k_iwi
Trooper
Joined: Mar 08, 2004
Posts: 19
Location: New_Zealand
Posted: Tue Jun 01, 2004 4:16 am Post subject: Hijack This Log - Please help
My friend has a spyware infection on her computer - symptom is multiple IE window popups for dodgy sites, porn, credit cards, diplomas etc. I ran CWShredder and it corrected 4 bad IE registry settings but the problem is still there. She is running NAV and her virus definitions are current. Here is her HijackThis log. Can someone please check and advise. All help greatly appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 6:01:58 p.m., on 1/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\msbb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\antispy\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\lstb4drc.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKLM\..\Run: [dyngzmb] C:\WINDOWS\dyngzmb.exe
O4 - HKLM\..\Run: [udqzohsh] C:\WINDOWS\udqzohsh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab
QuietFusion
1st Responder
Premium Member
Joined: Feb 27, 2004
Posts: 1156
Location: USA
Posted: Thu Jun 03, 2004 5:24 pm Post subject:
Hi,
Download the following: Ad-aware & Spy-Bot.
- Updating Ad-aware: Double-Click the Desktop Icon, Click 'Check For Updates Now' > Click 'Connect'
- Updating Spybot: Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
Now reboot into safe mode (press F8 during reboot, select safe mode) and DON'T reconnect to the net.
- Open Ad-aware and make the following changes to the settings in Ad-aware.
- Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'
Press 'Start'
- Select option 'Use Custom scanning options'
- Click 'Activate in-depth scan'
- Press 'Select drives\folders to scan' and select the active partition, which is usually C:
- Click Customize
- Make sure the following are all checked:
*'Scan Within Archives'
*'Scan Active Processes'
*'Scan Registry'
*'Deep Scan Registry'
*'Scan My IE Favorites For Banned URLs'
*'Scan My Hosts File'
- Click Proceed
Now press "Next" to let Ad-aware scan your drives...
Allow the Ad-aware to fix what it finds.
Close Ad-aware and open Spybot.
- Click 'Search & Destroy'
- Click 'Check for problems' (the program will now search your HDD)
- Make sure all findings are checked and click 'Fix Selected Problems'
Close SpyBot and Reboot!
Don't reconnect to the net just yet, run hijackthis and place a check next to the following:
Note: Some items might not return after running the above tasks.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\lstb4drc.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec32.dll
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec32.dll
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKLM\..\Run: [dyngzmb] C:\WINDOWS\dyngzmb.exe
O4 - HKLM\..\Run: [udqzohsh] C:\WINDOWS\udqzohsh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab
and click fix. Reboot into safe mode, find and delete the following files and folders.
Files:
C:\windows\system32\msbb.exe
C:\WINDOWS\dyngzmb.exe
C:\WINDOWS\udqzohsh.exe
Reboot back into normal mode and post a fresh log in your thread.
_________________
You want security? Turn off Javascript & Active X!!!
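As an added example (not code from the thread, from HijackThis, or from the forum's helpers), the Python below parses the log entries QuietFusion worked from and applies the triage rules that reply reflects: search and start pages redirected to a host the owner never chose, BHOs and toolbars tied to that host or loaded namelessly from the Windows directory, other plugins loading the same DLL, Run entries dropped straight into C:\WINDOWS or carrying random-looking names, and ActiveX controls registered from a local file:// CAB. It also diffs the first log against the fresh one to list what the cleanup removed. The two log excerpts are copied from the thread; treating www.xtra.co.nz (the owner's ISP home page) as deliberately set is an assumption passed in as `trusted_hosts`, and the rules are a first pass for a human reviewer, not a replacement for one: they do not reproduce QuietFusion's list item for item.

```python
# Heuristic triage for HijackThis v1.97-style logs (added example, not code from the thread).
import re
from urllib.parse import urlparse

# Entries copied from the two logs posted in the thread ("Running processes" blocks omitted).
INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\lstb4drc.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKLM\..\Run: [dyngzmb] C:\WINDOWS\dyngzmb.exe
O4 - HKLM\..\Run: [udqzohsh] C:\WINDOWS\udqzohsh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab
"""
CLEAN_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
PLUGIN_RE = re.compile(r"^(BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)\b', re.I)
WINDIR = re.compile(r'^"?[a-z]:\\windows\\', re.I)  # anywhere under the Windows directory
WINDIR_ROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe"?(\s|$)', re.I)  # directly in it

def parse_entries(text):
    """Return (kind, body, raw_line) for every HijackThis entry line in the log."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m["kind"], m["body"], m.group(0)) for m in matches if m]

def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def triage(text, trusted_hosts):
    """Return [(reason, entry)]; trusted_hosts are pages the owner set on purpose (ISP home page etc.)."""
    trusted = {h.lower() for h in trusted_hosts}
    entries = parse_entries(text)
    findings, flagged, hijack_terms, suspect_dlls = [], set(), set(), set()

    def flag(reason, raw):
        if raw not in flagged:
            findings.append((reason, raw))
            flagged.add(raw)

    # 1. R0/R1: search and start pages pointing somewhere the owner never chose.
    for kind, body, raw in entries:
        if kind in ("R0", "R1") and " = " in body:
            host = (urlparse(body.split(" = ", 1)[1].strip()).hostname or "").lower()
            if host and host not in trusted:
                flag(f"IE search/start page redirected to {host}", raw)
                # "i-lookup.com" -> "ilookup": a token to match against plugin names
                hijack_terms.add(re.sub(r"[^a-z0-9]", "", host.split(".")[-2:][0]))
    # 2. O2/O3: plugins named after the hijack host, or nameless ones living in the Windows directory.
    plugins = [(PLUGIN_RE.match(body), raw) for kind, body, raw in entries if kind in ("O2", "O3")]
    for m, raw in plugins:
        name = re.sub(r"[^a-z0-9]", "", m["name"].lower()) if m else ""
        if any(t and t in name for t in hijack_terms):
            flag("BHO/toolbar named after the hijack host", raw)
        elif m and m["name"] == "(no name)" and WINDIR.match(m["path"]):
            flag("nameless BHO/toolbar loaded from the Windows directory", raw)
        if m and raw in flagged:
            suspect_dlls.add(_basename(m["path"]))
    # 3. Pivot on the file: any other plugin loading an already-flagged DLL is flagged too.
    for m, raw in plugins:
        if m and _basename(m["path"]) in suspect_dlls:
            flag("shares a DLL with a flagged entry", raw)
    # 4. O4 autoruns dropped straight into C:\WINDOWS, or inside the Windows tree with a vowel-less
    #    (possibly random) name; the second rule is noisy and surfaces candidates, not verdicts.
    # 5. O16 ActiveX controls registered from a local file:// CAB instead of a vendor site.
    for kind, body, raw in entries:
        run = RUN_RE.match(body) if kind == "O4" else None
        exe = EXE_RE.match(run["cmd"]) if run else None
        if exe and WINDIR_ROOT_EXE.match(run["cmd"]):
            flag("autorun executable sits directly in the Windows directory", raw)
        elif exe and WINDIR.match(exe["exe"]) and not re.search("[aeiou]", _basename(exe["exe"])[:-4]):
            flag("autorun inside the Windows tree with a vowel-less name", raw)
        elif kind == "O16" and body.rsplit(" - ", 1)[-1].strip().lower().startswith("file:"):
            flag("ActiveX control registered from a local file:// CAB", raw)
    return findings

def removed_entries(before, after):
    """Entries present in the earlier log but absent from the fresh one, i.e. what the cleanup removed."""
    after_set = {raw for _, _, raw in parse_entries(after)}
    return [raw for _, _, raw in parse_entries(before) if raw not in after_set]
```

Run against the fresh log, only the file:// DPF entry still trips a rule, and the entries the rules flag in the first log are exactly the ones `removed_entries` reports gone between the two, which is the cross-check a reviewer wants before calling a log clean. The vowel-less-name rule is deliberately loose and should be read as a prompt to look at the file, not as a verdict on it.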
k_iwi
Trooper
Joined: Mar 08, 2004
Posts: 19
Location: New_Zealand
Posted: Fri Jun 04, 2004 7:41 pm Post subject:
Thanks so much for your help. My friend tells me that everything looks good now. Here is the latest HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 10:45:39 a.m., on 5/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\antispy\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
QuietFusion
1st Responder
Premium Member
Joined: Feb 27, 2004
Posts: 1156
Location: USA
Posted: Sat Jun 05, 2004 12:22 am Post subject:
Nice clean log. I am glad we could help you out. If you want further information about preventing hijacks in the future, review these two articles.
So How Did I Get Infected in the First Place & Securing IE
_________________
You want security? Turn off Javascript & Active X!!!
k_iwi
Trooper
Joined: Mar 08, 2004
Posts: 19
Location: New_Zealand
Posted: Sat Jun 05, 2004 12:53 am Post subject:
Thanks QuietFusion for your help.
Cheers
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2131
Location: UK
Posted: Tue Jun 08, 2004 2:39 pm Post subject:
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: http://www.computercops.biz/postt7736.html
_________________
I'm Spartacus!