Spyware: Hijack This log

Discussion in 'adware, spyware & hijack cleaning' started by zanxtan, Jun 1, 2004.

Thread Status:
Not open for further replies.
  1. zanxtan

    zanxtan Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Every time I access the internet an error occurs and I can either "send error report" or "don't send", but it won't allow me on the internet unless I move that error out of the way.
    I get loads of pop-ups even on google.co.uk - which isn't right.
    And sometimes programs don't open, like Windows Media Player unless I reset.


    LOG:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:44:45, on 01/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\dwwin.exe
    C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - HKCU\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi zanxtan,


    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O4 - HKLM\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe

    O4 - HKCU\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe

    Then reboot and try again.

    Could you mail a (preferably zipped up) copy of C:\WINDOWS\System32\z0db56.exe to the address in my profile please?

    Regards,

    Pieter
     
  3. zanxtan

    I did what you said and rebooted and I still get the errors and pop-ups...

    I will send you z0db56.exe but I dunno how to zip it up.
     
  4. Pieter_Arntz

    Right-click an empty space in Explorer, create a new zip folder and copy & paste the file in there.
    If you don't succeed, try sending it unzipped. In the worst case you will get a return mail stating which virus was found. :)

    Can you run HijackThis again and post a new log?

    Regards,

    Pieter
     
  5. zanxtan

    I sent the .exe in a zipped folder...

    Here's a new log:


    Logfile of HijackThis v1.97.7
    Scan saved at 14:33:26, on 01/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - HKCU\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
     
  6. Pieter_Arntz

    Notice what happened?

    Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    After you have installed it, it will ask permission for some programs you already have. Allow those.

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe

    O4 - HKCU\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe

    Now if Regprot asks permission for something new, deny it by clicking No and reboot.

    Then post a new log.

    Regards,

    Pieter
     
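    The point Pieter is making with "Notice what happened?" is that the RunOnce entry was not removed but regenerated under a fresh random name (z0db56.exe became o9kd5.exe, then p9iro.exe, then q6ajw.exe), written to both HKLM and HKCU, which is why fixing the registry line alone never sticks. The following script is an added example, not part of the original thread or of HijackThis: it parses the O4 section of two successive logs, flags RunOnce entries that point into System32 under a random-looking name in both hives, and diffs the two logs to show the rename. The sample input is the O4 lines copied from the first two logs posted above; the "random-looking name" heuristic (a short all-lowercase stem mixing letters and digits) is my own assumption, chosen to fit the names in this thread, and will need tuning on other logs.

```python
"""Diff the O4 (autostart) section of two HijackThis logs and flag
RunOnce entries that regenerate under random names, as in this thread
(z0db56.exe -> o9kd5.exe -> p9iro.exe -> q6ajw.exe)."""
import re

# Sample input: O4 lines copied from the first two logs posted in the thread.
# The Run entries for the messengers and Ad-aware are kept as benign noise.
LOG_A = r"""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [z0db56.exe] C:\WINDOWS\System32\z0db56.exe
"""
LOG_B = r"""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [o9kd5.exe] C:\WINDOWS\System32\o9kd5.exe
"""

# "O4 - HKLM\..\RunOnce: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# Assumed heuristic: 4-8 lowercase letters/digits with at least one of each
# (matches z0db56, o9kd5, p9iro, q6ajw; does not match Ad-aware or MsnMsgr).
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z\d]{4,8}$")


def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, name, cmd and the executable path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        pm = EXE_RE.search(e["cmd"])
        e["path"] = pm.group("path") if pm else None
        entries.append(e)
    return entries


def looks_random(filename):
    """True if the file name stem matches the assumed random-name pattern."""
    stem = filename.rsplit(".", 1)[0]
    return bool(RANDOM_STEM_RE.match(stem))


def suspicious_runonce(entries):
    """Flag RunOnce entries pointing into System32 under a random-looking name.
    Returns {path: sorted hives}, so a dual HKLM+HKCU entry is visible at a glance."""
    found = {}
    for e in entries:
        if e["key"] != "RunOnce" or not e["path"]:
            continue
        folder, _, fname = e["path"].rpartition("\\")
        if folder.lower().endswith("\\system32") and looks_random(fname):
            found.setdefault(e["path"], set()).add(e["hive"])
    return {p: sorted(h) for p, h in found.items()}


def regenerated(entries_before, entries_after):
    """Return (paths that vanished, paths that appeared) between two logs."""
    before = set(suspicious_runonce(entries_before))
    after = set(suspicious_runonce(entries_after))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    a, b = parse_o4(LOG_A), parse_o4(LOG_B)
    print("log A:", suspicious_runonce(a))
    print("log B:", suspicious_runonce(b))
    gone, new = regenerated(a, b)
    if gone and new:
        print("regenerating dropper: removed", gone, "-> replaced by", new)
```

    Running it on the two logs prints the z0db56.exe entry (present in both HKLM and HKCU) for the first log, the o9kd5.exe entry for the second, and the rename between them. The useful lesson for log readers is the combination of three signals, RunOnce rather than Run, a path in System32, and a name that changes between logs, rather than any one of them alone.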
  7. zanxtan

    I did exactly what you said...

    Here's the log:


    Logfile of HijackThis v1.97.7
    Scan saved at 14:57:09, on 01/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [p9iro.exe] C:\WINDOWS\System32\p9iro.exe
    O4 - HKCU\..\RunOnce: [p9iro.exe] C:\WINDOWS\System32\p9iro.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
     
  8. Pieter_Arntz

    Not exactly. You blocked AdAware and the nasty slipped through.

    I will have to have a long look at the file you sent me.
    I'll get back to you by mail.

    You could update Windows and IE in the meantime and please read: Why did I get infected in the first place

    Regards,

    Pieter
     
  9. zanxtan

    How do I update Windows and IE?
    The error won't go away... it comes on after I click like 5 links, so I had to add this page to favourites and get to it that way.

    Also, on freewebs.com to add a new page or upload something you need to click a link that opens in a new window. That never opens.
     
  10. Pieter_Arntz

    In IE try Tools > Windows Update.

    Your file is a known baddy, so I am looking for a removal procedure now:

    Positive identification (in archive): Trojan.Win32.Delf.cf
    File: z0db56.exe (In i:\manege (kijk uit)\oogstweek21\z0db56.exe.zip)

    Brb,

    Pieter
     
  11. Pieter_Arntz

  12. zanxtan

    Right I did what you see, in safe mode etc...
    but I still get pop-ups.

    And also, when I go on freewebs.com to edit my site - you click these things that open in a new window... they won't open, but they will on any other computer. :(
     
  13. Pieter_Arntz

    As I told you before. Install SP 1 for IE and XP and all the updates after that to solve those problems.

    Did you get rid of the Trojan?

    Regards,

    Pieter
     
  14. zanxtan

    Yep, in safe mode on TDS-3.
    But I still get occasional pop-ups.
    And that damn error! :(
     
  15. zanxtan

    Right, I don't seem to be getting that error anymore, or pop-ups.

    But I installed SP 1 for IE and XP and all the updates and I'm getting pop-ups again. And the thing that pops up on freewebs still doesn't work. Any ideas would be greatly appreciated. :(
    Thanks.
     
  16. Pieter_Arntz

    I'll need to see a fresh log.

    Which version of Java are you using?

    Regards,

    Pieter
     
  17. zanxtan

    FRESH LOG:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:16:18, on 08/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Jamie Hurrell\My Documents\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = btbroadband.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:32
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe
    O4 - HKCU\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    Sorry to sound stupid but whats Java?
     
  18. Pieter_Arntz

    Hi zanxtan,

    Here we go again.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll

    O4 - HKLM\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe
    O4 - HKCU\..\RunOnce: [q6ajw.exe] C:\WINDOWS\System32\q6ajw.exe

    Then run TDS in safe mode to get rid of C:\WINDOWS\System32\q6ajw.exe and anything like it.

    I see you found Java in the meantime:
    C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe

    Regards,

    Pieter
     
  19. zanxtan

    What do you mean by that?

    I deleted those files on TDS-3 in safe mode.
     
  20. Pieter_Arntz

    That I could now see your Java version in your log.

    Good. Did that solve the problem?

    Regards,

    Pieter
     
  21. zanxtan

    I think so. Thanks!!
     