
Suspect Log


3 replies to this topic

#1 Niantic


Posted 15 June 2004 - 02:56 PM

Hello,

This is my first post. For 24 hours I have been trying to clean my computer. I successfully used Ad Aware, Spy Nuker and CW Shredder. Now when I run any program they say my computer is clean.

But, my computer runs very slowly. Often I cannot move from link to link. The page says: "The program is not responding."

Some basic links are not even responding well (e.g. Yahoo). I cannot download 'Dreamweaver'.

When I click IE on the START Menu, a strange search page still appears.

And so, I think my computer is suspect, even though the Spy Removal Programs say that my computer is clean.

I am posting my log from 'Hijack This' in the hopes that one of you (my new friends) will recognize something.

And so:

Logfile of HijackThis v1.97.7
Scan saved at 3:39:53 PM, on 6/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\iemt32.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\michael carroll\local settings\temp\uz7HMki.exe
C:\documents and settings\michael carroll\local settings\temp\L1tQYhodO.exe
C:\WINDOWS\d3qj.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wcpsvsu.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Carroll\Local Settings\Temporary Internet Files\Content.IE5\PJZRXD8E\HijackThis[1].exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afwxk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afwxk.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afwxk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afwxk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afwxk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\afwxk.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A264AC9-2381-8AF5-4412-1FA65E5E70C2} - C:\WINDOWS\atlbb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [uz7HMki] C:\documents and settings\michael carroll\local settings\temp\uz7HMki.exe
O4 - HKLM\..\Run: [L1tQYhodO] C:\documents and settings\michael carroll\local settings\temp\L1tQYhodO.exe
O4 - HKLM\..\Run: [d3qj.exe] C:\WINDOWS\d3qj.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvsu.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenu...WNInstaller.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webrespo...p/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38097.865625
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cybersourcec...bex/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab


Are any of them suspect? Which ones should I Fix (delete)?
Thank you in advance.
Niantic
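As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script over the HijackThis log format posted above: it parses the section code of each line and flags the entry kinds that matter in this log, namely IE start/search pages redirected to a res:// resource inside a local DLL, an unnamed BHO in the Windows directory, Run entries executing from a temp folder or a short-named file in the Windows root, and a DPF entry pointing at a local file. The heuristics are my own assumptions, meant as a first-pass filter for a human reviewer rather than a verdict, and the sample lines are copied from the log above with two benign Symantec entries kept for contrast.

```python
import re

# Constructed sample in HijackThis v1.97 log format: lines copied from the
# log in the post above, with two benign Symantec entries kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afwxk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afwxk.dll/index.html#37049
O2 - BHO: (no name) - {1A264AC9-2381-8AF5-4412-1FA65E5E70C2} - C:\WINDOWS\atlbb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [uz7HMki] C:\documents and settings\michael carroll\local settings\temp\uz7HMki.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [d3qj.exe] C:\WINDOWS\d3qj.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
"""
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")  # "<section code> - <body>"

def _run_target(body):
    # executable path from an O4 body such as 'HKLM\..\Run: [name] "path" args'
    m = re.search(r'\]\s*"?([^"]+?\.exe)', body, re.IGNORECASE)
    return m.group(1) if m else ""

def triage(log_text):
    """Return (code, reason, line) for entries matching the assumed triage heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        low = body.lower()
        if code in ("R0", "R1") and "= res://" in low:
            # start/search page served out of a local DLL resource instead of a web URL
            findings.append((code, "IE start/search page redirected into a local DLL", line))
        elif code == "O2" and low.startswith("bho: (no name)") and "\\windows\\" in low:
            findings.append((code, "unnamed BHO loaded from the Windows directory", line))
        elif code == "O4":
            target = _run_target(body).lower()
            if "\\local settings\\temp\\" in target:
                findings.append((code, "autorun executing from a user temp folder", line))
            elif re.fullmatch(r"c:\\windows\\[a-z0-9]{1,8}\.exe", target) and "explorer" not in target:
                findings.append((code, "autorun of a short-named executable in the Windows root", line))
        elif code == "O16" and "file://" in low:
            findings.append((code, "ActiveX (DPF) entry pointing at a local file", line))
    return findings

def hijack_dlls(findings):
    """DLL names behind res:// redirects, so every reference to one DLL is reviewed together."""
    hits = (re.search(r"res://(?:[^/]*\\)?([\w-]+\.dll)", ln, re.IGNORECASE) for _, _, ln in findings)
    return {m.group(1).lower() for m in hits if m}
```

Calling `triage(SAMPLE_LOG)` returns the six suspicious entries and leaves the Norton and ccApp lines alone; `hijack_dlls` on that result reduces the two res:// lines to the single DLL name they share.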

#2 Niantic


Posted 15 June 2004 - 03:50 PM

I am just being patient. In the meanwhile, I am reading all the other logs with similar problems. But maybe someone has the vision to spot something.

Thanks,
Niantic

#3 Niantic


Posted 15 June 2004 - 05:03 PM

I am about to take drastic action and begin to prune my registry. But first I want to run it by the pros.

When I check my home page, a strange URL appears. It says:
res://afwxk.dll/index.html#37049

I did a file search for afwxk, found 1 file, turned off System Restore and deleted it. But it came back.

Then I ran 'Hijack This' again. I saw the suspicious afwxk five times in the registry.

Should I prune (FIX) all of them? Will my computer still work afterwards?

Thanks
Niantic

#4 Niantic


Posted 15 June 2004 - 06:25 PM

I am answering myself.

Well, I pruned them all. At first they seemed to disappear and all was well. But later when I checked, the home page was still hijacked with the afwxk etc. URL.

What do I do?

I ran Spybot again. Found another 5 bad things. (DOS Exploit). Deleted them.

Are the words that are running at the bottom of the page when I run Spybot on MY computer?? Because a lot of bad words are there (like Cool Web Search). Or are the words just trying to run a match on my computer against these words?

The reason I want to know is because if all the words that I spotted on the bottom of the page when Spybot was running are, in fact, on my computer, then it is seriously infected and all the Spyware is not identifying it.

Thanks,
Niantic
