
Solved: Hitpointer redirects IE to "Adult" site

Discussion in 'Virus & Other Malware Removal' started by Frankie107, Sep 14, 2004.

  1. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    Occasionally when I click a link or type a web address a Hitpointer address appears instead, which is a portal to an Adult Web site. I have run an up to date version of Ad-Aware but it does not help. How do I get rid of this malware? I have run HijackThis and the log is given below.

    Any help would be much appreciated.

    Logfile of HijackThis v1.98.2
    Scan saved at 17:59:38, on 14/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    c:\windows\system32\mhqpohru.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [MHQPOHRU] c:\windows\system32\mhqpohru.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINDOWS\Downloaded Program Files\toolbar2.dll/SEARCH.HTML
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Win32 Classes -
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1822f4ef29e76bd1b122/netzip/RdxIE601.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.134.70:2000/activex/AxisCamControl.cab
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/039848.exe
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE13} (TIBSLoader Class) - http://www.go-in-now.com/tl3000.dll
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_GB.cab
    O18 - Filter: text/html - {C5C07E0F-2186-4E24-BC24-1BFB42CFD6F5} - C:\Documents and Settings\Frank Kinghorn\Application Data\microsoft\internet explorer\V0.15.dat
     
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    I suggest you do this:

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O4 - HKLM\..\Run: [MHQPOHRU] c:\windows\system32\mhqpohru.exe /install
    O16 - DPF: Win32 Classes -
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1822f4e...ip/RdxIE601.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.134.70:2000/activex/AxisCamControl.cab
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/039848.exe
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE13} (TIBSLoader Class) - http://www.go-in-now.com/tl3000.dll
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_GB.cab

    Restart in Safe Mode:
    Restart your computer.

    Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
    Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


    Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options"
    make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"

    Open c:\windows\system32\mhqpohru.exe <---Delete File

    If these exist with your OS.

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Next navigate to the C:\Documents and Settings\(EVERY USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.

    Post a new HijackThis Log
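    As an added example (not code from the thread, from HijackThis or from the helpers), here is a small Python triage pass that parses HijackThis v1.98 log lines like the ones above and flags the patterns the helpers had the poster fix: orphaned URLSearchHooks, logon autoruns of unexpected executables in system32, DPF controls fetched from file:// or served as raw .exe/.dll or registered without a friendly name, and a text/html MIME filter loaded from a user profile. The sample log is a subset of the first log in the thread; the system32 allow-list is a constructed assumption, not a HijackThis feature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Autoruns that a stock XP install legitimately launches from system32.
# Constructed allow-list for this example; extend it for your own baseline.
KNOWN_SYSTEM32_AUTORUNS = {"systray.exe", "rundll32.exe", "ctfmon.exe"}

# A HijackThis entry line: a section code (R0, R3, O2, O4, O16, O18, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [Name] "C:\path\prog.exe" /switch  ->  capture the program, drop switches.
O4_RE = re.compile(r'\[[^\]]*\]\s*"?(?P<cmd>[^"]+?)"?(?:\s+[/-]\S+)*$')
# O16 body: DPF: {CLSID} (Friendly Name) - URL, where the friendly name may be missing.
O16_RE = re.compile(r"^DPF:\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}\s*(?:\((?P<name>[^)]*)\))?\s*-\s*(?P<url>\S+)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list[str] = field(default_factory=list)


def _check_r3(body: str, reasons: list[str]) -> None:
    # A URLSearchHook whose DLL no longer exists is a leftover of a removed hijacker.
    if body.startswith("URLSearchHook") and body.endswith("(no file)"):
        reasons.append("URLSearchHook whose DLL is gone (orphaned hook)")


def _check_o4(body: str, reasons: list[str]) -> None:
    m = O4_RE.search(body)
    if not m:
        return
    low = m.group("cmd").strip().lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\system32\\" in low and base.endswith(".exe") and base not in KNOWN_SYSTEM32_AUTORUNS:
        reasons.append(f"logon autorun of unexpected system32 executable {base}")


def _check_o16(body: str, reasons: list[str]) -> None:
    m = O16_RE.match(body)
    if not m:  # e.g. "DPF: Win32 Classes -" carries no CLSID
        return
    url = urlparse(m.group("url"))
    if url.scheme == "file":
        reasons.append("DPF control installed from a local file:// path, not a web download")
    if url.path.lower().endswith((".exe", ".dll")):
        reasons.append("DPF entry points at a raw executable instead of a .cab package")
    if not m.group("name"):
        reasons.append("DPF control registered without a friendly name")


def _check_o18(body: str, reasons: list[str]) -> None:
    # A text/html MIME filter sees every page IE renders; one living in a user profile is suspect.
    if body.startswith("Filter: text/html") and "\\documents and settings\\" in body.lower():
        reasons.append("text/html MIME filter loaded from a user profile directory")


CHECKS = {"R3": _check_r3, "O4": _check_o4, "O16": _check_o16, "O18": _check_o18}


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order, each with its reasons."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list and blank lines are not entries
        code, body = m.group("code"), m.group("body")
        reasons: list[str] = []
        if code in CHECKS:
            CHECKS[code](body, reasons)
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


# Sample input: a subset of the first log posted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MHQPOHRU] c:\windows\system32\mhqpohru.exe /install
O16 - DPF: Win32 Classes -
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/039848.exe
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE13} (TIBSLoader Class) - http://www.go-in-now.com/tl3000.dll
O18 - Filter: text/html - {C5C07E0F-2186-4E24-BC24-1BFB42CFD6F5} - C:\Documents and Settings\Frank Kinghorn\Application Data\microsoft\internet explorer\V0.15.dat
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

    Legitimate entries such as the Adobe BHO and the named .cab controls pass through untouched, so the output is a short list to review rather than a verdict.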
     
  3. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    Many thanks. These actions all seemed to go OK.
    New log is below.
    Logfile of HijackThis v1.98.2
    Scan saved at 22:44:26, on 15/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINDOWS\Downloaded Program Files\toolbar2.dll/SEARCH.HTML
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Filter: text/html - {C5C07E0F-2186-4E24-BC24-1BFB42CFD6F5} - C:\Documents and Settings\Frank Kinghorn\Application Data\microsoft\internet explorer\V0.15.dat
     
  4. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Log looks pretty good to me. How's it running?

    Open Spybot and click Mode on the toolbar, then Advanced Mode. Click Immunize in the left pane. Now click Tools, then Hosts File, then Add Spybot-S&D Hosts List. Click the link below for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click Tools in the left pane, HOSTS File and Add Spybot S&D Hosts List.

    That will give you an added layer of protection against unwanted parasites.
     
  5. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    My pc seems to be fine now - I've clicked on some of the links from which I was previously redirected and have deliberately mistyped some web addresses, in every case I got the correct link or was correctly directed to the "This web site does not exist" message. Thank you very much for your help - and for such prompt responses.

    You suggest downloading Spybot and SpywareBlaster but do I need to do this if I continue to use Ad-Aware? Are these better than Ad-Aware, do they complement it, or are they just an extra level of security (two or three heads being better than one!)?

    Thanks again.
     
  6. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    They all perform many of the same things but also protect against different things. So I'd say extra level. Myself, I run a registry protection program and a firewall along with the above. Can't have enough protection :D

    Glad we were able to help (y)
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,853
    There are a couple of other entries that need to go.

    Please rescan with Hijack This and have it fix:

    O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINDOWS\Downloaded Program Files\toolbar2.dll/SEARCH.HTML

    O18 - Filter: text/html - {C5C07E0F-2186-4E24-BC24-1BFB42CFD6F5} - C:\Documents and Settings\Frank Kinghorn\Application Data\microsoft\internet explorer\V0.15.dat


    Do a couple of on-line virus scans at these links:

    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    Then reboot and post another log please
     
  8. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    CookieGal:
    Good catch Cookie. Bad miss by me. Looks like CWShredder removed it in this thread.

    http://forums.techguy.org/showthread.php?t=266662

    Thanks ;)
     
  9. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    Thanks to both of you. Apologies for the delay in responding but I have been overseas for 2 weeks.
    I've done as CookieGal suggested and run the 2 anti-virus programs and the subsequent HijackThis log is pasted below.
    Logfile of HijackThis v1.98.2
    Scan saved at 13:42:24, on 02/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,853
    The log looks fine. How's everything running?
     
  11. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    Everything seems OK with regard to security now, thanks. I do have a problem with my IDE-CD R/RW not functioning. Although this occurred around the time I first contacted the TSG it was also the first time I had tried to use it after installing SP2, so I suspect it is something to do with that or it is a coincidental physical fault in the hardware. However I'll post a query on that in the Hardware section of Techguy as I presume I should not confuse this thread - but after I've sent off my donation in thanks for all your help so far!
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,853
  13. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    Sorry to bother you again, but I've run Spybot several times and it keeps coming up with DSO Exploit and DyFuCA items. It "fixes" the former but not the latter but, on rebooting, both reappear. I've disabled System Restore after running Spybot and before rebooting but this makes no difference. I've attached the Spybot log. What have I done wrong?!

    --- Search result list ---
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-583907252-507921405-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DyFuCA: RAS profile (Registry key, fixing failed)
    HKEY_USERS\S-1-5-18\Software\FCI

    DyFuCA: RAS profile (Registry key, fixing failed)
    HKEY_USERS\S-1-5-20\Software\FCI

    DyFuCA: RAS profile (Registry key, fixing failed)
    HKEY_USERS\S-1-5-19\Software\FCI

    DyFuCA: RAS profile (Registry key, fixing failed)
    HKEY_USERS\.DEFAULT\Software\FCI


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\LSP.sbi
    2004-08-11 Includes\Cookies.sbi
    2004-09-16 Includes\Dialer.sbi
    2004-09-16 Includes\Hijackers.sbi
    2004-09-16 Includes\Keyloggers.sbi
    2004-09-16 Includes\Malware.sbi
    2004-08-12 Includes\Revision.sbi
    2004-09-16 Includes\Security.sbi
    2004-09-16 Includes\Spybots.sbi
    2004-09-16 Includes\Trojans.sbi
    2004-08-30 Includes\Tracks.uti


    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / DataAccess: Microsoft Data Access Components KB870669
    / DataAccess: Patch Available For XMLHTTP Vulnerability
    / DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
    / DataAccess: Security Update for Microsoft Data Access Components
    / DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
    / Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
    / Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
    / Windows Media Player: Windows Media Update Q308567
    / Windows Media Player: Windows Media Update 320920
    / Windows Media Player: Windows Media Update 320920
    / Windows Media Player: Windows Media Update 819639
    / Windows Media Player: Windows Media Update 828026
    / Windows XP / SP2: Windows XP Service Pack 2


    --- Startup entries list ---
    Located: HK_LM:Run, AVG_CC
    command: C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    file: C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    size: 345661
    MD5: a21829ad1ff2db8b77f3d6e42d76b9e1

    Located: HK_LM:Run, EM_EXEC
    command: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    file: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    size: 28672
    MD5: bcdbcd110dae1abca8f3787c8fcd3166

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: HK_LM:Run, SystemTray
    command: SysTray.Exe
    file: C:\WINDOWS\system32\SysTray.Exe
    size: 3072
    MD5: 46e07fd3a40760fda18cf6b4fc691742

    Located: HK_LM:Run, TkBellExe
    command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    size: 180269
    MD5: 7237366a57a26b7ed71c9b081fbdd6eb

    Located: HK_LM:Run, Adaptec DirectCD (DISABLED)
    command: C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

    Located: HK_LM:Run, CreateCD (DISABLED)
    command: C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

    Located: HK_LM:Run, InstantAccess (DISABLED)
    command: C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    file: C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE
    size: 37376
    MD5: ef5fe31ef2a0c741de3c5650de0f5e91

    Located: HK_LM:Run, LexmarkPrinTray (DISABLED)
    command: PrinTray.exe
    file: C:\WINDOWS\system32\PrinTray.exe
    size: 36864
    MD5: f6fbdf4b44ee9e5c58ac8d0508ae373a

    Located: HK_LM:Run, LexStart (DISABLED)
    command: Lexstart.exe

    Located: HK_LM:Run, LoadQM (DISABLED)
    command: loadqm.exe
    file: C:\WINDOWS\loadqm.exe
    size: 7536
    MD5: 69d7217f9d7f49d6706baf90f52b472b

    Located: HK_LM:Run, PCHealth (DISABLED)
    command: C:\Windows\PCHealth\Support\PCHSchd.exe -s

    Located: HK_LM:Run, RegisterDropHandler (DISABLED)
    command: C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    file: C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    size: 23040
    MD5: ebea065b4a6932c83059c190d1516e4c

    Located: HK_LM:RunServices, Avgserv9.exe (DISABLED)
    command: C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

    Located: HK_LM:RunServices, LoadPowerProfile (DISABLED)
    command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    file: C:\WINDOWS\system32\Rundll32.exe
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: HK_LM:RunServices, SchedulingAgent (DISABLED)
    command: mstask.exe

    Located: HK_LM:RunServices, StillImageMonitor (DISABLED)
    command: C:\WINDOWS\SYSTEM32\STIMON.EXE
    file: C:\WINDOWS\SYSTEM32\STIMON.EXE
    size: 14848
    MD5: 8b9a897ba5db04aa59dc32bd2a112563

    Located: HK_CU:Run, H/PC Connection Agent
    command: "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    file: C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    size: 413775
    MD5: e729abbad56fe6a7142abbe1743c80bb

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1667584
    MD5: b53343fe60a33ee765c2476d50d27b26

    Located: HK_CU:Run, MoneyAgent (DISABLED)
    command: "C:\Program Files\Microsoft Money\System\Money Express.exe"
    file: C:\Program Files\Microsoft Money\System\Money Express.exe
    size: 127040
    MD5: 0fb524b7b50e5913b2b52315cf1613f0

    Located: HK_CU:Run, PopUpStopperFreeEdition (DISABLED)
    command: "C:\Documents and Settings\Frank Kinghorn\My Documents\Internet\Pop-Up Stopper Free Edition\PSFree.exe"
    file: C:\Documents and Settings\Frank Kinghorn\My Documents\Internet\Pop-Up Stopper Free Edition\PSFree.exe
    size: 524288
    MD5: e436db5d972bdbb83aed402f9024602e

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    size: 65588
    MD5: 2ff8eebba2c04e619038d65dba422d15

    Located: Startup (disabled), Logitech Desktop Messenger (DISABLED)
    command: C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe /start
    file: C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe
    size: 169472
    MD5: 91291ca1490f952d977618544d540b87



    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    BHO name:
    CLSID name: AcroIEHlprObj Class
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 15/05/2003 00:47:54
    Date (last access): 04/10/2004
    Date (last write): 15/05/2003 00:47:54
    Filesize: 50376
    Attributes: archive
    MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
    CRC32: 1D771322
    Version: 0.6.0.0

    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\PROGRA~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name: SDHELPER.DLL
    Date (created): 12/05/2004 01:03:00
    Date (last access): 04/10/2004
    Date (last write): 12/05/2004 01:03:00
    Filesize: 744960
    Attributes: archive
    MD5: ABF5BA518C6A5ED104496FF42D19AD88
    CRC32: 5587736E
    Version: 0.1.0.3



    --- ActiveX list ---
    DirectAnimation Java Classes (DirectAnimation Java Classes)
    DPF name: DirectAnimation Java Classes
    CLSID name:
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\dajava.cab
    info link:
    info source: Patrick M. Kolla

    Internet Explorer Classes for Java (Internet Explorer Classes for Java)
    DPF name: Internet Explorer Classes for Java
    CLSID name:
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\iejava.cab
    info link:
    info source: Patrick M. Kolla

    Microsoft XML Parser for Java (Microsoft XML Parser for Java)
    DPF name: Microsoft XML Parser for Java
    CLSID name:
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
    info link:
    info source: Patrick M. Kolla

    {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
    DPF name:
    CLSID name: Microsoft Office Template and Media Control
    Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
    Long name: IEAWSDC.DLL
    Short name:
    Date (created): 14/05/2004 18:01:46
    Date (last access): 04/10/2004
    Date (last write): 14/05/2004 18:01:46
    Filesize: 87240
    Attributes: archive
    MD5: DCDD3DC308DAE40F09C9135FB8C2D7BF
    CRC32: B9855495
    Version: 0.11.0.0

    {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
    DPF name:
    CLSID name: Office Update Installation Engine
    Path: C:\WINDOWS\
    Long name: opuc.dll
    Short name:
    Date (created): 27/08/2003 04:10:30
    Date (last access): 04/10/2004
    Date (last write): 27/08/2003 04:10:30
    Filesize: 314368
    Attributes: archive
    MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
    CRC32: E98FC293
    Version: 0.11.0.0

    {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
    DPF name:
    CLSID name: HouseCall Control
    description: Trend Micro Antivirus online scanner
    classification: Legitimate
    known filename: XSCAN53.OCX
    info link:
    info source: Patrick M. Kolla
    Path: C:\WINDOWS\DOWNLO~1\
    Long name: xscan53.ocx
    Short name:
    Date (created): 24/03/2004 18:22:12
    Date (last access): 04/10/2004
    Date (last write): 24/03/2004 18:22:12
    Filesize: 435712
    Attributes: archive
    MD5: 99A67AEE9A6E3EFD2126AFA0840ECBED
    CRC32: 9198FA39
    Version: 0.5.0.70

    {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
    DPF name:
    CLSID name: ActiveScan Installer Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: asinst.dll
    Short name:
    Date (created): 07/08/2003 09:02:50
    Date (last access): 04/10/2004
    Date (last write): 07/08/2003 09:02:50
    Filesize: 110592
    Attributes: archive
    MD5: BF100C75EBD536E45B2BE67A685DD39C
    CRC32: 99F54DBA
    Version: 0.55.0.2

    {9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
    DPF name:
    CLSID name:
    description: Windows Update
    classification: Legitimate
    known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
    info link:
    info source: Patrick M. Kolla

    {CEBC955E-58AF-11D2-A30A-00A0C903492B} ()
    DPF name:
    CLSID name:
    description: Windows Update
    classification: Legitimate
    known filename: WUV3IS.DLL
    info link:
    info source: Patrick M. Kolla

    {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
    DPF name:
    CLSID name: Shockwave Flash Object
    description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
    info link:
    info source: Patrick M. Kolla
    Path: C:\WINDOWS\System32\macromed\flash\
    Long name: Flash.ocx
    Short name: FLASH.OCX
    Date (created): 08/04/2004 17:51:02
    Date (last access): 04/10/2004
    Date (last write): 08/04/2004 17:51:02
    Filesize: 939368
    Attributes: archive
    MD5: 2FB1D6FAB135CEE391AB3D70E1C26347
    CRC32: 488FA4EC
    Version: 0.7.0.0



    --- Process list ---
    Spybot - Search && Destroy process list report, 04/10/2004 17:29:22

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 324 ( 4) \SystemRoot\System32\smss.exe
    PID: 372 ( 324) CSRSS.EXE
    PID: 396 ( 324) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 440 ( 396) C:\WINDOWS\system32\services.exe
    PID: 452 ( 396) C:\WINDOWS\system32\lsass.exe
    PID: 596 ( 440) C:\WINDOWS\system32\svchost.exe
    PID: 644 ( 440) SVCHOST.EXE
    PID: 708 ( 440) C:\WINDOWS\System32\svchost.exe
    PID: 776 ( 440) SVCHOST.EXE
    PID: 860 ( 440) SVCHOST.EXE
    PID: 984 ( 440) C:\WINDOWS\system32\spoolsv.exe
    PID: 1164 ( 440) C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    PID: 1200 ( 440) C:\WINDOWS\System32\nvsvc32.exe
    PID: 1324 ( 440) C:\WINDOWS\System32\svchost.exe
    PID: 1624 (1552) C:\WINDOWS\Explorer.EXE
    PID: 1660 (1624) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    PID: 1860 ( 440) alg.exe


    --- Browser start & search pages list ---
    Spybot - Search && Destroy browser pages report, 04/10/2004 17:29:22

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.ntlworld.com/
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\SYSTEM32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip [*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip [*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip [*]

    Protocol 3: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 4: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{264A6673-8B13-474E-B2E3-D4F4C592EC35}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{264A6673-8B13-474E-B2E3-D4F4C592EC35}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8791D923-0A16-4A4E-A6D5-88DC415008C3}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8791D923-0A16-4A4E-A6D5-88DC415008C3}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E3FE1CC7-3B00-4E10-9F4A-324AA5333A9F}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E3FE1CC7-3B00-4E10-9F4A-324AA5333A9F}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Network Location Awareness (NLA) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,853
    The DSO exploits are just a bug in SpyBot.

    Please post a current Hijack This log.
     
  15. Frankie107

    Frankie107 Thread Starter

    Joined:
    Sep 14, 2004
    Messages:
    107
    Here is the HijackThis log.

    Logfile of HijackThis v1.98.2
    Scan saved at 09:37:02, on 05/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
Short URL to this thread: https://techguy.org/274011