Posting Log

Discussion in 'adware, spyware & hijack cleaning' started by Christy, Jan 4, 2004.

Thread Status:
Not open for further replies.
  1. Christy

    Christy Guest

    You guys and gals ROCK!

    I ran Ad Aware today (1-4-04) and had last run SpyBot 12-31-03

    Before doing anything with HijackThis, AdAware fixed my start page being changed to random search pages and got rid of go-advertising.com randomly inserting links.

    I would love to lock my home page in the registry so that it can't be changed, but after all this it seemed that there were many registry entries affecting the home page, and I couldn't find the right places to set it. Any suggestions?

    Is there any conflict I should be aware of with AA and SB?

    Using ZoneAlarm also, but annoyed with Ebay protection because I use a sniping site. Any other freeware firewalls you'd recommend?

    Thanks!
    Be Happy!
    Christy

    ?tey nuf gnivah uoy erA
    http://www.greatestnetworker.com/is/christy




    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:01 AM, on 1/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
    C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Real\Player\realplay.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\mssys.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
    C:\WINNT\system32\notepad.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchcomplete.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchcomplete.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchcomplete.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchcomplete.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchcomplete.com/search.html
    R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [w32sup] C:\WINNT\system32\w32sup.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
    O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
    O4 - HKLM\..\Run: [MsSystem] c:\mssys.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - Startup: Norton System Doctor.lnk.disabled
    O4 - Global Startup: 4D Browser Mouse.lnk.disabled
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\2\E_SRCV03.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
    O4 - Global Startup: RealDownload.lnk.disabled
    O4 - Global Startup: SideACT!.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/1337a70b56bfbf984f05/netzip/RdxIE.cab
    O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/056b411d04281d7e5f05/netzip/RdxIE601.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.56-deleon/GoogleNav.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6E617B-6BF2-4092-BF74-5B8FE212D012}: NameServer = 24.234.0.71,24.234.0.7
    O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Christy.

    One more (specialized cleaner):
    Please download and run CWShredder

    Then check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)

    O4 - HKLM\..\Run: [w32sup] C:\WINNT\system32\w32sup.exe

    O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
    O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
    O4 - HKLM\..\Run: [MsSystem] c:\mssys.exe

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/1337a70b56bfbf984f05/netzip/RdxIE.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/056b411d04281d7e5f05/netzip/RdxIE601.cab

    O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt

    Then reboot and delete:
    C:\WINNT\system32\w32sup.exe
    c:\mssys.exe
    And do a Find Files for Msapin32.dll and let me know if that is present on your system.

    The rest should be cleaned out by CWShredder.
    Could you please post a new log when you are done?

    Regards,

    Pieter
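
As an added example (not code from this thread or from the HijackThis project), the script below applies the warning signs Pieter's reply relies on to HijackThis entry lines: IE search settings redirected to the hijacker's host, an orphaned URLSearchHook, Run entries that launch an .hta or an executable in the drive root, ActiveX downloads served from a bare IP, and a user stylesheet that is not a .css file. The sample lines are taken from the log posted above; the deny list of hijacker hosts and the heuristics themselves are assumptions for illustration.

```python
import re
from urllib.parse import urlparse
# Constructed sample: a subset of the HijackThis v1.97.7 entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchcomplete.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKLM\..\Run: [MsSystem] c:\mssys.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/1337a70b56bfbf984f05/netzip/RdxIE.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
"""

# Constructed deny list: the search host this thread attributes to the CoolWebSearch hijack.
KNOWN_HIJACK_HOSTS = {"www.searchcomplete.com"}
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")              # "O4 - <body>"
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ROOT_OF_DRIVE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|bat|hta)\b")  # e.g. c:\mssys.exe

def check_entry(section, body):
    """Return a reason if the entry shows one of the warning signs seen in this thread, else None."""
    if section in ("R0", "R1") and "=" in body:
        if urlparse(body.split("=", 1)[1].strip()).hostname in KNOWN_HIJACK_HOSTS:
            return "IE search/start page redirected to a known hijacker host"
    elif section == "R3" and body.endswith("(no file)"):
        return "URLSearchHook CLSID is registered but its DLL is gone (orphaned hook)"
    elif section == "O4" and "]" in body:
        target = body.split("]", 1)[1].strip().strip('"').lower()
        if re.search(r"\.hta\b", target):
            return "Run entry launches an HTML Application, not a font or Office file"
        if ROOT_OF_DRIVE.match(target):
            return "Run entry launches an executable dropped in the drive root"
    elif section == "O16" and BARE_IP.match(urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""):
        return "ActiveX (DPF) download served from a bare IP address"
    elif section == "O19" and ":" in body:
        if not body.split(":", 1)[1].strip().lower().endswith(".css"):
            return "User stylesheet points at a non-CSS file"
    return None

def scan(log_text):
    """Parse HijackThis entry lines; return (section, reason, line) for each flagged entry."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and (reason := check_entry(m["sec"], m["body"])):
            flagged.append((m["sec"], reason, line.strip()))
    return flagged
```

A flag marks an entry to investigate, not to delete: Pieter's own follow-up in this thread shows that even an experienced analyst's first read of a file name can be wrong.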
     
  3. Christy

    Christy Guest

    Hey Pieter,

    Thanks so much for the quick reply!
    I did NOT find Msapin32.dll present.

    I did have to run CWS and restart 3 times to get rid of this: A CWS variant was detected that is still loaded into memory. You need to restart and run CWShredder again to remove it completely.

    I would have removed a LOT more based on the HijackThis log tutorial. But I can, you just had me get rid of the bad ones, not the ones open to user interpretation, right?

    Yeah! No more nasty porn links! (only beautiful & respectable porn links HA HA!)

    thanks
    ;)
    Christy


    Logfile of HijackThis v1.97.7
    Scan saved at 12:22:48 PM, on 1/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
    C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Real\Player\realplay.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Real\Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - Startup: Norton System Doctor.lnk.disabled
    O4 - Global Startup: 4D Browser Mouse.lnk.disabled
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\2\E_SRCV03.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
    O4 - Global Startup: RealDownload.lnk.disabled
    O4 - Global Startup: SideACT!.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.56-deleon/GoogleNav.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6E617B-6BF2-4092-BF74-5B8FE212D012}: NameServer = 24.234.0.71,24.234.0.7
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Christy,

    The log looks clear.
    I'm afraid I did a wrong analysis for c:\mssys.exe

    I automatically assumed it was this one:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.myss.b.html

    but the directory is off and the other file mentioned there is not present.

    Did you already delete the file (as I instructed) or do you still have a copy you can send to the address in my profile?

    Regards,

    Pieter
     
  5. Christy

    Christy Guest

    Sent you the questionables to the email in your profile.

    Sorry I didn't check back till today.
    I was so happy to have it fixed and my husband is impressed it's finally taken care of!

    thanks
    Christy
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Christy,

    I'm glad it's fixed too. And I didn't doubt that the file was up to no good. I just resent missing out on chances to find new ones. :)

    But I guess I didn't miss much.

    NOD32: Win32/DDoS.Vanta.A trojan
    NAV : http://securityresponse.symantec.com/avcenter/venc/data/trojan.a.d.clicker.html

    So it was another one than I originally thought, but feel free to delete that file.

    Thanks,

    Pieter
     