Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log


  • This topic is locked This topic is locked
13 replies to this topic

#1 Alex F

Alex F

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 30 June 2004 - 11:01 AM

Logfile of HijackThis v1.97.7
Scan saved at 16:16:10, on 30/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Dell\SolutionCenter\DellSC.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ALEX FORBES\Local Settings\Temp\Répertoire temporaire 1 pour hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\IEsp.mht
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.noos.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\System32\msadocm32.dll
O2 - BHO: (no name) - {23C891F2-5041-4B0F-9C4D-522481124644} - C:\WINDOWS\1088501132.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Sysflg32] c:\windows\system32\sysflg32.exe
O4 - HKLM\..\Run: [kaarfeygsxf] C:\WINDOWS\System32\kpzxpai.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: AOL 8.0 Icône AOL.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083868903015
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/fr/games1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

BC AdBot (Login to Remove)

 


m

#2 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 01 July 2004 - 05:46 PM

Hi, Alex.

You also have a CoolWebSearch hijacker. There is a special tool to remove it called CWShredder.

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Please download and then unzip the program. Close all open browser windows and run the program. Click the "Fix" button and let it fix everything it finds.

Edit - I forgot to tell you to put HijackThis in it's own folder on your hard drive. Anywhere is fine except on your desktop or in a temp directory. This is so it can make the backups of the repairs in makes.

Next, run Hijackthis again and and put checks next the the following items that remain. Make sure you have no open browser windows and click "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\IEsp.mht
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\System32\msadocm32.dll
O2 - BHO: (no name) - {23C891F2-5041-4B0F-9C4D-522481124644} - C:\WINDOWS\1088501132.dll
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [Sysflg32] c:\windows\system32\sysflg32.exe
O4 - HKLM\..\Run: [kaarfeygsxf] C:\WINDOWS\System32\kpzxpai.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

Boot into safe mode http://service1.symantec.com/SUPPORT/tsgen...999101916343139 and delete these files. You may need to show hidden files to find them. http://service1.symantec.com/SUPPORT/tsgen...002092715262339

C:\WINDOWS\1088501132.dll
C:\WINDOWS\secure.html
c:\windows\system\sncntr.exe
C:\WINDOWS\System32\IEsp.mht
C:\WINDOWS\System32\msadocm32.dll
c:\windows\system32\sysflg32.exe
C:\WINDOWS\System32\kpzxpai.exe


and this whole folder
C:\Program Files\websx\

Reboot, run Hijackthis again and post a fresh log please.

Edited by ColdinCbus, 01 July 2004 - 05:50 PM.


#3 Alex F

Alex F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 01 July 2004 - 06:45 PM

I did almost everything you said except the last bit (reboot your computer into safe mode and delete the following files:
Then delete these
C:/WINDOWS/System32/IEsp.mhte
C:/WINDOWS/System32/msadocm32.dll
C:/programe files/websx/
C:/WINDOWS/1088501132.dll
C:/WINDOWS/System32/kpzxpai.exe
c:/windows/system32/sncntr.exe
c:/windows/system32/sysflg32.exe

and the bit about disable system restore.
I did try to reboot my computer and press f8 at the right time but it gave me a menu in French which did not coresspond with your tutorial about going into safe mode.
So I tryed using my internet explorer for the first time in days and the startup page was blank, (not the stupid searchmeup page that was taking over me!)
I reloaded my origenal page and turned off the computer.
When i tryed the exeplorer it was good.
So dose this mean 1: I don't have to do the last bit which i said about above?
2:do the reeenable system restore?
3:Change back the setting for the Hidden Files?
4: Anything else i've forgotten?
As you can see i'm abit of a novice with computers, and i would love for this to be over if i have my exeplorer page back dose this mean it's gone my problem?
One last thing i retested with spybot and the same old problem was there is this normal?
For all of you that have helped me so far a big Thankyou to you all !!!

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:11 PM

Posted 01 July 2004 - 07:07 PM

Please when making a reply keep your posts into the original topic. Do not create a new topic for your reply. I have merge the two topics back into this one.

#5 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 01 July 2004 - 07:22 PM

Hi Alex F.

You definitely need to delete the files I pointed out or eventually it will return.

Try to find and delete those files in normal mode. Please note that some of these files may no longer be on your system.

C:\WINDOWS\1088501132.dll
C:\WINDOWS\secure.html
c:\windows\system\sncntr.exe
C:\WINDOWS\System32\IEsp.mht
C:\WINDOWS\System32\msadocm32.dll
c:\windows\system32\sysflg32.exe
C:\WINDOWS\System32\kpzxpai.exe

and this whole folder
C:\Program Files\websx\

Run HijackThis again and post a new log please.

#6 Alex F

Alex F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 02 July 2004 - 10:54 AM

please could you tell me in which part of the computer i can find these last files to delete. The C:\WINDOWS\System32\IEsp.mhte files
I'm not sure where they are and will wait for anwser before proceeding.
Thank's

#7 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 02 July 2004 - 12:39 PM

Don't worry if you can't find it, AlexF. The "C:\WINDOWS\System32\IEsp.mhte" file was probably deleted by Hijackthis or CWShredder.

Your doing a great job. :thumbsup:

Run HijackThis again and post a fresh log please. I just want to make sure we got everything.

Edited by ColdinCbus, 02 July 2004 - 12:48 PM.


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:11 PM

Posted 02 July 2004 - 01:23 PM

Click on my computer, then click on c drive then follow the paths to the file.

For example for the C:\WINDOWS\System32\IEsp.mht file, you would double-click on my computer, then doubleclick on windows, then double click on system32, then delete the iesp.mht file.

Do the same procedures for the various other files and their locations.

#9 Alex F

Alex F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 02 July 2004 - 02:06 PM

Hi there
could only delete the 1st one on the list;
C:\WINDOWS\SYSTEM32\IEsp.mhte
The others I could not find in windows32 maybe they are already deleted?
I've posted the new list from hijackthis so you can see if the problem is gone.
cheer's lad's



Logfile of HijackThis v1.98.0

Scan saved at 20:58:06, on 02/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ALEX FORBES\Bureau\Raccourcis Bureau non utilisés\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.noos.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: AOL 8.0 Icône AOL.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/fr/games1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:11 PM

Posted 03 July 2004 - 10:07 PM

Looks good to me. Good job. You may want to install Spywareblaster and the latest version of spybot. Tutorials for both programs can be found in my tutorial section. You may also want to remove spyware begone as the above two mentioned free programs work better in my opinion

#11 Alex F

Alex F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 06 July 2004 - 11:54 AM

HI again unfortunatly after i used the windows restore. I went on the net and i got a warning from my server spyware hijacker detected then i tryed a new site and a porn page took over i had to turn off the computer to get out of this problem. I have followed the intructions you gave me so i find this most strange. Maybe reseting the computer did this or i have'nt deleted a infected file. Please can you help!





Logfile of HijackThis v1.98.0
Scan saved at 18:32:54, on 06/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ALEX FORBES\Bureau\Raccourcis Bureau non utilisés\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.noos.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: AOL 8.0 Icône AOL.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/fr/games1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:11 PM

Posted 06 July 2004 - 01:16 PM

I do not see anything wrong here. Next time you reboot and you get a warning that a hijacker was detected, let it make the changes, do not stop it. That way we can see the infection and advise as to how you should remove it.

#13 Alex F

Alex F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 06 July 2004 - 03:50 PM

I have done all the instructions from the a to z for the clean up process and thing's seem to have gone back to normal BUT when i use spybot it allway's find DSO Exploit in red letters with 5 descreptions like this for example; IHkEY_usersi 5_15_181 software mircosoft\windows

Dose this give you any idea what it could be and how do i get rid of it?
Thank's again
Your help is great!

#14 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 06 July 2004 - 03:56 PM

The DSO Exploit is a bug in Spybot S&D. If you have your system updated with the latest patches, you are fine.

Here is some information from their support forum http://forums.net-integration.net/index.ph...hl=dso+exploits

Edit=

You see, there are several reports of this issue here in the Spybot forum, which shows that it is happening for a lot of people, so in that sense it's normal - meaning your system is reacting like many others...

However, the fact that Spybot isn't properly fixing this is just a simple bug that I'm sure will be fixed soon.

Basically what's happening is that Spybot is finding that the security setting for "Download unsigned ActiveX controls" for the (normally) hidden "My Computer" zone in Internet Explorer is not set to disabled.

Given that anyone who is properly patched (via Windows Update) is not vulnerable to this exploit anymore, this is really not a serious issue, so provided your system is patched, you have nothing to worry about and can just ignore this until the fix comes out.


Edited by ColdinCbus, 06 July 2004 - 04:06 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users