HJT log..


Jason1971
11-15-2004, 11:58 PM
Hello all,

One of the doctors I work with is having trouble with his websites getting hijacked. Here is what I've done: ran Ad-Aware and Spybot S&D. Ad-Aware found nothing too bad and it was able to delete the files that were detected. Now Spybot S&D found something called "X-Demon (with something written in German)" and Spybot was unable to remove it. So I went into the registry and removed what I could. But this did not stop the problem. So the only thing I can think to do is post an HJT log. Any input would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 8:16:18 PM, on 11/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastseeker.com/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\POPUPW~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &FastSeeker Search - res://C:\Program Files\FastSeeker\FastSeekerToolbar011203.dll/cmsearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Exploder - http://download.games.yahoo.com/games/clients/y/vtk_x.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlsi.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central.clevercontent.com/02030035/cccabs/CleverContent.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://com-ns01.osu-com.okstate.edu/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/23da24da595b0a1a8b04/netzip/RdxIE.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23433cad66a70f5ab305/netzip/RdxIE6.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://ftp.autodesk.com/pub/mapguide/viewer/mgaxctrl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37911.3333564815
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Budfred
11-16-2004, 12:27 AM
You are running an old version of HJT so some things may be missed... Download 1.98.2 and use it to post back after these fixes....

Open HJT and click on Scan, check these items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastseeker.com/search.html
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/23da24da595b0a...etzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23433cad66a70f...tzip/RdxIE6.cab

Close all open windows except HJT and click Fix Checked....

Then reboot and post a fresh log....
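The three kinds of entry Budfred picked out (a Search key pointing off to a third party or left empty, Hosts lines that redirect a real domain to some other address, and DPF ActiveX downloads fetched from a bare IP) can be checked mechanically. This is an added example, not code from the thread or from HijackThis: a small Python triage over constructed lines in the HJT v1.97 format modelled on the ones above; the trusted-suffix list and the rules themselves are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on the entries in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastseeker.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/23da24da595b0a1a8b04/netzip/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
"""

# Assumption: IE's stock search endpoints live under these domains.
TRUSTED_SEARCH_SUFFIXES = ("msn.com", "microsoft.com")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts-file blocks, not redirects


def triage(log_text):
    """Return (section, reason, line) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O1":
            # A Hosts entry that sends a real domain somewhere other than loopback.
            m = re.match(r"O1 - Hosts: (\S+)\s+(\S+)", line)
            if m and m.group(1) not in LOOPBACK:
                findings.append((section, f"{m.group(2)} redirected to {m.group(1)}", line))
        elif section in ("R0", "R1") and "\\Search," in line:
            # Search,* keys: empty or pointing at a non-Microsoft host.
            value = line.split("=", 1)[1].strip()
            host = urlparse(value).hostname or ""
            if not value or not host.endswith(TRUSTED_SEARCH_SUFFIXES):
                findings.append((section, f"search key set to '{value or '(empty)'}'", line))
        elif section == "O16":
            # ActiveX (DPF) control downloaded from a raw IP rather than a named host.
            m = re.search(r"https?://([^/\s]+)", line)
            if m and IP_LITERAL.match(m.group(1)):
                findings.append((section, f"ActiveX download from raw IP {m.group(1)}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```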

Jason1971
11-16-2004, 12:43 AM
Thank you sir... Will do..


Jason

Jason1971
11-23-2004, 10:36 PM
Budfred, just wanted to say thank you for your advice. You, once again, solved another problem and made me look like the big hero.. Don't get me wrong, I gave you full credit for the cure. Here is the proof. An email between myself and Dr. Bryan:

"Dr.B,
Here is the link to your HJT log. Thought you might like to see what is being said about your HJT log...
http://www.pcguide.com/vb/showthread.php?t=33349


Jason" Monday, November 15, 2004 23:56 PM

"Jason,
Thanks for posting. I think the demon was Z-Demon.
Dr. B" Tuesday, November 16, 2004 10:56 AM


Once again, thank you Budfred...

Jason

Budfred
11-23-2004, 10:52 PM
Thanks... Feel free to take credit though... :p :p