1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijacked by porn - here's log

Discussion in 'Virus & Other Malware Removal' started by cbwhited, Sep 21, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. cbwhited

    cbwhited Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    2
    Hi all,
    Consistently, while surfing (like google searches and nypost), my browser is rerouted to porn sites, one after another. I can't close down these sites fast enough to keep the images from loading.

    I have installed, updated and run spybot and adware as suggested with your recommended settings, rebooted and here is the most recent log. I would appreciate any help you could offer. Thanks so much!

    Logfile of HijackThis v1.97.2
    Scan saved at 5:00:41 AM, on 9/21/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\ImageMate CompactFlash USB\SandIcon.Exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\slrundll.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
    C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Microsoft Publisher\Office10\OUTLOOK.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\All Users\My Documents\Cathy\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Publisher\Office10\OSA.EXE
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.2617824074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F9E9FEC-30F8-4B98-A314-E1DDEF51BE44}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F9E9FEC-30F8-4B98-A314-E1DDEF51BE44}: NameServer = 198.77.116.8
     
  2. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    I am new to reading and understanding the logs, however one thing I have noticed is something called direcway. I did a little research and found this page you may wish to read.

    http://www.spywareinfo.com/articles/direcway/

    If they were my server I would be looking at terminating the contract ASAP

    Now that I've alarmed you, it shouldn't be too long before someone else checks out your log and advises on whats safe to remove.
    I will look on with interest as I have kept a copy of what I think needs removing so I can see if I get it right or not.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,192
    First Name:
    Derek
    there is nothing showing in the log to account for the porn

    if you ran spybot/adaware befor posting the log, then it is almost guaranteed that one or both of them have cured your problem
     
  4. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    But, but, but, Ohh never mind

    ;)
     
  5. cbwhited

    cbwhited Thread Starter

    Joined:
    Sep 21, 2003
    Messages:
    2
    Thanks for looking. EvileYe - sigh - I live in the country and it is Direcway or email via dial-up smoke signals. I didn't notice the issues discussed in the article on our computer. And, of course, we all acknowledge Direcway can be a big pain in the b*tt.
    Regards from Texas!
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/166317

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice