hijacked by porn - here's log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cbwhited

Thread Starter
Joined
Sep 21, 2003
Messages
2
Hi all,
Consistently, while surfing (like google searches and nypost), my browser is rerouted to porn sites, one after another. I can't close down these sites fast enough to keep the images from loading.

I have installed, updated and run spybot and adware as suggested with your recommended settings, rebooted and here is the most recent log. I would appreciate any help you could offer. Thanks so much!

Logfile of HijackThis v1.97.2
Scan saved at 5:00:41 AM, on 9/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Microsoft Publisher\Office10\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\All Users\My Documents\Cathy\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Publisher\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.2617824074
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F9E9FEC-30F8-4B98-A314-E1DDEF51BE44}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F9E9FEC-30F8-4B98-A314-E1DDEF51BE44}: NameServer = 198.77.116.8
 
Joined
Aug 30, 2003
Messages
1,281
I am new to reading and understanding the logs, however one thing I have noticed is something called direcway. I did a little research and found this page you may wish to read.

http://www.spywareinfo.com/articles/direcway/

If they were my server I would be looking at terminating the contract ASAP

Now that I've alarmed you, it shouldn't be too long before someone else checks out your log and advises on whats safe to remove.
I will look on with interest as I have kept a copy of what I think needs removing so I can see if I get it right or not.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
there is nothing showing in the log to account for the porn

if you ran spybot/adaware befor posting the log, then it is almost guaranteed that one or both of them have cured your problem
 

cbwhited

Thread Starter
Joined
Sep 21, 2003
Messages
2
Thanks for looking. EvileYe - sigh - I live in the country and it is Direcway or email via dial-up smoke signals. I didn't notice the issues discussed in the article on our computer. And, of course, we all acknowledge Direcway can be a big pain in the b*tt.
Regards from Texas!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top