Spyware Or Hijack Problem

[jdrichar]

When browsing, a site (http://t.swapx.cc/h.php?aid=80) pops up frequently. Certain sites, like my e-mail, cannot even be viewed. Also, I get two porn sites added to my favorited, and no matter how many times I delete them, they always ome back. Here is my HjT log:

Logfile of HijackThis v1.98.2

Scan saved at 10:26:03 AM, on 10/9/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINNT\System32\swxkqg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE

C:\WINNT\System32\wuauclt.exe

C:\Program Files\Juno6\qs\exec.exe

C:\Program Files\Juno6\qs\exec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Symantec Shared\nmain.exe

c:\PROGRA~1\NORTON~1\navw32.exe

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZMOF7DW9\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\RXLNFU~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [gggvrepb] C:\WINNT\System32\swxkqg.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINNT\d3wz.dll,Install

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kxqwxepb.exe

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4025.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BDE86981-BFC4-4A79-A9E0-C137686791F8}: NameServer = 64.136.28.120 64.136.20.120

O20 - AppInit_DLLs: vz29kvl7s1zl0.dll

[robroy]

Sounds like a hijack

have you run ad aware, spybot s & d etc.

Move hijack this to its own folder away from the temporary internet folder wher it could get deleted

JD

[therock247uk]

1. Download adaware from http://www.lavasoft.de/support/download/ install it and update it. Dont run the scan with it yet we will do that later on.

2. Ok go into safemode following instructions on http://service1.symantec.com/SUPPORT/tsgen...001052409420406

3. When in safemode. Open Adaware which is what you downloaded earlyer.

Before scanning with Ad-aware SE Free:

Run a FULL adaware scan using the following configuration below

Click Start

Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.

It will list malware files and registry keys. Click Next.

Under the Critical Objects tab, rightclick in the list, choose Select All, then Next.

It will ask for verification of checked items. Choose OK.

Close Ad-Aware, Reboot into normal mode.

4. Then post a new Hijakckthis log here in a reply.

Edited October 9, 2004 by therock247uk

[therock247uk]

Ok because you cannot run both Adaware and housecall we are going to do this.

1. Make sure you have show hidden files on go here for instructions. http://www.xtra.co.nz/help/0,,4155-1916458,00.html Boot into safemode if you dont know how go here for Instructions. http://service1.symantec.com/SUPPORT/tsgen...001052409420406

2. While in safemode. Open Hijackthis and click scan. Then tick and fix the following in hijackthis with all windows closed except Hijackthis leaving hijackthis the only program open.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\RXLNFU~1.DLL

O4 - HKLM\..\Run: [gggvrepb] C:\WINNT\System32\swxkqg.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINNT\d3wz.dll,Install

O4 - Global Startup: winlogin.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kxqwxepb.exe

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

O20 - AppInit_DLLs: vz29kvl7s1zl0.dll

3. Go to Start, Control Panel, Add/Remove and uninstall Wintools if it is there.

4. Delete the folders.

C:\Program Files\Submit\

C:\Program Files\Common Files\WinTools\

C:\Program Files\SideFind\

5. Delete the files.

C:\WINNT\System32\swxkqg.exe

image.dll < Might be in C:\WINNT\ or C:\WINNT\System32

vz29kvl7s1zl0.dll < Might be in C:\WINNT\ or C:\WINNT\System32

C:\Program Files\Internet Explorer\kxqwxepb.exe

C:\WINNT\System32\RXLNFU~1.DLL < File starts with RXLNFU

6. Reboot into normal mode and post a new Hijackthis log here in a reply.

Edited October 9, 2004 by therock247uk

[Chappy]

I also noticed that neither XP nor IE have any patches applied. This is a very dangerous way to run your machine as many known vulnerabilities exist and can be exploited along with your spyware problems.

Please visit MS Windows Update and apply SP2 for XP and IE.

Dave