home page take over by spyware help

mtews

Following is a log created by HijackThis. Hopefully someone can look at this and tell me what to delete, or direct me where to post this and how.
Thanks, mtews

Logfile of HijackThis v1.97.7
Scan saved at 7:42:49 PM, on 1/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mr Buzzard's Mom\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.51/find4u/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: winlogon.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11111111-1111-1111-1111-113653602075} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF6965B7-5AE5-4253-9D46-BDB1742379A8}: NameServer = 208.13.143.36 199.2.252.10
 
H Leboeuf

mtews said:
Following is a log created by HijackThis. Hopefully someone can look at this and tell me what to delete, or direct me where to post this and how.
Thanks, mtews
SMSS trojan
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.f.html
--
Winlogon
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hazzer.html

lsass.exe
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.ratsou.b.html


Did not check the others. Remove the trojans from your system.

Henri Leboeuf
Web page: http://www.generation.net/~hleboeuf/index.htm
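A defender-side triage pass over log lines of this shape, added here as an example; it is not code from either poster and not part of HijackThis. It applies the checks a forum helper runs by eye: a core Windows process name (smss.exe, winlogon.exe, lsass.exe, services.exe, svchost.exe) is expected to run only from %SystemRoot%\System32, so the same name in a Startup folder or any other directory is flagged while the System32 copies are left alone; R0/R1 browser settings whose host is a bare IP address, an O16 download that points at an .exe, and the O17 name servers are surfaced for review rather than judged. The sample lines are copied from the log posted in this thread; the rule names, the core-process list and the `triage()` helper are this example's own.

```python
"""Heuristic triage of HijackThis-style log lines (added example)."""
import ipaddress
import ntpath
import re
from urllib.parse import urlparse

# Image names of Windows core processes.  A genuine copy runs from
# %SystemRoot%\System32; the same file name anywhere else deserves a look.
CORE_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM32_DIR = r"c:\windows\system32"

# Sample copied from the log in this thread (abridged).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.51/find4u/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://69.50.184.51/find4u/sp.htm
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - Global Startup: winlogon.exe
O16 - DPF: {11111111-1111-1111-1111-113653602075} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF6965B7-5AE5-4253-9D46-BDB1742379A8}: NameServer = 208.13.143.36 199.2.252.10
"""

R_ENTRY = re.compile(r"^(R[01]) - (.+?) = (\S+)")          # browser settings
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.+)$")     # Startup-folder items
O16_DPF = re.compile(r"^O16 - DPF: (\{[^}]+\}) - (.+)$")    # downloaded program files
O17_DNS = re.compile(r"^O17 - .*NameServer = (.+)$")        # DNS server overrides
HTTP_URL = re.compile(r"https?://\S+")


def host_is_raw_ip(url):
    """True when the URL's host is a bare IPv4/IPv6 address, not a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def running_processes(lines):
    """Yield image paths from the 'Running processes:' block."""
    in_block = False
    for line in lines:
        if line.strip() == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            yield line.strip()


def triage(log_text):
    """Return a list of findings; each is a dict with 'rule' and 'item'."""
    lines = log_text.splitlines()
    findings = []
    for image in running_processes(lines):
        name = ntpath.basename(image).lower()
        # ntpath splits Windows paths correctly even when run on Linux.
        if name in CORE_PROCESS_NAMES and ntpath.dirname(image).lower() != SYSTEM32_DIR:
            findings.append({"rule": "core-name-outside-system32", "item": image})
    for line in lines:
        m = R_ENTRY.match(line)
        if m and host_is_raw_ip(m.group(3)):
            findings.append({"rule": "browser-setting-raw-ip", "item": m.group(2), "target": m.group(3)})
            continue
        m = O4_STARTUP.match(line)
        if m and m.group(1).strip().lower() in CORE_PROCESS_NAMES:
            findings.append({"rule": "startup-core-name", "item": m.group(1).strip()})
            continue
        m = O16_DPF.match(line)
        if m:
            url = HTTP_URL.search(m.group(2))
            if url and url.group(0).lower().endswith(".exe"):
                findings.append({"rule": "dpf-executable", "item": url.group(0)})
            continue
        m = O17_DNS.match(line)
        if m:
            findings.append({"rule": "dns-servers", "item": m.group(1).strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["rule"], "->", f["item"], f.get("target", ""))
```

The output is a review list, not a verdict: the System32 entries for smss.exe, winlogon.exe and lsass.exe produce no finding because they sit where those processes belong, while the winlogon.exe in the All Users Startup folder, the four search settings pointing at 69.50.184.51, the O16 item fetching f10213.exe and the two O17 name servers are each surfaced once so the log's owner can check them against a vendor write-up before deleting anything.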
 