TechSpot

Some sort of Trojan that I've never seen before. A challenge lies ahead...

By purduegrad
Dec 19, 2004
Topic Status:
Not open for further replies.
  1. This computer has not been online for over a year...until yesterday. At which time popups abound. And then the page that you are viewing will automatically change without warning. I've never seen that before. The homepage isn't hijacked, it just changes instantly. I've run Spybot Search & Destroy, CWShredder and HijackThis...my log file is below. As always, any help is greatly appreciated.

    Well...I tried to post my log file but it said my post had 1 or more URLs and that they must be removed before posting....?

    Logfile of HijackThis v1.98.2
    Scan saved at 11:33:36 AM, on 12/19/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.espn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    O1 - Hosts: 207.44.240.65 ads.x10.com
    O1 - Hosts: 207.44.240.65 images.x10.com
    O1 - Hosts: 207.44.240.65 count.exitexchange.com
    O1 - Hosts: 207.44.240.65 servedby.netadvertising.com
    O1 - Hosts: 207.44.240.65 images.trafficmp.com
    O1 - Hosts: 207.44.240.65 ad.uk.doubleclick.net
    O1 - Hosts: 207.44.240.65 ad.ca.doubleclick.net
    O1 - Hosts: 207.44.240.65 ads.specificpop.com
    O1 - Hosts: 207.44.240.65 ads.specificclick.com
    O1 - Hosts: 207.44.240.65 ads.popupsponsor.com
    O1 - Hosts: 207.44.240.65 adfarm.mediaplex.com
    O1 - Hosts: 207.44.240.65 media.fastclick.net
    O1 - Hosts: 207.44.240.65 media1.fastclick.net
    O1 - Hosts: 207.44.240.65 media19.fastclick.net
    O1 - Hosts: 207.44.240.65 media28.fastclick.net
    O1 - Hosts: 207.44.240.65 media29.fastclick.net
    O1 - Hosts: 207.44.240.65 media39.fastclick.net
    O1 - Hosts: 207.44.240.65 adserv.internetfuel.com
    O1 - Hosts: 207.44.240.65 www.satellitepop.com
    O1 - Hosts: 207.44.240.65 count.exitexchange.com
    O1 - Hosts: 207.44.240.65 z1.adserver.com
    O1 - Hosts: 207.44.240.65 view.atdmt.com
    O1 - Hosts: 207.44.240.65 servedfor.valuead.com
    O1 - Hosts: 207.44.240.65 banners.valuead.com
    O1 - Hosts: 207.44.240.65 img.mediaplex.com
    O1 - Hosts: 207.44.240.65 ln.doubleclick.net
    O1 - Hosts: 207.44.240.65 m2.doubleclick.net
    O1 - Hosts: 207.44.240.65 m.doubleclick.net
    O1 - Hosts: 207.44.240.65 ad.doubleclick.net
    O1 - Hosts: 207.44.240.65 media28.fastclick.net
    O1 - Hosts: 207.44.240.65 media39.fastclick.net
    O1 - Hosts: 207.44.240.65 media.fastclick.net
    O1 - Hosts: 207.44.240.65 popuptraffic.com
    O1 - Hosts: 207.44.240.65 leader.linkexchange.com
    O1 - Hosts: 207.44.240.65 rad.msn.com
    O1 - Hosts: 207.44.240.65 view.atdmt.com
    O1 - Hosts: 207.44.240.65 iv.doubleclick.net
    O1 - Hosts: 207.44.240.65 focusin.ads.targetnet.com
    O1 - Hosts: 207.44.240.65 a.tribalfusion.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
  2. Didou

    Didou Bowtie extraordinair! Posts: 5,899

    One thread on the same subject should suffice.
  3. purduegrad

    purduegrad Newcomer, in training Topic Starter

    One thread per same subject

    Didou, are you bored? And...are you kidding? There's actually two different subjects. And 1 community member may be interested in one of the subjects and not the other. So the second item was listed, perhaps to evoke a response. But I'm glad to see you're on top of things. What a meaningful life.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Go to my post here: http://www.techspot.com/vb/topic17297.html and follow the instructions, it is all in there.
    Also, uninstall this STOPZILLA! and SPYWARE DOCTOR stuff.
    Adaware and Spybot are more than capable!
    If you use Firefox, it has one of the best popup-stoppers.

    And be nice to Didou.
  5. Gunny

    Gunny Newcomer, in training Posts: 79

    Also, in Spybot there is an option to prevent your homepage being changed by anything.