SpyWare VOL System error #384

Discussion in 'adware, spyware & hijack cleaning' started by Roman, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. Roman

    Roman Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 4:12:44, on 26.2.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINXP\Explorer.EXE
    C:\PCIRADIO\Radiotray.exe
    C:\WINXP\System32\Fmctrl.EXE
    D:\Software\CloneCD\CloneCDTray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\WINXP\reg32.exe
    C:\WINXP\System32\rundll32.exe
    C:\WINXP\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Zaloha\Roman\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RadioTray] C:\PCIRADIO\Radiotray.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Software\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "D:\Software\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Reg32] C:\WINXP\reg32.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Eyeball Chat] "D:\HRY\EYEBAL~1\EyeballChat.exe" -min
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.redbox.cz/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Roman :)

    Welcome to Wilders.

    I am not a HijackThis expert, but I know you can fix the following entries.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html

    Then reboot and delete:
    C:\WINDOWS\secure.html

    When this is done, wait for the experts to give you further recommendations on your log.


    snowbound
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Sorry, I also notice you have NewDotNet in your log.

    Here is a link on how to uninstall it,

    http://www.doxdesk.com/parasite/NewDotNet.html

    Remember to check back later for answers from the experts.




    snowbound
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Roman,

    After you have followed snowbound's instructions above for removing New.Net, add these entries to the list of R0-R1 that snowbound listed in his previous post.

    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINXP\reg32.exe
    O4 - Startup: PowerReg Scheduler.exe

    (if you do not recognize this site and did not set it yourself, then fix it too)
    O14 - IERESET.INF: START_PAGE_URL=http://www.redbox.cz/


    You also have the Blaster Worm.
    Download the FixBlast.exe tool from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Follow the instructions at the above site for removing the blaster worm from your computer.

    Then reboot your computer, find and delete:
    C:\WINXP\reg32.exe <-- the file

    Now go to Microsoft Update Site and get all the Critical Updates for XP and IE6.

    Reboot your computer and do another scan with HijackThis, and paste a new log here to be checked.

    Regards,

    snap
     
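As an added example (not code from the thread, from HijackThis, or from any of the posters), a small Python triage that applies the rules the moderators used above to a constructed excerpt of Roman's log: R0/R1 page settings that point at a local file instead of a URL, O4 autostart items the thread named for removal, and the O14 reset page the poster is asked to verify. The `KNOWN_BAD` table, `triage` and the excerpt itself are this example's own assumptions.

```python
import re

# Constructed excerpt of the HijackThis log posted in this thread (a subset of
# the real log, retyped here for the example).
LOG_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html",
    r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP",
    r"O4 - HKLM\..\Run: [windows auto update] msblast.exe",
    r"O4 - HKLM\..\Run: [Reg32] C:\WINXP\reg32.exe",
    r"O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup",
    r"O4 - Startup: PowerReg Scheduler.exe",
    r"O14 - IERESET.INF: START_PAGE_URL=http://www.redbox.cz/",
]
# Autostart items the moderators in this thread told the poster to remove
# (assumed table for this example; match is a case-insensitive substring).
KNOWN_BAD = {
    "msblast.exe": "W32.Blaster worm autostart",
    "reg32.exe": "reg32.exe flagged in thread",
    "powerreg scheduler.exe": "PowerReg Scheduler flagged in thread",
    "newdot": "New.Net (NewDotNet) startup hook",
}
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")  # drive-letter path instead of a URL


def triage(lines):
    """Return (section, reason, value) for each entry the thread's rules flag."""
    findings = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, rest = m.groups()
        if section in ("R0", "R1"):
            # 'HKxx\...\Main,Start Page = value': a local file here is the
            # hijacked start page seen in this log.
            value = rest.split(" = ", 1)[-1]
            if LOCAL_PATH.match(value):
                findings.append((section, "IE page setting points at a local file", value))
        elif section == "O4":
            # '[name] command' for Run keys, 'Startup: file' for folder items.
            named = re.search(r"\[[^\]]*\] (.*)$", rest)
            command = named.group(1) if named else rest.split(": ", 1)[-1]
            for needle, reason in KNOWN_BAD.items():
                if needle in command.lower():
                    findings.append((section, reason, command))
        elif section == "O14":
            # IERESET.INF start page: fine only if the user set it themselves.
            findings.append((section, "verify reset start page is yours", rest.split("=", 1)[-1]))
    return findings
```

Running `triage(LOG_LINES)` reports the two hijacked page settings, the four autostart items named in the thread and the O14 page to verify, and leaves the AVG entry alone.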