0

hi there,

i've been hijacked... i read other posts, downloaded HijackThis, ran it and produced a log, i didn't want to delete anything until someone had a look at the log for me, the hijacking is quite agressive, every time a browser window opens you get pop-ups a plenty... anyway, here's the log:

>>>>
Logfile of HijackThis v1.97.7
Scan saved at 17:59:57, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Turtle Beach\Santa Cruz\Drivers\WDM\TbcTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\DoubleDesktop\dd.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\dug\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dcs.gla.ac.uk/~greend/search_google.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\dug\Application Data\ieuq\ieuq32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\dug\Application Data\msun\mssearch.dll (file missing)
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\dug\Application Data\ieuq\msiesh.dll
O3 - Toolbar: (no name) - {B20D8A47-9FCA-4E73-8D53-7090CB1204C4} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [TraySantaCruz] C:\Program Files\Turtle Beach\Santa Cruz\Drivers\WDM\TbcTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DoubleDesktop.lnk = C:\Program Files\DoubleDesktop\dd.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOCUME~1\ROOT\DESKTOP\VJAVA\VJ98\wfcforms.cab
O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOCUME~1\ROOT\DESKTOP\VJAVA\VJ98\vstudio6.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2AF973E9-21D2-4BCE-AB51-9DE67165A7C4} (ActiveGL Control) - http://nl.mirrors.gtaskins.com/viewer/modelviewer.ocx
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {502D6B74-E970-47B7-A4CB-A09CC799EFE6} (Fly3D Control) - http://www.fly3d.com.br/ocx/flyActiveX.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {854CE4DE-C85D-483C-9337-C1692E66ADCE} (pPan3d Control) - http://www.paralelo.com.br/pan3d/pPan3d.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E7E557E-0FF3-42FC-86CA-DBA25E6CB31D} (AvatarMEConsole2 Class) - http://www.avatar-me.com/Install/avatar-mecom/Avatar-MeConsole2.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.2311689815
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {B038A6C8-441B-11D4-BD8F-000021E2C68B} (ICFViewer Control) - http://www.rapidform.com/english/icfviewer/bin/icfviewer.cab
O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) - http://www.famous3d.com/viewer/latest/axf3d.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2926D57-2D14-4F13-B71B-27460B106101} (Talker Class) - http://www.lipsinc.com/lipsinctalker.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = virtualclones.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA9D4BE0-C33B-4B42-8B3F-D2D75E2C736B}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = virtualclones.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = virtualclones.com
>>>>

any help would be greatly appreciated...
thanks in advance,
dug.

2
Contributors
1
Reply
2
Views
13 Years
Discussion Span
Last Post by crunchie
0

Hi. Run HJT again & get it to fix these entries;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\dug\Application Data\ieuq\ieuq32.dll

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\dug\Application Data\msun\mssearch.dll (file missing)

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\dug\Application Data\ieuq\msiesh.dll

O3 - Toolbar: (no name) - {B20D8A47-9FCA-4E73-8D53-7090CB1204C4} - (no file)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install

O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Reboot into safe mode & delete;

C:\WINNT\image.dll,Install

It will not hurt to delete all the 016 entries cos if you need them again they will be downloaded again.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.