
"Sexxx" dialer and http://64.237.41.215/ homepage



#1 somecallmegoo (New Member, 1 post)

Posted 01 July 2004 - 06:26 PM

Hello - please help as I am a novice and a half.

Surfing where I shouldn't have. And picked up some bugs.

The first is that my homepage has been hijacked. Every time I turn on the computer it goes to http://64.237.41.215/


The second problem is that a porn dialer seems to have stuck itself onto my "start" menu. It's an icon of part of a woman's face.

Now I ran Ad-Aware as suggested. It sure cleaned out quite a bit. Now the porn dialer icon does not appear to be recognized in the start menu (no graphic icon, but still the "sexxx" file). When you look on the C: drive, the icon is still there. File name 123029.

Any help would be greatly appreciated. Here is my HijackThis log. Thanks in advance:


Logfile of HijackThis v1.97.7
Scan saved at 6:27:07 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\win.exe
C:\documents and settings\criegel\local settings\temp\L8F.exe
C:\documents and settings\criegel\local settings\temp\I2h.exe
C:\May17_loader.exe
C:\WINDOWS\System32\IEHost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\Jil1.exe
C:\WINDOWS\System32\Qpaae5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\criegel\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://technomic/Intranet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.101/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.101/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.101/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.101/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HTTP://TECHNOMIC:80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://technomic/Intranet
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\System32\wer1306.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINDOWS\System32\backup.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINDOWS\dial.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\win.exe
O4 - HKLM\..\Run: [L8F] C:\documents and settings\criegel\local settings\temp\L8F.exe
O4 - HKLM\..\Run: [I2h] C:\documents and settings\criegel\local settings\temp\I2h.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\May17_loader.exe" /HideUninstall /PC="AM.WILD" /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Sqw6V9U5.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .zip: C:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7844.5483796296
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_1us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
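The following is an added example, not part of the original post and not a HijackThis or SpywareInfo tool: a small Python script that parses the line types in the log above (R0/R1 Internet Explorer settings, O2 browser helper objects, O4 autostart entries, O16 ActiveX downloads) and flags the indicators a log helper checks first. The ten sample lines are copied from this log; the rules (start or search page set to a bare IP address, an unnamed BHO loaded from the Windows folder, an autostart program in a Temp folder or at the drive root, a DPF entry fetching a raw .exe) are heuristics chosen here for illustration, so a legitimate unnamed BHO such as Spybot's SDHelper.dll in Program Files is deliberately left alone, and a miss does not mean an entry is safe.

```python
"""
Added triage helper for HijackThis-style logs (illustration only; not a
SpywareInfo or HijackThis tool).  It parses the line types seen in the log
above and flags the indicators a helper scans for first.
"""
import re
from dataclasses import dataclass

# Constructed sample: ten lines copied verbatim from the log in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.101/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://technomic/Intranet/
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINDOWS\dial.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [L8F] C:\documents and settings\criegel\local settings\temp\L8F.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\May17_loader.exe" /HideUninstall /PC="AM.WILD" /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""


@dataclass
class Finding:
    kind: str      # HijackThis line type, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Bare IPv4 host right after the scheme, e.g. http://69.31.79.101/...
_IPV4_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
# A program sitting directly in the root of a drive, e.g. C:\May17_loader.exe
_DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)


def _executable_of(command):
    """Return the program path from an O4 command line (quoted or not)."""
    if command.startswith('"'):
        return command.split('"')[1]
    m = re.match(r"(.*?\.exe)", command, re.I)   # unquoted path may contain spaces
    return m.group(1) if m else command.split(" ")[0]


def analyse_line(line):
    """Return a Finding for a suspicious log line, or None if no rule matched."""
    line = line.strip()
    if " - " not in line:
        return None
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1"):
        # "R1 - <registry key>,<value name> = <url>"
        value = line.partition(" = ")[2]
        if _IPV4_HOST.match(value):
            return Finding(kind, "IE start/search setting points at a bare IP address", line)
    elif kind == "O2":
        # "O2 - BHO: <name> - {CLSID} - <dll path>"
        parts = line.split(" - ")
        if (len(parts) >= 4 and parts[1].endswith("(no name)")
                and parts[-1].upper().startswith("C:\\WINDOWS\\")):
            return Finding(kind, "unnamed BHO loaded from the Windows folder", line)
    elif kind == "O4":
        # "O4 - HKLM\..\Run: [Name] <command line>"
        m = re.search(r"\]\s*(.*)$", line)
        if m:
            exe = _executable_of(m.group(1)).lower()
            if "\\temp\\" in exe:
                return Finding(kind, "autostart runs a program from a Temp folder", line)
            if _DRIVE_ROOT_EXE.match(exe):
                return Finding(kind, "autostart runs a program from the drive root", line)
    elif kind == "O16":
        # "O16 - DPF: {CLSID} (description) - <download url>"
        url = line.rsplit(" - ", 1)[-1].strip()
        if url.lower().endswith(".exe"):
            return Finding(kind, "ActiveX download (DPF) fetches a raw .exe", line)
    return None


def triage(log_text):
    """Run analyse_line over every line and collect the findings in log order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per line type, e.g. {'O4': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print("summary:", summarize(results))
```

Run it directly to print the flagged lines and a per-type summary; triage() accepts the text of a full saved log as well. On the sample it flags six of the ten lines and leaves the intranet start page, the Spybot BHO, the QuickTime autostart and the Flash .cab alone.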

#2 Gandalf (hexenmeister, Retired Staff - Helper, 45 posts)

Posted 04 August 2004 - 02:24 PM

somecallmegoo,
Hi and welcome to our forum. I'm Gandalf, and I will be working with you on your log.
Let me apologise for the delay in analysing your log, but we are snowed under with logs at the moment, as you can see from the forum.

There are several issues that need to be dealt with before we fix anything with HijackThis.

You show evidence of a Peper infection. Will you please go here to download the PeperFix tool, save it to your desktop, double-click on it, make sure all windows except Peper are closed and click 'Find and Fix'. You will be prompted to reboot your computer when finished. Then repeat once again to make sure all files are removed. You will be prompted to reboot your computer once again.
********************************************************************************************************************
You also show a CWS infection.
Please download this tool, CWShredder (latest version 1.59.1), to its own folder and double-click CWShredder.exe. Make sure all other windows are closed and only the CWShredder window is showing, and click on Fix. When completed you will have to reboot your computer.
********************************************************************************************************************
You have the W32.Beagle@mm virus.
Download the FxBgleMO.exe file from: http://securityrespo...er/FxBgleMO.exe
Save the file to a convenient location, such as the Windows desktop.
If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

I strongly recommend that you do not skip this next step, as the tool might not remove all files.
We will now clean out the System Restore cache.
System Restore allows you to roll back your system to a prior date for troubleshooting purposes and cannot be altered by third-party software. By disabling it, you will lose all previously created restore points, but once re-enabled with a clean restore point, Windows will continue to create them as before.
To turn off Windows XP System Restore:
1. Click Start
2. Right-click My Computer and then click Properties
3. Click the System Restore tab
4. Select "Turn off System Restore" (or "Turn off System Restore on all drives") check box and click Apply
You will then see the following message:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted and you will not be able to undo changes to your computer.
5. Click Yes to do this
6. Click OK

Double-click the FxBgleMO.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
When the tool has finished running, you will see a message indicating whether the computer was infected by W32.Beagle@mm. In the case of a removal of the worm, the program displays the following results:
Total number of the scanned files
Number of deleted files
Number of repaired files
Number of terminated viral processes
Number of fixed registry entries
********************************************************************************************************************
I see you have Spybot Search & Destroy installed. If it is V1.3 fine - just have it "Check for Updates" then "Check for Problems" and have it Fix all entries marked in RED - leave any others alone.

If your version is not the latest 1.3, will you please:
1. Download and install Spybot S&D, accepting the default settings (please ensure you have version 1.3 final).
Home - The home of Spybot-S&D!: http://www.safer-networking.org/
2. Go to Start > Programs > Spybot – Search & Destroy and choose Spybot S&D
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ and download and install the Updates.
5. Next click the button ‘Check for Problems’
6. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
7. Make sure there is a check mark beside the RED entries ONLY.
8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
9. REBOOT Your computer.
********************************************************************************************************************
You say you ran an Ad-Aware scan. I presume you have V6 build 181? Please "Check for updates" and then run a scan using the settings detailed below to configure Ad-Aware for a full scan. Once set like this it will not need resetting until you get a new version when released.

If your copy of Ad-Aware is outdated: Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe
Install the program and launch it.

Will you do another scan with these settings?
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window.

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next.)

Reboot your computer.
********************************************************************************************************************
Now go Here or Here for an online virus scan.
********************************************************************************************************************
Your copy of HijackThis is outdated. The new version is now at 1.98.1.
This needs to be placed in its own Permanent folder so it can create backups of all it fixes in one safe place for easier retrieval, if necessary.
To do this: click Start / My Computer, then double-click your C: drive. Click on File, then New, then Folder. This will create a folder called "New Folder"; rename this to HJT or HijackThis.
Now download HJT directly to this folder from http://www.spywarein.../HijackThis.exe
It should now be in C:\HJT\HijackThis.exe

Double-click HijackThis.exe. When the HJT screen appears, close ALL other open screens (windows), making sure HJT is the only screen showing, and click the Scan button. When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, then press Ctrl-A to Select All, and copy its contents here.

Gandalf





Member of ASAP and UNITE