hijacked ...

Zuma, Rio de Janeiro - Brazil
edited October 2004 in Spyware & Virus Removal
Hi, my PC got infected by one of these crappy spywares. Apparently it was after installing MSN Plus...? Maybe someone here knows if I can blame it on MSN Plus or whether it was just a coincidence?

Well, I've been at Short-Media and downloaded OmegaKiller 1.2. It deleted the annoying toolbar and the shortcuts on my desktop (casino/poker etc.) and also closed the 2 iexplorer processes that I couldn't close manually via Ctrl+Alt+Del.

I would say it was perfect if, after half an hour, the same problems hadn't reappeared again and again.

This is the OmegaKiller scan logfile:
Running pass number: 1

- enumerating modules
- Downloader.HC module found
c:\documents and settings\renato\configurações locais\temp\sta8d.exe
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\docume~1\renato\config~1\temp\sta8d.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- found infection: else admin
- deleted.
- found infection: else admin
- deleted.
- scanning executable variants

- scanning BHO's
- infected BHO: {E65FA501-7207-C1EF-B04D-B9B6AADF33ED}
- removed
- infected BHO: {E65FA501-7207-C1EF-B04D-B9B6AADF33ED}
- removed
- infected BHO: {E65FA501-7207-C1EF-B04D-B9B6AADF33ED}
- removed
- infected BHO: {E65FA501-7207-C1EF-B04D-B9B6AADF33ED}
- removed
- infected BHO: {E65FA501-7207-C1EF-B04D-B9B6AADF33ED}
- removed
- infected BHO: {E65FA501-7207-C1EF-B04D-B9B6AADF33ED}
- removed
- scanning toolbars


Running pass number: 2

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\arquiv~1\modema~1\tonsme~1.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- found infection: junk setup great internet
- deleted.
- found infection: junk setup great internet
- deleted.
- scanning executable variants

- scanning BHO's
- scanning toolbars


Running pass number: 3

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\arquiv~1\modema~1\tonsme~1.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants

- scanning BHO's
- scanning toolbars


Running pass number: 4

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- removing process startup key
- scanning startup processes
- scanning executable variants

- scanning BHO's
- scanning toolbars

- no infections found, system clean on pass number: 4 ...
- all done ...

help!? :bawling:

Comments

  • SpywareShooter, 127.0.0.1
    edited October 2004
    Please download HijackThis and post a log.
  • Zuma, Rio de Janeiro - Brazil
    edited October 2004
    Here:
    Logfile of HijackThis v1.97.7
    Scan saved at 15:02:59, on 8/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\ARQUIV~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\ARQUIV~1\NORTON~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Arquivos de programas\Messenger\MSMSGS.EXE
    C:\Arquivos de programas\Web Activity Monitor\wamtool.exe
    C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Arquivos de programas\lotus\organize\easyclip6.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
    c:\arquiv~1\intern~1\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Zuma\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppmajslzxibmcsnkqjltmaen.com/oCcmLrGgCYlrnapxpTQ6nXj5t6BkDLA_xju8cgYijjo.jpg
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jadahqaciocgbytatcuhzvuq.info/oCcmLrGgCYkEtBNh9WtCx6CODStWoAnyOq2G2YYIoScIbWlMYhEquZll1GRGohX6.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.8.86.60:6588
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {42DBA612-AF61-835E-3C90-79232997A01E} - C:\ARQUIV~1\CITYWE~1\exit dead.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - c:\arquivos de programas\lotus\organize\iehelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [WFXSwtch] C:\ARQUIV~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\ARQUIV~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=100904 serial=dr12wex-1403993-zhd lang=BP
    O4 - HKLM\..\Run: [Detector] C:\WINDOWS\twain_32\600X1200\Detector.exe
    O4 - HKLM\..\Run: [ref help] C:\ARQUIV~1\16ADMI~1\Wavethird.exe
    O4 - HKLM\..\Run: [thunk cake cool soft] C:\Documents and Settings\All Users\Dados de aplicativos\TonsLicenseThunkCake\Atom ace.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [httpmon] C:\Arquivos de programas\Web Activity Monitor\wamtool.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Arquivos de programas\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: Web Entry (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093372241078
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • SpywareShooter, 127.0.0.1
    edited October 2004
    Please upgrade to HijackThis version 1.98.2. It can detect items that 1.97.7 can't.
  • Zuma, Rio de Janeiro - Brazil
    edited October 2004
    Alright... :
    Logfile of HijackThis v1.98.2
    Scan saved at 02:45:02, on 9/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Arquivos de programas\AnalogX\Proxy\proxy.exe
    C:\WINDOWS\System32\svchost.exe
    c:\arquiv~1\intern~1\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\WinAce\WinAce.exe
    C:\Documents and Settings\Renato\Configurações locais\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ditcxpzincsiidpnhismpmlm.com//EWUWO3XyXXJMnc4/6Rz_mbZazKCeTjQpvAH5rr3bq0.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.aqchtyykaxpzpupblswfrl.com//EWUWO3XyXUBuCp7Yf9kmKTWVOLtjoaNpDQhl7yOAYl2rEcZksOYt2Xgcwmewes2.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {E65FA501-7207-C1EF-B04D-B9B6AADF33ED} - C:\ARQUIV~1\MOVEST~1\about fork.exe
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Arquivos de programas\RivaTuner\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=101504 serial=dr12wex-1403993-zhd lang=BP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ELSE ADMIN] C:\ARQUIV~1\MODEMA~1\tons media setup.exe
    O4 - HKLM\..\Run: [Junk setup great internet] C:\Documents and Settings\All Users\Dados de aplicativos\size close junk setup\Axis dart.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Arquivos de programas\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093917247625
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A652B0-A990-49C4-89C5-07822988C70B}: NameServer = 200.165.132.148 200.149.55.140
  • Zuma, Rio de Janeiro - Brazil
    edited October 2004
    Also, I'd like to know if MSN Plus is spyware-infested or whether it was just a coincidence, because I'm pretty sure I got this after installing MSN Plus...

    Thanks!
  • SpywareShooter, 127.0.0.1
    edited October 2004
    Messenger Plus 3 comes bundled with C2 Media (Lop.com) spyware.
  • SpywareShooter, 127.0.0.1
    edited October 2004
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ditcxpzincsiidpnhismpmlm...pvAH5rr3bq0.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.aqchtyykaxpzpupblswfrl.c...Xgcwmewes2.html
    O2 - BHO: (no name) - {E65FA501-7207-C1EF-B04D-B9B6AADF33ED} - C:\ARQUIV~1\MOVEST~1\about fork.exe
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [ELSE ADMIN] C:\ARQUIV~1\MODEMA~1\tons media setup.exe
    O4 - HKLM\..\Run: [Junk setup great internet] C:\Documents and Settings\All Users\Dados de aplicativos\size close junk setup\Axis dart.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
    O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    Fix those entries, then find and delete the files listed above.
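The helper's triage above (randomised start/search pages, an .exe registered as a BHO, an orphaned toolbar, autoruns from odd locations) can be mechanised. The following is an added example, not code from the thread or from HijackThis itself; the sample lines are constructed from the entries quoted above (paths shortened), and the heuristics are assumptions, not HijackThis's own logic:

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries the
# helper in this thread told the poster to fix (paths shortened, not a real log).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ditcxpzincsiidpnhismpmlm.com/x.htm",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.8.86.60:6588",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {E65FA501-7207-C1EF-B04D-B9B6AADF33ED} - C:\ARQUIV~1\MOVEST~1\about fork.exe",
    r"O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [ELSE ADMIN] C:\ARQUIV~1\MODEMA~1\tons media setup.exe",
    r"O4 - HKLM\..\Run: [Junk setup great internet] C:\Documents and Settings\All Users\Dados de aplicativos\size close junk setup\Axis dart.exe",
]

# Directories a legitimate autorun rarely lives in (English and Portuguese names).
APPDATA_DIRS = ("application data", "dados de aplicativos", "\\temp\\")

def host_of(url: str) -> str:
    m = re.search(r"https?://([^/\s]+)", url, re.I)
    return m.group(1).lower() if m else ""

def random_looking(host: str) -> bool:
    # The hijack hosts in the thread are long, letters-only labels; flag any
    # label of 16+ letters with no digits or hyphens (assumed heuristic).
    return any(len(label) >= 16 and label.isalpha() for label in host.split("."))

def triage_line(line: str) -> str:
    """Return a reason string if the entry looks like a hijack, else ''."""
    kind = line.split(" - ", 1)[0]
    low = line.lower()
    if kind in ("R0", "R1") and "= http" in low and random_looking(host_of(line)):
        return "start/search page points at random-looking host"
    if kind == "R1" and "proxyserver" in low:
        return "IE proxy forced via registry"
    if kind in ("O2", "O3", "O9") and low.endswith("(no file)"):
        return "orphaned entry (no file)"
    if kind == "O2" and low.endswith(".exe"):
        return "BHO registered as .exe (expected a COM .dll/.ocx)"
    if kind == "O4":
        path = line.split("] ", 1)[-1].lower()      # text after the [name]
        exe_dir, _, exe = path.rpartition("\\")
        if any(d in path for d in APPDATA_DIRS):
            return "autorun from Application Data / Temp"
        if "~1" in exe_dir and " " in exe:           # 8.3 dir + spaced name
            return "autorun with spaced filename in unknown short-named dir"
    return ""

def triage(lines):
    # Pair each suspicious log line with the reason it was flagged.
    return [(l, r) for l in lines if (r := triage_line(l))]
```

Run against the sample, six of the eight lines are flagged; the Acrobat BHO and the NVIDIA autorun pass as expected.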