack variant?? HJT log

    Hi hayduke,

    Before you start please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. These will now end up on your desktop.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxoavy.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxoavy.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kxoavy.outhost.info/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kxoavy.outhost.info/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxoavy.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxoavy.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kxoavy.outhost.info/sp.php
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 213.159.118.228 collections.inhost.info
    O1 - Hosts: 213.159.118.228 collections.inhost2.info

    Then reboot and get your Windows and IE updated ASAP.

    Regards,

    Pieter
     
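    Pieter's fix list above targets the R0/R1 start-page and search-URL entries, the missing R3 URLSearchHook and the O1 hosts-file entries. As an added example (not from the thread and not HijackThis's own code), here is a small Python triage script that parses a log in the v1.97 format shown above and flags exactly those entry classes; `SAMPLE_LOG` is a constructed excerpt of the log and `expected_hosts` is an assumption about which start/search page the user actually chose.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the HijackThis v1.97 log format (values taken from the log above).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxoavy.outhost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R3 - Default URLSearchHook is missing
O1 - Hosts: 213.159.118.228 collections.inhost.info
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\NeroCheck.exe
"""

# Every HJT entry line starts with a section code (R0, R1, O1, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<detail>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section code, detail) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries


def flag_ie_hijacks(entries, expected_hosts):
    """Return (code, reason, detail) for entries that match the hijack pattern in this thread.

    expected_hosts: lower-case hostnames the user deliberately set as start/search page (assumption).
    """
    flagged = []
    for code, detail in entries:
        if code in ("R0", "R1"):
            # Registry value lines look like "<key>,<name> = <url>"; a bare "http://" means the
            # hijacker blanked the setting, any other host is compared against the user's choice.
            _, _, value = detail.partition(" = ")
            host = urlparse(value.strip()).hostname
            if not host:
                flagged.append((code, "blank search/start URL", detail))
            elif host.lower() not in expected_hosts:
                flagged.append((code, f"unexpected host {host}", detail))
        elif code == "R3" and "URLSearchHook is missing" in detail:
            flagged.append((code, "default URLSearchHook removed", detail))
        elif code == "O1":
            flagged.append((code, "hosts-file override", detail))
    return flagged


if __name__ == "__main__":
    for code, reason, detail in flag_ie_hijacks(parse_hjt(SAMPLE_LOG), {"www.google.com"}):
        print(f"{code}: {reason} -> {detail}")
```

    Benign O2/O4 entries in the excerpt are left alone, which is the same distinction Pieter drew between the lines to fix and the rest of the log.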