Jump to content


Photo

Major hijack


  • This topic is locked This topic is locked
10 replies to this topic

#1 Duncan Bourne

Duncan Bourne

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 17 May 2004 - 05:17 PM

My home page has been usurped and everytime I log on I recieve a barrage of pop-ups and software trying to enstal.

here is the hijack this log. Hope you can help.

Logfile of HijackThis v1.97.7
Scan saved at 23:03:31, on 17/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Internet Explorer\iexplore.exe
I:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hkcu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\test\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitc...EUpdateOSR2.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.5429513889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5CB5CD-3202-4467-8FFF-6FF053C4957A}: NameServer = 192.168.123.254

#2 Duncan Bourne

Duncan Bourne

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 17 May 2004 - 05:45 PM

Hmm just reset my home page and that seems to have cured the problem, just rebooted and it seems fine. I had to delete notepad though as that had been taken over and seemed to be causing the prob.

#3 narzy

narzy

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 17 May 2004 - 05:55 PM

Hi Duncan,
you've got somthing else going on aswell. please give me a few wile I go through your log.

#4 narzy

narzy

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 17 May 2004 - 11:17 PM

You have a CoolWebSearch infection.
Download and run http://www.spywarein.../CWShredder.exe
from its own folder.
Click Fix and then Next, let it fix everything it asks about.

Then reboot and post another log....

#5 Duncan Bourne

Duncan Bourne

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 18 May 2004 - 07:40 AM

Thanks done that here is the new log

Logfile of HijackThis v1.97.7
Scan saved at 13:38:46, on 18/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
I:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.duncanbourne.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\test\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitc...EUpdateOSR2.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.5429513889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5CB5CD-3202-4467-8FFF-6FF053C4957A}: NameServer = 192.168.123.254

#6 narzy

narzy

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 18 May 2004 - 12:34 PM

you also seem to have the BUGBEAR.F worm I suggest running Stinger from Network Associates here is a direct link to the latest release of the program. http://download.nai....ert/stinger.exe

Please search for the file IEUpdateOSR2.ocx on your computer and send it as an attachment to submissions@tomcoyote.com

AFTER you have submitted that file check the fallowing line in HiJackThis and click Fix.

O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D3CE} (IEUpdateOSR2 Control) - https://packageswitc...EUpdateOSR2.ocx

then rerun HiJackThis and post another log.

#7 Duncan Bourne

Duncan Bourne

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 18 May 2004 - 05:33 PM

no BUGBEAR.F was found by Stinger and file IEUpdate OSR2.ocx could not be found. Here is the new log:-

Logfile of HijackThis v1.97.7
Scan saved at 23:29:56, on 18/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\system32\wuauclt.exe
I:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.duncanbourne.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\test\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8124.5429513889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5CB5CD-3202-4467-8FFF-6FF053C4957A}: NameServer = 192.168.123.254

#8 narzy

narzy

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 18 May 2004 - 06:54 PM

everything looks good.


To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard as well as IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being
installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
SpywareBlaster: http://www.javacools...areblaster.html
SpywareGuard: http://www.wildersse...ywareguard.html


IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad:
http://www.staff.uiu...es/resource.htm

visit http://windowsupdate.microsoft.com on a weekly basis and make sure you have all security updates installed.

For Anti-Virus I reccomend NOD32 by Eset, you can get a free fully functional trial at www.eset.com .
My Firewall of choice is Kerio Personal Firewall a free version can be downloaded from http://www.kerio.com...f_download.html

#9 Duncan Bourne

Duncan Bourne

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 19 May 2004 - 06:34 AM

Thanks I have Spyaware on so I will check out the other two. Thanks a lot
Cheers

Duncan

#10 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 19 May 2004 - 12:33 PM

The system is not quite clean yet ...

Close all programs/windows, run HijackThis and delete:
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe <= Some WMP's (wmplayer.exe) are installed with a worm lately, that startup does not seem right, although the location of wmplayer.exe is correct. WMP should not autostart anyway. My advice is to uninstall (remove) WMP and reinstall it from the official MS site. Click Here.

The following is optional to delete as it is a resource hog:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Please reboot into safe mode - How do I boot into "Safe" mode?

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files [/color](all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#11 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 October 2004 - 02:07 AM

Due to tno response, I am closing this thread.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button