Hijack This Logfile Help (NetSpry.com Problem)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kazel, Jun 12, 2004.

  1. Kazel

    Kazel Private E-2

    I'm sure you have gotten this many times before, but my browser has been hijacked by NetSpry.com or whatever. I've run AdAware 6, Spybot Search & Destroy, CWShredder, and Norton 2004 to no avail. Here's the HijackThis log file, thanks in advance for the help:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:24:00 PM, on 6/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Stardock\TrayServer.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\ttd.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\WINDOWS\System32\aoltwh32.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\Documents and Settings\Kazel\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.netspry.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O2 - BHO: WinPage Blocker - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [cupdate] C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\cupdate.exe
    O4 - HKLM\..\Run: [bcray] C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\1001\bcray.exe
    O4 - HKLM\..\Run: [fUG57A.exe] C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    O4 - HKLM\..\Run: [fUG57A] C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ttd.exe] C:\WINDOWS\System32\ttd.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\Run: [ttd.exe] C:\WINDOWS\System32\ttd.exe
    O4 - HKCU\..\Run: [Kw24Rki2T] aoltwh32.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: ComcastHSI (HKLM)
    O9 - Extra button: Support (HKLM)
    O9 - Extra button: Help (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
    O16 - DPF: {AFCC55FE-70FA-474C-A90C-A6803817B7A7} (myregistry_checker Class) - http://68.47.160.12/servlet/WebCIDER?cmd=showpage&sid=086896786584&html=/WebCIDER/RegistryReader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlaccell.CAB
     
  2. DanTekGeek

    DanTekGeek Master Sergeant

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.netspry.com

    fix that
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, I'm going to assume two items are for mouse and logon screen control and a game, and that you want them, so I'm going to ignore them. These two items are the StarDock stuff and the TTD stuff (is that Transport Tycoon Deluxe?).

    First you should try uninstalling NetSpry. See this link: http://www.netspry.com/uninstall.html
    Check Add/Remove Programs to see if there is an uninstall for VirtualBouncer. If so, uninstall it.


    Okay, so first the things to definitely have HijackThis fix (if still there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.netspry.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O2 - BHO: WinPage Blocker - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll

    O4 - HKLM\..\Run: [cupdate] C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\cupdate.exe
    O4 - HKLM\..\Run: [bcray] C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\1001\bcray.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...stx/install.cab
    O16 - DPF: {AFCC55FE-70FA-474C-A90C-A6803817B7A7} (myregistry_checker Class) - http://68.47.160.12/servlet/WebCIDE...istryReader.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlaccell.CAB

    Then boot in safe mode and remove the following (if still there):
    C:\Program Files\AutoUpdate <--- The whole directory
    C:\Program Files\VBouncer <--- The whole directory
    C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\cupdate.exe
    C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\1001\bcray.exe

    Now the things that look very questionable, but I don't have enough info to determine. I don't believe there should be any valid program running out of a temp folder, so I question what fUG57A.exe is and why it is running twice. This stuff really looks like it should be fixed to me.
    C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    O4 - HKLM\..\Run: [fUG57A.exe] C:\documents and settings\kazel\local settings\temp\fUG57A.exe
    O4 - HKLM\..\Run: [fUG57A] C:\documents and settings\kazel\local settings\temp\fUG57A.exe

    Is aoltwh32.exe part of AOL? I can't find any info on it anywhere.
    C:\WINDOWS\System32\aoltwh32.exe
    O4 - HKCU\..\Run: [Kw24Rki2T] aoltwh32.exe
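
    The triage rules chaslang applies by eye above (a start page that isn't the one you expect, a search hook whose file is gone, Run entries pointing into a temp folder, the same executable registered twice, an autostart that is just a bare file name, an ActiveX download served from a raw IP) can be written down as a small script. This is an added example for readers of the thread, not something posted by Kazel, chaslang or MajorGeeks; the sample entries are copied from the log above, the "expected home pages" list is an assumption based on the Dell/Comcast defaults in that log, and the rules only flag lines for a human to look at, they don't decide anything is malware (Spybot's SDHelper.dll BHO shows as "(no name)" too, which is why O2 entries are deliberately not flagged here).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 format, taken from the entries posted
# above (a subset; the tool prints one entry per line).
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.netspry.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cupdate] C:\DOCUME~1\Kazel\LOCALS~1\Temp\SFXCE.tmp\cupdate.exe
O4 - HKLM\..\Run: [fUG57A.exe] C:\documents and settings\kazel\local settings\temp\fUG57A.exe
O4 - HKLM\..\Run: [fUG57A] C:\documents and settings\kazel\local settings\temp\fUG57A.exe
O4 - HKCU\..\Run: [Kw24Rki2T] aoltwh32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AFCC55FE-70FA-474C-A90C-A6803817B7A7} (myregistry_checker Class) - http://68.47.160.12/servlet/WebCIDER?cmd=showpage&sid=086896786584&html=/WebCIDER/RegistryReader.cab
'''

# Assumed: the home pages this machine is supposed to have (Dell/Comcast defaults from the log).
EXPECTED_HOMEPAGES = ("http://www.dellnet.com", "http://www.comcast.net/")

TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)   # "\temp\" or "\tmp\" anywhere in a path
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")        # host part that is a bare IPv4 address
O4_RUN_RE = re.compile(r"(?:HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)")


@dataclass
class Finding:
    line: str
    reason: str


def _run_target(command: str) -> str:
    """Pull the executable path out of the value of an O4 Run entry."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, arguments follow the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r".*?\.exe", command, re.IGNORECASE)   # unquoted path with spaces: cut at the first .exe
    return m.group(0) if m else command.split()[0]


def triage(log_text: str, expected_homepages=EXPECTED_HOMEPAGES) -> list:
    """Return the log lines a human should look at, each with the rule that flagged it."""
    findings = []
    seen_targets = {}                                   # lower-cased exe path -> first Run entry name
    allowed = {h.lower() for h in expected_homepages}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" - ")
        if kind in ("R0", "R1"):
            key, _, value = rest.partition(" = ")
            if key.endswith(("Start Page", "Default_Page_URL")) and value.strip().lower() not in allowed:
                findings.append(Finding(line, "browser home page set to an unexpected value"))
        elif kind == "R3" and rest.endswith("(no file)"):
            findings.append(Finding(line, "URLSearchHook registered but its file is missing"))
        elif kind == "O4":
            m = O4_RUN_RE.match(rest)
            if not m:                                   # Startup folder entries are not handled here
                continue
            name, target = m.group(1), _run_target(m.group(2))
            if TEMP_DIR_RE.search(target):
                findings.append(Finding(line, "autostart points into a temp folder"))
            elif "\\" not in target:
                findings.append(Finding(line, "autostart is a bare file name with no directory"))
            key = target.lower()
            if key in seen_targets:
                findings.append(Finding(line, f"same executable already registered as [{seen_targets[key]}]"))
            else:
                seen_targets[key] = name
        elif kind == "O16":
            url = rest.rsplit(" - ", 1)[-1]             # the download URL is the last " - " field
            if IPV4_RE.match(urlparse(url).hostname or ""):
                findings.append(Finding(line, "ActiveX download from a raw IP address"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

    Run it as-is and it prints the eight entries from the sample that match a rule (the NetSpry start page, the orphaned search hook, the three temp-folder Run entries, the duplicate fUG57A registration, the bare aoltwh32.exe name, and the RegistryReader.cab download from 68.47.160.12), while the QuickTime, Flash and Spybot lines pass through untouched. To use it on your own log, paste the R0/R3/O4/O16 lines into `SAMPLE_LOG` and put your ISP's real home page in `EXPECTED_HOMEPAGES`.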
     
