Another Hijack this Scan.....

Discussion in 'Windows Desktop Systems' started by Heeter, Mar 19, 2004.

  1. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    Any help will be greatly appreciated


    Logfile of HijackThis v1.97.7
    Scan saved at 10:55:06 PM, on 18/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
    C:\PROGRA~1\FLAWBA~1\2 live ref.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Erin\My Documents\My Received Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - (no file)
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {44B421C0-696A-9945-969F-B93BF30067F9} - C:\PROGRA~1\Campuser\Site Roam.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: BoneDriveStop - {028581A1-6EA1-AA3B-8A51-FB6B7D15152A} - C:\PROGRA~1\Campuser\Site Roam.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [Spam Blocker] C:\Program Files\Safeworld\Spam Blocker\Safeworld Spam Blocker.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
    O4 - HKLM\..\Run: [Anti plus] C:\PROGRA~1\FLAWBA~1\2 live ref.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [cpntmgc] C:\WINDOWS\simcss\simcss.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1042.cab
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://centraone.ucalgary.ca/main/Install/CentraDownloader.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k5614.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = k5614.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4729DD2C-5B86-4A21-8BDD-F7E57BEFBD0A}: Domain = k5614.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C10BF4AE-F544-4CFD-B2CD-03D730C24F07}: Domain = k5614.find-quick.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k5614.find-quick.com


    Heeter
     
  2. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    You've got some dialers, and I see GATOR and some other common spyware in there. Run an updated version of Spybot Search and Destroy and AdAware which will get most of your infections. Then download Firefox and stop using Internet Explorer, most of your problems are ActiveX related.
     
  3. Enyo

    Enyo Moderator

    Messages:
    1,338
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - (no file)

    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe

    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe

    O4 - HKLM\..\Run: [Anti plus] C:\PROGRA~1\FLAWBA~1\2 live ref.exe (?)

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKCU\..\Run: [cpntmgc] C:\WINDOWS\simcss\simcss.exe

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k5614.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = k5614.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4729DD2C-5B86-4A21-8BDD-F7E57BEFBD0A}: Domain = k5614.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C10BF4AE-F544-4CFD-B2CD-03D730C24F07}: Domain = k5614.find-quick.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k5614.find-quick.com

    Get rid of the above and then do as j79zlr suggested.

    Check Anti Plus. I don't know it and the filename is unusual.

    You may also need help from WinsockXPFix. Keep it on hand incase once the items are removed you find yourself without connectivity.

    See: http://members.shaw.ca/techcd/WinsockXPFix.exe
     
  4. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    Great, Thanks.

    I will get to work on this right away.

    Heeter