kcates

hijacker is back, starting new thread

17 posts in this topic

Hi,

 

I was working with rubber ducky last night. Ducky had me clean up things with Hijack This and remove items in the temp directory via "local settings". Everything looked fine at the time, but the "thing" has come back many times since then.

 

Some observations:

 

1. At some point later, I'll open Outlook, or Norton Antivirus, etc., and I'll get a "virtual memory low" message. That generally tells me that it has returned (i.e. if I run Hijack This, it's there).

 

2. When running Hijack This, I started noticing the '&' character appearing in the name string of BHOs like Google Toolbar (e.g. "Google T&oolbar"), as if it was being "marked". I've since removed all such things in Hijack This.

 

3. This thing seems to recognize anti-hijack tools and disables them. I'm running "Browser Hijack Blaster" and it was working initially but now fails to warn me when something has changed. I also have it set to start on system boot and it doesn't. I also mentioned last night that I installed SpywareBlaster and it has never run. I always get a "this program is corrupted..." message.

 

4. Along the same line, when I first started looking at this, I noticed that there was a notepad.exe.bak file, as if maybe someone made a backup and rewrote the notepad.exe file. Given that Hijack This loads the log into notepad, I thought it may be playing with the file. I replaced notepad.exe with a known good copy.

 

5. I could easily think I imagined this, but when I started the browser just now, a small icon appeared on the task bar, to the right of the browser, for just a moment. It looked like a pale yellow square, with a crack running through it. That's the best I can describe it. I've never seen it before.

 

6. At the moment, Hijack This is clean.

 

Any ideas? I'm about to go insane... :-)

 

Thanks,

Ken


Just did netstat and noticed this, not sure what it means

 

Proto Local Address Foreign Address State

TCP mothership:netbios-ssn 192.168.1.101:3754 ESTABLISHED

TCP mothership:1128 192.168.1.101:netbios-ssn ESTABLISHED


And this!!! That last one (host06) displays the search engine page and pop ups that your system is infected...

 

Proto Local Address Foreign Address State

TCP mothership:1205 192.168.1.101:netbios-ssn TIME_WAIT

TCP mothership:1206 192.168.1.101:netbios-ssn TIME_WAIT

TCP mothership:1209 host06.ipslink.com:http ESTABLISHED

TCP mothership:1210 host06.ipslink.com:http ESTABLISHED

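The two netstat listings above are doing triage by eye: LAN traffic to 192.168.1.101 on netbios-ssn is file sharing and is expected, the two ESTABLISHED connections to host06.ipslink.com:http are not. The script below, which is an added example and not something posted in the thread, automates that split. It parses the listing as Windows XP netstat prints it, treats RFC 1918 and loopback addresses as local, and reports every foreign host outside that set together with the local ports talking to it. The sample listing is constructed from the lines quoted in the posts, and the assumption that "mothership" is the poster's own machine name is made because it appears on the local side of every line.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the rows are the ones quoted in the posts above,
# joined into one listing with the header netstat prints on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mothership:netbios-ssn 192.168.1.101:3754     ESTABLISHED
  TCP    mothership:1128        192.168.1.101:netbios-ssn ESTABLISHED
  TCP    mothership:1205        192.168.1.101:netbios-ssn TIME_WAIT
  TCP    mothership:1206        192.168.1.101:netbios-ssn TIME_WAIT
  TCP    mothership:1209        host06.ipslink.com:http ESTABLISHED
  TCP    mothership:1210        host06.ipslink.com:http ESTABLISHED
"""

# RFC 1918 ranges plus loopback: anything else is outside the house.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
# Assumption: "mothership" is the poster's own machine name.
LOCAL_NAMES = {"localhost", "mothership"}


def split_endpoint(endpoint: str):
    """'host06.ipslink.com:http' -> ('host06.ipslink.com', 'http')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_local(host: str) -> bool:
    """True for our own names and for private/loopback addresses."""
    if host.lower() in LOCAL_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name that is not ours: treat as remote
    return any(addr in net for net in LOCAL_NETS)


def parse_netstat(text: str):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def external_peers(text: str):
    """Map each non-local foreign host to the (local port, remote port, state)
    tuples seen for it. TIME_WAIT rows are kept on purpose: a connection
    that has already closed still proves the machine reached out."""
    peers = defaultdict(set)
    for row in parse_netstat(text):
        if not is_local(row["fhost"]):
            peers[row["fhost"]].add((row["lport"], row["fport"], row["state"]))
    return dict(peers)


if __name__ == "__main__":
    for host, conns in external_peers(SAMPLE_NETSTAT).items():
        print(host)
        for lport, fport, state in sorted(conns):
            print(f"  local {lport} -> {host}:{fport} ({state})")
```

Running it over the sample reports a single external peer, host06.ipslink.com, reached from local ports 1209 and 1210. On Windows XP, `netstat -ano` prints numeric addresses plus the owning process ID in an extra column; feeding that output through the same parser (the PID lands in `parts[4]`) answers the question raised later in the thread of whether the browser or a separate process is the one making these connections.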

Okay, I've figured out that something remaining on my PC is connecting out to various servers to re-infect the PC. If I put the addresses in the restricted list of IE, will that affect all outgoing accesses? Do all outgoing accesses use IE functionality?


Clean at the moment. I just blocked an attempt to install a BHO called "die.dll" (that's pretty scary...)

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:54:26 PM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

D:\Program Files\Common Files\Symantec Shared\ccApp.exe

D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\Norton AntiVirus\navapsvc.exe

d:\Program Files\qbooks\online backup\OLRegCap.EXE

D:\Program Files\Norton AntiVirus\SAVScan.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

D:\WINDOWS\System32\MsPMSPSv.exe

D:\WINDOWS\system32\cmd.exe

D:\Program Files\Browser Hijack Blaster\bhblaster.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Messenger\msmsgs.exe

D:\Documents and Settings\Ken\Desktop\HijackThis.exe

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)


Ok rerun About:Buster in Safe Mode. Check if you have v 1.21.

 

Once done, reboot and disable all protection. Open IE. Tell me if it reinstalls the hijack or if it's gone.

 

Now don't forget to re-enable all protection.


If you mean when their BHO is installed, it takes me to some generic search page and starts popping windows that say "your system is infected, click here for software to get rid of it" or something like that. Actually, it's the "host06.ipslink.com" site I mentioned above. You can't tell that from the window, but I saw that address in netstat and connected to see what it was (yikes!)

 

Since then, I've been monitoring netstat and my linksys outbound log and have spotted a number of addresses that it connects to.

 

What I don't understand is - is this something that happens only when I have the browser open, or is there an independent process running to cause it? I haven't tried monitoring netstat with the browser closed yet...


come to think of it, since it keeps trying to connect to host6.whatever, that string must be in a file somewhere. I'm searching all .dlls now to see if I can find it...

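Searching every DLL for the literal string "host06" has a catch that a plain text search misses: Windows binaries commonly store strings as UTF-16LE (each ASCII character followed by a 0x00 byte), so a file can contain the host name without the bytes "host06" ever appearing contiguously. The script below is an added example, not the poster's search, and shows how to look for the name in both encodings, case-insensitively, across a directory tree. The three "DLL" files it scans are constructed in a temporary directory purely to exercise the search; no real Windows binary is involved.

```python
import tempfile
from pathlib import Path

NEEDLE = "host06.ipslink.com"
BINARY_SUFFIXES = (".dll", ".exe", ".ocx", ".sys")


def needle_patterns(needle: str):
    """The same text as it appears in a narrow and in a wide (UTF-16LE) string."""
    return {
        "ascii": needle.encode("ascii"),
        "utf-16le": needle.encode("utf-16-le"),
    }


def find_in_bytes(blob: bytes, needle: str, ignore_case: bool = True):
    """Return (encoding, offset) for every occurrence of needle in blob.

    bytes.lower() only touches ASCII letters, so lowering a UTF-16LE
    pattern leaves its 0x00 bytes intact and the comparison stays exact.
    """
    hay = blob.lower() if ignore_case else blob
    hits = []
    for label, pattern in needle_patterns(needle).items():
        pat = pattern.lower() if ignore_case else pattern
        idx = hay.find(pat)
        while idx != -1:
            hits.append((label, idx))
            idx = hay.find(pat, idx + 1)
    return hits


def scan_tree(root, needle: str, suffixes=BINARY_SUFFIXES):
    """Walk root and report files containing needle in either encoding."""
    found = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in suffixes):
            continue
        try:
            hits = find_in_bytes(path.read_bytes(), needle)
        except OSError:
            continue  # locked or unreadable, e.g. a DLL a process holds open
        if hits:
            found[path.name] = hits
    return found


def build_demo_tree(root) -> None:
    """Constructed sample files standing in for a directory of binaries."""
    root = Path(root)
    # Wide string, as a Unicode literal or resource string would be stored;
    # note the mixed case, which a case-sensitive search would also miss.
    (root / "helper.dll").write_bytes(
        b"MZ" + b"\x00" * 14 + "HOST06.ipslink.com".encode("utf-16-le") + b"\x00\x00")
    # Narrow string inside a URL.
    (root / "loader.exe").write_bytes(
        b"MZ" + b"\x90" * 5 + b"http://host06.ipslink.com/x" + b"\x00")
    # Unrelated binary: no hit.
    (root / "clean.ocx").write_bytes(b"MZ" + b"\x00" * 32)
    # Wrong suffix: skipped even though it contains the string.
    (root / "notes.txt").write_bytes(b"host06.ipslink.com")


def demo():
    """Build the sample tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp, NEEDLE)


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(name, hits)
```

On the sample tree it reports helper.dll (wide string at offset 16) and loader.exe (narrow string at offset 14) and nothing else. A string that is only built at runtime, or stored obfuscated, will not be found this way; that is the limit of the technique, not a sign the file is clean.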

this search is going to take forever...

 

At least putting the address in the IE restricted list seems to be helping since I've seen it connect to host6.whatever several times since then and it doesn't seem to be able to download anything... a small victory...


What's your hosts file look like?

 

Open Spybot Search and Destroy, go to Tools and hit Hosts File. See if there are entries in there other than localhost.

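The hosts file check asked for above is worth spelling out, because a hijacker's edit to it takes one of two shapes: a name mapped to 127.0.0.1 (or 0.0.0.0) so the site can never be reached, typically an antivirus vendor or update server, or a name mapped to some other address so a different machine answers for it. The script below is an added example, not part of the thread, that parses a Windows-style hosts file and classifies every entry other than the stock localhost line. The sample file is constructed: its header is the one an XP hosts file opens with, and the entries after localhost use reserved example names and a TEST-NET address rather than anything seen on the poster's machine. The `block_line` helper shows the legitimate use of the same mechanism, which is what the poster is reaching for with the IE restricted list.

```python
import ipaddress

# Constructed sample hosts file. Everything after the localhost line is
# made up to show the two shapes a hijacker's edit takes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       antivirus-updates.example.com   # vendor site sinkholed
0.0.0.0         securityresponse.example.com
192.168.1.101   update.example.net
203.0.113.5     www.example-search.com www.example-search.net
"""


def parse_hosts(text: str):
    """Yield (line number, address, name) for every mapping in the file.

    Comments start at '#', blank lines are skipped, and one line may map
    several names to the same address, as the hosts format allows.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping; ignore rather than guess
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text: str):
    """Return (line number, name, reason) for every entry that is not the
    stock localhost mapping, classified as sinkholed or redirected."""
    flagged = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost" and addr.is_loopback:
            continue  # the one line a clean XP hosts file is expected to have
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed: resolves to this machine, so the site is unreachable"
        else:
            reason = f"redirected: {addr} answers for this name instead of DNS"
        flagged.append((lineno, name, reason))
    return flagged


def block_line(hostname: str) -> str:
    """The entry you would add yourself to keep a known bad host unreachable."""
    return f"127.0.0.1\t{hostname}"


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name}: {reason}")
    print("to block the host seen in netstat:", block_line("host06.ipslink.com"))
```

On XP the file lives at %SystemRoot%\system32\drivers\etc\hosts and is consulted before DNS by every program that resolves names, which is why a hosts entry for host06.ipslink.com blocks all processes on the box, whereas IE's Restricted Sites zone only changes what Internet Explorer (and programs embedding its browser control) will allow content from that site to do. For the same reason it is a favourite target of hijackers, so re-check it after every cleanup.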