Options

dloader-cx trojan and hijacked desktop

Unknown
edited May 2005 in Spyware & Virus Removal
OK, I have sorted out many trojans and viruses but this one has me beat.

1) Sophos reports that I have the trojan dloader-cx (this keeps reappearing after every removal)
2) the desktop has been hijacked and has a black box with a blue background. The black box has text that says " windows error. System has detected spyware etc... I cannot change the desktop in the control panel.
3) I cannot select the task manager to see what services are currently running.

Here is the Hijack this log

Logfile of HijackThis v1.98.2
Scan saved at 19:32:18, on 19/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svhost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
c:\windows\system32\hhdzbl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\User1\Application Data\oaom.exe
C:\WINDOWS\System32\??curity\regsvr32.exe
C:\WINDOWS\System32\pd33.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\WINDOWS\System32\imapi.exe
F:\Security\hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [akcvzm] c:\windows\system32\hhdzbl.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Csrp] C:\Documents and Settings\User1\Application Data\oaom.exe
O4 - HKCU\..\Run: [Zqdkgdu] C:\WINDOWS\System32\??curity\regsvr32.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

Aaaargh! Help!

Comments

  • SpywareShooterSpywareShooter 127.0.0.1
    edited May 2005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\Run: [akcvzm] c:\windows\system32\hhdzbl.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O4 - HKCU\..\Run: [Csrp] C:\Documents and Settings\User1\Application Data\oaom.exe
    O4 - HKCU\..\Run: [Zqdkgdu] C:\WINDOWS\System32\??curity\regsvr32.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\pd33.exe
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.ysbweb.com

    Fix those entries then find and delete these files:
    C:\WINDOWS\System32\kernels32.exe
    C:\WINDOWS\System32\svhost.exe
    c:\windows\system32\hhdzbl.exe
    C:\WINDOWS\System32\win32.exe
    C:\Documents and Settings\User1\Application Data\oaom.exe
    C:\WINDOWS\System32\??curity\regsvr32.exe
    C:\WINDOWS\System32\pd33.exe

    Then reboot your computer and post a new log.
  • super snake
    edited May 2005
    ok, i have fixed all the items and searched for the items to delete. however, some of them do not seem to exist. of those that did i used 'move on boot' to get rid of them. I also used numerous spy ware removers in safe mode.

    What concerns me is that even in safe mode I cannot access the task manager.!!

    Here is the latest hijack this file:

    Logfile of HijackThis v1.98.2
    Scan saved at 23:04:03, on 20/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    F:\Security\hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Pinnacle Scheduler.lnk = ?
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab


    My desktop still has the windows error dektop hijack on it!!!!!!
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    If you still need help with this problem please post a new hijackthis log.
  • super snake
    edited May 2005
    OK, my desktop was hijacked and the internet was screwed, so I installed a fresh updated copy of f-secure. It says there are hundreds of trojans all over the place in system files that have been replaced. Even if I can remove the trojans its only gonna screw the system up as I dont have the service pack 1 disk that it requires to replace these files with the original ones.

    I'm gonna reinstall tonight.

    F##king spyware and viruses! What we need is a whle new way of coding software and hard drives to avoid this. As it stands I'm spending more time fixing the computer that learning on it.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    So....do you still need help, or can I close this thread?
Sign In or Register to comment.