IE Browser Hijacked

5 replies to this topic

#1 moccona


Posted 01 July 2004 - 03:35 AM

My homepage is constantly resetting itself to s1di.d8t.biz (going to that URL is most likely going to install some crap on your own computer. I've entered it just in case someone wants to know it when looking over my log.) The pest is a search engine site complete with contradictory pop-ups advertising anti-spyware programs >_<::)

I've run Ad-Aware, which seemed to identify it, yet despite deleting it, resetting and such, the homepage still persists (even if I change the settings in the Internet Options panel).

I'd like someone to read over my HijackThis log and help me remove the pest. (sidenote: this computer is running the Japanese version of Windows XP and thus has handwriting and keyboard programs installed that are not to be deleted)

Here is the log:
____________________________________________________________________

Logfile of HijackThis v1.98.0
Scan saved at 17:18:54, on 2004/07/01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7c\Disk_Monitor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sharp\PowerEJ\BIN\Fusen.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Sharp\PowerEJ\bin\SHMoa.exe
C:\PROGRA~1\Sharp\PowerEJ\bin\TLGrcJE4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Miyuki HORITA\Local Settings\Temp\hijackthis.zip の一時ディレクトリ 2\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13343293-D5FF-44CD-8535-DD2216707A4F} - C:\WINDOWS\System32\ajp.dll
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN ツールバー - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [{262CF15F-287A-4D26-8EAF-3B28BF7F018F}_UserSetup] C:\PROGRA~1\SHARP\PAGEDE~1\UserInit.exe
O4 - HKLM\..\Run: [DialApp] C:\Program Files\SHARP\mt\3.2\bin\DialMng.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7c\Disk_Monitor.exe
O4 - HKLM\..\Run: [Indicator] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7c\Indicator.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ここだけ翻訳.lnk = C:\Program Files\Sharp\PowerEJ\BIN\Fusen.exe
O8 - Extra context menu item: Bookshelfで検索(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: SHARP ぺたっ!翻訳 - res://C:\Program Files\Sharp\PowerEJ\BIN\QuickTrans.ocx/234
O8 - Extra context menu item: SHARP 英文読み上げ - res://C:\Program Files\Sharp\PowerEJ\BIN\QuickTrans.ocx/235
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ぺたっ!翻訳 - {4656E186-A680-11D3-8B9B-00C04FBC64EC} - res://C:\Program Files\Sharp\PowerEJ\BIN\QuickTrans.ocx/234 (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: 翻訳これ一本 - {4656E186-A680-11D3-8B9B-00C04FBC64EC} - res://C:\Program Files\Sharp\PowerEJ\BIN\QuickTrans.ocx/234 (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O18 - Filter: text/html - {CC4D32F4-F750-4FDD-A922-A72622CB2BAC} - C:\WINDOWS\System32\ajp.dll
O18 - Filter: text/plain - {CC4D32F4-F750-4FDD-A922-A72622CB2BAC} - C:\WINDOWS\System32\ajp.dll
____________________________________________________________________

Thanks for all your help.
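HijackThis only lists the hook points; deciding which entries matter is left to the reader. The pattern in the log above, the same `ajp.dll` registered as a nameless O2 BHO and as O18 MIME filters for text/html and text/plain, is the kind of thing that can be checked mechanically. What follows is an added example, not code from this thread, from HijackThis or from any of the tools named here: a small Python parser for the `Onn - ...` line format plus a few defensive heuristics of my own (unnamed BHO, text/* MIME filter, registration pointing at a missing file, one module present at several hook points). The log excerpt is a constructed subset of the log in the post; the heuristic names and thresholds are this example's assumptions, not HijackThis's own classification.

```python
import re
from collections import defaultdict

# Constructed subset of the HijackThis log posted above; the O2/O18 lines
# are the ones that matter for this example, the rest give benign contrast.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {13343293-D5FF-44CD-8535-DD2216707A4F} - C:\WINDOWS\System32\ajp.dll",
    r"O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE",
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE",
    r"O9 - Extra 'Tools' menuitem: 翻訳これ一本 - {4656E186-A680-11D3-8B9B-00C04FBC64EC} - res://C:\Program Files\Sharp\PowerEJ\BIN\QuickTrans.ocx/234 (file missing) (HKCU)",
    r"O18 - Filter: text/html - {CC4D32F4-F750-4FDD-A922-A72622CB2BAC} - C:\WINDOWS\System32\ajp.dll",
    r"O18 - Filter: text/plain - {CC4D32F4-F750-4FDD-A922-A72622CB2BAC} - C:\WINDOWS\System32\ajp.dll",
]

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in a loadable module; the lazy match stops at the
# module name, so trailing "(file missing)" / "(HKCU)" markers are excluded.
PATH_RE = re.compile(r"([A-Za-z]:\\[^()]*?\.(?:dll|ocx|exe))", re.IGNORECASE)


def parse_entry(line):
    """Split one 'Onn - ...' line into section, body, CLSID, module path and flags.

    Returns None for lines that are not hook entries (header, process list, blanks).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return {
        "section": section,
        "body": body,
        "clsid": clsid.group(0).upper() if clsid else None,
        "path": path.group(1).lower() if path else None,
        "file_missing": "(file missing)" in body,
    }


def analyze(lines):
    """Return {module path: [reasons]} for entries that deserve a closer look.

    Heuristics (this example's own assumptions, not HijackThis rules):
      * an O2 BHO registered with no display name;
      * an O18 MIME filter on text/html or text/plain, which sits in the path
        of every page IE renders and is where content rewriting can happen;
      * a registration whose target file is missing (dead hook, still noise);
      * one module registered from several hook points at once.
    """
    entries = [e for e in map(parse_entry, lines) if e]
    sections_by_path = defaultdict(set)
    findings = defaultdict(list)
    for e in entries:
        key = e["path"] or e["body"]
        if e["path"]:
            sections_by_path[e["path"]].add(e["section"])
        if e["section"] == "O2" and "(no name)" in e["body"]:
            findings[key].append("O2: BHO registered without a display name")
        if e["section"] == "O18" and e["body"].startswith("Filter: text/"):
            mime = e["body"].split(" - ")[0].split(": ", 1)[1]
            findings[key].append(f"O18: MIME filter on {mime} sees every page IE renders")
        if e["file_missing"]:
            findings[key].append(f"{e['section']}: registered file is missing")
    for path, sections in sections_by_path.items():
        if len(sections) > 1:
            findings[path].append(
                "registered from several hook points: " + ", ".join(sorted(sections))
            )
    return dict(findings)


if __name__ == "__main__":
    # Run on a full saved log with: analyze(open("hijackthis.log", encoding="utf-8").read().splitlines())
    for module, reasons in analyze(SAMPLE_LOG).items():
        print(module)
        for reason in reasons:
            print("   ", reason)
```

On the excerpt this reports `ajp.dll` four times over (nameless BHO, two text/* filters, and presence at both O2 and O18) and the missing QuickTrans.ocx once, while the Adobe BHO, the SiS tray launcher and the Messenger button stay quiet. The same-module-at-several-hook-points rule is the one that turns two individually ambiguous lines into a single clear candidate, which is the observation a human reviewer makes when reading the O2 and O18 lines together.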

#2 r50


Posted 01 July 2004 - 03:43 AM

Sistray.exe is not right. That program is probably giving you problems.

Sounds like you've got the Prova.Trojan.

Symantec definition

Edited by r50, 01 July 2004 - 03:44 AM.


#3 moccona


Posted 01 July 2004 - 04:50 AM

If I have this Trojan infecting my computer, what is the most recommended way of removing it?

Do I simply delete (fix checked) the sistray.EXE via HijackThis?

The Symantec definition of the trojan is very long and complex... What should I do?

#4 Rootkit


Posted 01 July 2004 - 05:05 AM

Hi, moccona

No, do not remove that; it may be needed.

System Tray icon for SiS based graphics. Note - this resides in C:\Windows\System

Hold till someone has more info for you.

G'day :bounce:

#5 moccona


Posted 01 July 2004 - 05:10 AM

Thanks Rootkit, I'm waiting for someone to give me more assistance ;D

Can anyone help me?? :wtf:

Edited by moccona, 01 July 2004 - 06:03 AM.


#6 moccona


Posted 02 July 2004 - 01:59 AM

I really do not believe the concept of 'the longer your post is left here, the quicker/better the chance of a reply'. My query is now on page 12.

However, I worked it out by myself.

Although my problem was a common 'about:blank' malware infecting my computer and screwing with my homepage, I found the actual URL of the culprit anyway: just a bunch of numbers and crap. I ran CoolWeb Shredder, which picked up about five or so CWS, and I quickly erased them. I ran Ad-Aware again, which had previously always been picking up around 8 random reg key and file malware, yet this time only one was detected: 'about:blank'. I erased it and have had no problems with my browser since then.

However, as quickly as they go, they return.

I came across some malicious webpage which gave me some random search toolbar and such and changed some settings. I cleared off all cookies, erased history and other crap and ran CoolWeb Shredder; it gave me a warning telling me that a CWS was trying to stop me from running CoolWeb Shredder, but said it was functioning normally and proceeded to scan. It picked up a few random CWSs which I then deleted. I then ran Ad-Aware which detected (no shit) 93 reg key values/folders/files/etc. I deleted them all off my computer and have had no problems ever since.

Just for anyone who wants to know, the malware were called:
'istbar' and '180solutions'

Guess it just pays to be careful which websites you go to. In my case, clicking on non-suspicious links to pages I want to view via Yahoo/google web searches is what got me.




Support SpywareInfo Forum - click the button