problems!

Discussion in 'adware, spyware & hijack cleaning' started by Gerdas, Nov 15, 2003.

Thread Status:
Not open for further replies.
  1. Gerdas

    Gerdas Registered Member

    Joined:
    Nov 15, 2003
    Posts:
    1
    Hi, my system is very slow and I suspect a spyware invasion. Can anyone check this hijack log for me? Thanks:

    Logfile of HijackThis v1.97.6
    Scan saved at 21:38:50, on 15-11-2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Gerda.SCHERPEN-1I8W0O.000\Local Settings\Temp\Tijdelijke map 1 voor hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {b6b82c13-414b-43ba-a31e-f05e624d35c3} - C:\DOCUME~1\GERDAS~1.000\APPLIC~1\gstbkcriez.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: toaxwktreoo - {1a57dcb8-bfc8-4a8b-ae6e-a0001cb94e62} - C:\DOCUME~1\GERDAS~1.000\APPLIC~1\gstbkcriez.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37940.4865393518
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\Software\..\Telephony: DomainName = tdmy.com
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Gerdas,

    Welcome at Wilders. :)

    You should have least have an ugly Toolbar. ;)
    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {b6b82c13-414b-43ba-a31e-f05e624d35c3} - C:\DOCUME~1\GERDAS~1.000\APPLIC~1\gstbkcriez.dll

    O3 - Toolbar: toaxwktreoo - {1a57dcb8-bfc8-4a8b-ae6e-a0001cb94e62} - C:\DOCUME~1\GERDAS~1.000\APPLIC~1\gstbkcriez.dll

    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

    O17 - HKLM\Software\..\Telephony: DomainName = tdmy.com

    Then reboot.

    Regards,

    Pieter
     
  3. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Okee Pieter!

    Thanks again for a flash respons! All is clear now eccept for this system too I need to update to sp1 and all patches after that!
    Several computers I run into these days are from home users who are not aware af the risks when not updating their system.
    Most home users i see don't even know about the updates and run a severe risk at invection in all sort of ways.
    This system is 24/7 online, runs without sp1, firewall or AV software.
    I'll go back tomorrow and install just all that.

    I would not know what to do without this site! Thanks to all volonteers at wilders! ;)

    Frans
     
Thread Status:
Not open for further replies.