Duce6 And Other Baddies On My Pc...


  • Please log in to reply
4 replies to this topic

#1 Dawg_Pound

Dawg_Pound

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 04 September 2006 - 02:53 PM

My cousin's computer has been hijacked badly while hooked up and left connected in a motel. I've gone through and was able to install Ad-Aware, Spybot and SpywareBlaster. I was able to remove a lot of things but it is still not up to snuff. I found it to have the duce6 virus on it, as well as something that causes a lot of pop-ups to occur. Here is a copy of the HijackThis file. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:32:29 PM, on 9/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hayjp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,svfmahd.exe
O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:\WINDOWS\System32\ddayx.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\jkhfe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NI.USYP_0001_N69M1703] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FJXT087H\SysProtectScannerInstall[1].exe" -nag
O4 - HKLM\..\Run: [NI.USYP_0001_N76M1005] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\01QXMNOJ\SysProtectScannerInstall[1].exe" -nag
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - Winlogon Notify: ddayx - C:\WINDOWS\System32\ddayx.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\m8juli1918.dll
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\SYSTEM32\jkhfe.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\lv4m09h1e.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\lv4m09h1e.dll
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
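As an added example (not code from this thread and not part of HijackThis itself), the following Python script does the kind of first-pass triage a helper performs on a log like the one above: it parses each `Rn`/`Fn`/`On` entry and flags the patterns that point to a hijacked system, such as extra programs chained onto the `Shell` and `UserInit` values, a Browser Helper Object with no name, an autorun entry living in the browser cache, a site added to the Trusted Zone, a `text/html` MIME filter, a Winlogon Notify package that is not one of the stock Windows XP ones, and a service with an unknown owner or missing binary. The sample lines are copied from the log posted above; the allowlist of stock Winlogon Notify names is an assumption meant as a starting point rather than an exhaustive list.

```python
"""Triage a HijackThis v1.99-style log: parse entries, flag the usual hijack patterns.
Added example for this thread; not HijackThis code. Sample lines copied from the posted log."""
import re
from typing import List, Tuple

# Sample input: entries copied from the log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hayjp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,svfmahd.exe
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\jkhfe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NI.USYP_0001_N69M1703] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FJXT087H\SysProtectScannerInstall[1].exe" -nag
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\SYSTEM32\jkhfe.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
"""

# Stock Winlogon Notify packages on Windows XP. Assumption: a starting allowlist,
# to be extended for the environment being examined; anything not listed gets flagged.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Every HijackThis entry starts with a section code (R0, F2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")

Finding = Tuple[str, str, str]  # (section, reason, original line)


def check_entry(sec: str, body: str) -> str:
    """Return a short reason if the entry matches a hijack pattern, else an empty string."""
    low = body.lower()
    if sec == "F2" and body.startswith("REG:system.ini: Shell="):
        # Shell should be exactly Explorer.exe; anything appended starts with the desktop.
        if body.split("=", 1)[1].strip().lower() != "explorer.exe":
            return "extra program chained to the Shell value"
    if sec == "F2" and body.startswith("REG:system.ini: UserInit="):
        parts = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        if len(parts) > 1 or not parts[0].lower().endswith("userinit.exe"):
            return "UserInit launches more than userinit.exe"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    if sec == "O4" and "temporary internet files" in low:
        return "autorun entry points into the browser cache"
    if sec == "O15":
        return "site added to the IE Trusted Zone"
    if sec == "O18" and low.startswith("filter: text/html"):
        return "MIME filter hooks every HTML page"
    if sec == "O20":
        name = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
        if name not in KNOWN_WINLOGON_NOTIFY:
            return "non-stock Winlogon Notify package"
    if sec == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return "service with unknown owner or missing binary"
    return ""


def triage(log_text: str) -> List[Finding]:
    """Parse a whole log and return the flagged entries in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, and blanks are not entries
        reason = check_entry(m["sec"], m["body"])
        if reason:
            findings.append((m["sec"], reason, line))
    return findings


def sections_flagged(log_text: str) -> List[str]:
    """Section codes of the flagged entries, handy for a quick summary."""
    return [sec for sec, _, _ in triage(log_text)]


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

On the sample above the script leaves the Norton toolbar, the Belkin startup entry, the HP service and the `ProxyOverride` line alone and reports the eight entries a helper would ask about first; the point of the allowlist approach for `O20` is that a random-looking DLL name is not what gets flagged, being absent from the known-good set is.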


#2 Dawg_Pound

Dawg_Pound
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 04 September 2006 - 03:39 PM

I also installed ewido. It keeps catching Downloader.Qoologic.bj trying to connect, I tell it to quarantine it, then it recreates itself and does it again, over and over...

I'm trying to get ewido to update itself so I can try to scan, but CPU usage is so loaded it's unreal...

#3 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:57 AM

Posted 04 September 2006 - 03:54 PM

Hi Dawg_Pound, :thumbsup:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#4 Dawg_Pound

Dawg_Pound
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 04 September 2006 - 03:56 PM

Thanks=)

#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:57 AM

Posted 06 September 2006 - 03:11 AM

Hi Dawg_Pound,

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Install a firewall. There are several good ones available for free:

Zonelabs
Kerio

2. Download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

3. I can see that you disabled some items in your Startup through Msconfig. We need to see them because sometimes they can be malware.

Click Start > Run > type: msconfig > OK.
Select Normal Startup - load all device drivers and services.
Click OK. And when asked to restart, click No.

Please post the C:\vundofix.txt, together with a fresh HijackThis log for review.