Spyware: Hijack This log

Everytime I access the internet an error occurs and I can either "send error report" or "don't send" but it won't allow me on the internet unless I move that error out of the way.
I get loads of pop-ups even on google.co.uk - which isn't right.
And sometimes programs don't open, like Windows Media Player unless I reset.


LOG:

Logfile of HijackThis v1.97.7
Scan saved at 12:44:45, on 01/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\dwwin.exe
C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk

 

Hi zanxtan,


Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O4 - HKLM\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe

O4 - HKCU\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe

Then reboot and try again.

Could you mail a (preferably zipped up) copy of C:\WINDOWS\System32\z0db56.exe to the address in my profile please?

Regards,

Pieter

 

I did what you said and rebooted and I still get the errors and pop-ups...

I will send you z0db56.exe but I dunno how to zip it up.

 

Rightclick a an empty space in explorer, create a new zip folder and copy & paste the file in there.
If you don't succceed try sending it unzipped. In the worst case you will get a return mail stating which virus was found.

Can you run HijackThis again and post a new log?

Regards,

Pieter

 

I sent the .exe in a zipped folder...

Here's a new log:


Logfile of HijackThis v1.97.7
Scan saved at 14:33:26, on 01/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk

 

Notice what happened?

Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

After you installed it it will ask permission for some programs you already have. Allow those.

Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe

O4 - HKCU\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe

Now if Regprot asks permission for something new, deny it by clicking No and reboot.

Then post a new log.

Regards,

Pieter

 

I did exactly what you said...

Here's the log:


Logfile of HijackThis v1.97.7
Scan saved at 14:57:09, on 01/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [p9iro.exe] C:\WINDOWS\System32\p9iro.exe
O4 - HKCU\..\RunOnce: [p9iro.exe] C:\WINDOWS\System32\p9iro.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk

 

Not exactly. You blocked AdAware and the nasty slipped through.

I will have to have a long look at the file you sent me.
I'll get back to you by mail.

You could update Windows and IE in the meantime and please read: Why did I get infected in the first place

Regards,

Pieter

 

How do I update Windows and IE?
The error won't go away... it comes on after I click like 5 links, so I had to add this page to favourites and get to it that way.

Also, on freewebs.com to add a new page or upload something you need to click a link that opens in a new window. That never opens.

 

In IE try Tools > Windows Update.

Your file is a known baddy so I am looking for removal procedure now:

Positive identification (in archive): Trojan.Win32.Delf.cf
File: z0db56.exe (In i:\manege (kijk uit)\oogstweek21\z0db56.exe.zip)

Brb,

Pieter

 

Please download a free trial of TDS3 from here:
http://tds.diamondcs.com.au/index.php?page=home
Update as described here:
http://tds.diamondcs.com.au/index.php?page=update
When that is ready reboot into safe mode and Start TDS-3
Click System Testing > Full sytem scan
In the bottom part of the program Windows select the file(s) identified as Trojan.Win32.Delf.cf and select delete.

Regards,

Pieter

 

Right I did what you see, in safe mode etc...
but I still get pop-ups.

And also, when I go on freewebs.com to edit my site - you click these things that open in a new window... they won't open, but they will on any other computer.

 

As I told you before. Install SP 1 for IE and XP and all the updates after that to solve those problems.

Did you get rid of the Trojan?

Regards,

Pieter

 

Yep, in safe mode on TDS-3.
But I still get occassional pop-ups.
And that damn error!

 

Right I don't seem to be getting that error anymore or pop-ups.

But I Installed SP 1 for IE and XP and all the updates and I'm getting pop-ups again. And the thing that pops up on freewebs still doesn't work. Any ideas would be greatly appreciated.
Thanks.

 

I'll need to see a fresh log.

Which version of Jav are you using?

Regards,

Pieter

 

FRESH LOG:



Logfile of HijackThis v1.97.7
Scan saved at 23:16:18, on 08/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe
O4 - HKCU\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk





Sorry to sound stupid but whats Java?

 

Hi zanxtan,

Here we go again.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll

O4 - HKLM\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe
O4 - HKCU\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe

Then run TDS in safe mode to get rid of C:\WINDOWS\System32\q6ajw.exe and anything like it.

I see you found Java in the meantime:
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe

Regards,

Pieter

 

How'd you mean by that?

I deleted them files on TDS-3 in safe mode.

 

That I could now see your Java version in your log.

Good. Did that solve the problem?

Regards,

Pieter

 

I think so. Thanks!!