Hijackthis Log - Please evaluate

soul13 · 10-29-2004, 03:57 PM

This is my hijackthis log run this afternoon. I am having a ton of trouble keeping viruses, etc. from infecting my computer. I run spywareguard, spywareblaster, spybot search and desroy and AVG anti-virus. Thanks

Logfile of HijackThis v1.97.2
Scan saved at 3:45:49 PM, on 10/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = none
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Erika's Lair
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: v3cab -
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://fpdownload.macromedia.com/get...re/awswaxd.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} -
O16 - DPF: {28DCBCA1-EE10-40E6-8850-8D515E42A13C} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098394415073
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} -
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} -
O16 - DPF: {E8415EF3-062B-4165-9291-93000FDB5130} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

mimo2005 · 10-29-2004, 04:09 PM

hi

if you dont have this :

adware se version (1.5) ,get it

http://www.download.com/3000-2144-10...age&tag=button

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

please download the new hijackthis
http://www.softpedia.com/public/cat/...10-17-69.shtml

scan and post new log .

soul13 · 10-29-2004, 06:20 PM

I ran Adaware and spybot and spywareblaster, AVG, as well as online torjan scan, then reran hijack this and here's my log:

Logfile of HijackThis v1.98.2
Scan saved at 8:15:44 PM, on 10/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = none
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Erika's Lair
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: v3cab -
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} -
O16 - DPF: {28DCBCA1-EE10-40E6-8850-8D515E42A13C} -
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098394415073
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} -
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} -
O16 - DPF: {E8415EF3-062B-4165-9291-93000FDB5130} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

mimo2005 · 10-29-2004, 06:26 PM

looking at this log .

mimo2005 · 10-29-2004, 06:34 PM

Hi

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = none
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: v3cab -
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} -
O16 - DPF: {28DCBCA1-EE10-40E6-8850-8D515E42A13C} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} -
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} -
O16 - DPF: {E8415EF3-062B-4165-9291-93000FDB5130} -

Restart to safe mode.

How to start your computer in safe mode
http://service1.symantec.com/SUPPORT...01052409420406

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete (you can windows search tool)

IEXPL0RES.exe
winser32.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Reboot

and post a new log .

soul13 · 11-01-2004, 12:26 PM

I followed the abovedirections completely however I encounter two problems. #1 After selecting to show all hidden, system files from both locations you specified I was not able to locate either the IEXPLORES.EXE or winser32.exe files. Also when I try to delete file inder the internet options tab I get the following error message:
An exception occurred while tyring to run "shel32.dll,Control_RunDLL C:\WINDOWS\System32|inetcpl.cpl,"

Please advise. And thanks for all your help so far!

Logfile of HijackThis v1.98.2
Scan saved at 2:18:23 PM, on 11/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\hijackthis\HijackThis.exe
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Erika's Lair
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js)
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098394415073
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = direcway.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

greyknight17 · 11-01-2004, 03:00 PM

Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe

Reboot into Safe Mode (hit F8 key until menu shows up). Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

IEXPL0RES.exe - do a search for it
winser32.exe - do a search for it

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.

10-29-2004, 03:57 PM	#1 (permalink)
soul13 Registered User Join Date: Oct 2004 Posts: 3 OS: WINXP Pro	Hijackthis Log - Please evaluate This is my hijackthis log run this afternoon. I am having a ton of trouble keeping viruses, etc. from infecting my computer. I run spywareguard, spywareblaster, spybot search and desroy and AVG anti-virus. Thanks Logfile of HijackThis v1.97.2 Scan saved at 3:45:49 PM, on 10/29/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\DIRECWAY\BIN\dpcstart.exe C:\WINDOWS\System32\devldr32.exe C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\ntvdm.exe C:\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = none R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Erika's Lair R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js) O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O16 - DPF: v3cab - O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://fpdownload.macromedia.com/get...re/awswaxd.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} - O16 - DPF: {28DCBCA1-EE10-40E6-8850-8D515E42A13C} - O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098394415073 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} - O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} - O16 - DPF: {E8415EF3-062B-4165-9291-93000FDB5130} - O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = direcway.com O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

10-29-2004, 06:20 PM	#3 (permalink)
soul13 Registered User Join Date: Oct 2004 Posts: 3 OS: WINXP Pro	Rescanned with newest version I ran Adaware and spybot and spywareblaster, AVG, as well as online torjan scan, then reran hijack this and here's my log: Logfile of HijackThis v1.98.2 Scan saved at 8:15:44 PM, on 10/29/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\DIRECWAY\BIN\dpcstart.exe C:\WINDOWS\System32\devldr32.exe C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Yahoo!\Messenger\YPager.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = none R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Erika's Lair R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O16 - DPF: v3cab - O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} - O16 - DPF: {28DCBCA1-EE10-40E6-8850-8D515E42A13C} - O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098394415073 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} - O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} - O16 - DPF: {E8415EF3-062B-4165-9291-93000FDB5130} - O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = direcway.com O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

11-01-2004, 12:26 PM	#6 (permalink)
soul13 Registered User Join Date: Oct 2004 Posts: 3 OS: WINXP Pro	Posting new log I followed the abovedirections completely however I encounter two problems. #1 After selecting to show all hidden, system files from both locations you specified I was not able to locate either the IEXPLORES.EXE or winser32.exe files. Also when I try to delete file inder the internet options tab I get the following error message: An exception occurred while tyring to run "shel32.dll,Control_RunDLL C:\WINDOWS\System32\|inetcpl.cpl," Please advise. And thanks for all your help so far! Logfile of HijackThis v1.98.2 Scan saved at 2:18:23 PM, on 11/1/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe C:\Program Files\DIRECWAY\BIN\dpcstart.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\devldr32.exe C:\hijackthis\HijackThis.exe C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Erika's Lair R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Erika\Application Data\Mozilla\Profiles\default\ssx7emvl.slt\prefs.js) O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098394415073 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CCS\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = direcway.com O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CS2\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = direcway.com O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: Domain = direcway.com O17 - HKLM\System\CS3\Services\Tcpip\..\{317E8339-77D6-42D8-9BDA-D3A637C567D6}: NameServer = 66.82.4.8 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = direcway.com

11-01-2004, 03:00 PM	#7 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe Reboot into Safe Mode (hit F8 key until menu shows up). Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: IEXPL0RES.exe - do a search for it winser32.exe - do a search for it Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

10-29-2004, 04:09 PM	#2 (permalink)
mimo2005 Manager, The Relaxation Room/Analyst, Security Team Join Date: Oct 2004 Posts: 10,772 OS: xp	hi if you dont have this : adware se version (1.5) ,get it http://www.download.com/3000-2144-10...age&tag=button Install the program and launch it. First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files. From main window :Click Start then under Select a scan Mode tick Perform full system scan. Next deselect Search for negligible risk entries. Now to scan just click the Next button. When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next) Restart your computer. please download the new hijackthis http://www.softpedia.com/public/cat/...10-17-69.shtml scan and post new log .

10-29-2004, 06:26 PM	#4 (permalink)
mimo2005 Manager, The Relaxation Room/Analyst, Security Team Join Date: Oct 2004 Posts: 10,772 OS: xp	looking at this log .

10-29-2004, 06:34 PM	#5 (permalink)
mimo2005 Manager, The Relaxation Room/Analyst, Security Team Join Date: Oct 2004 Posts: 10,772 OS: xp	Hi Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked" R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = none R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = none R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O4 - HKLM\..\RunServices: [AntiVirus] IEXPL0RES.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O16 - DPF: v3cab - O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} - O16 - DPF: {28DCBCA1-EE10-40E6-8850-8D515E42A13C} - O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} - O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} - O16 - DPF: {E8415EF3-062B-4165-9291-93000FDB5130} - Restart to safe mode. How to start your computer in safe mode http://service1.symantec.com/SUPPORT...01052409420406 Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders" Click "Apply" then "OK" Now find and delete (you can windows search tool) IEXPL0RES.exe winser32.exe Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK. Empty the Recycle Bin Reboot and post a new log .