IE hijack


#1 mikeytano

Posted 07 July 2004 - 05:14 PM

I've used CWShredder and Spybot and run HijackThis. This is my log. All I get when I start IE is a redirect to a security website, and my homepage constantly changes.

Logfile of HijackThis v1.97.7
Scan saved at 6:08:47 PM, on 7/7/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\Explorer.exe
C:\WINDOWS\system32\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\services\msxmidi.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\win.exe
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tano\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)
F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINDOWS\System32\backup.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINDOWS\dial.dll
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [n8wIA] C:\documents and settings\tano\local settings\temp\n8wIA.exe
O4 - HKLM\..\Run: [IGg2IJQq] C:\documents and settings\tano\local settings\temp\IGg2IJQq.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\win.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [XXUBJQBUHIEGYEN] C:\WINDOWS\KNEVRENTSWYJWR.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports....lgcst1010_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...ab/12wfwr1d.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingsto...TInc/bridge.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelpe...alHelperNew.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#2 CalamityJane

Posted 12 July 2004 - 04:11 PM

Hi mikeytano :)

Wow - what a mess! You have lot of malware on there.

You don't have any critical security updates installed on your Win2k, and you have an obsolete version of IE that isn't supported anymore. You need to get ALL the service packs and critical security updates and upgrade to IE 6 SP1 at Windows Update to protect your PC, and do that as soon as possible!!

http://v4.windowsupd.../en/default.asp

Now please follow these steps to get rid of all those infections:

1. Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

2. Make a copy of these instructions so you have them handy as the next steps need to be done in safe mode with IE closed.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

4. Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

5. Scan with HijackThis and checkmark each of the following and then press *fix checked*

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)

F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINDOWS\System32\backup.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINDOWS\dial.dll

O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)

O4 - HKLM\..\Run: [winmain] winmain.exe

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe

O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe

O4 - HKLM\..\Run: [n8wIA] C:\documents and settings\tano\local settings\temp\n8wIA.exe

O4 - HKLM\..\Run: [IGg2IJQq] C:\documents and settings\tano\local settings\temp\IGg2IJQq.exe

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\win.exe

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe

O4 - HKCU\..\Run: [XXUBJQBUHIEGYEN] C:\WINDOWS\KNEVRENTSWYJWR.exe

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...ab/12wfwr1d.cab

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingsto...TInc/bridge.cab

O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe

O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelpe...alHelperNew.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
.............................................
7. (Don't forget to press *fix checked* on the above items.) Next, stay in safe mode and delete the following files and/or folders listed below.

C:\WINDOWS\System32\services\msxmidi.exe (file)

winmain.exe (file)

C:\WINDOWS\Belt.exe (file)

C:\WINDOWS\System32\internetfeatures.exe (file)

C:\WINDOWS\wdskctl.exe (file)

C:\documents and settings\tano\local settings\temp\n8wIA.exe (file)

C:\documents and settings\tano\local settings\temp\IGg2IJQq.exe (file)

C:\WINDOWS\win.exe (file)

C:\WINDOWS\system32\explorer.exe (file) <---NOTE: do NOT mistake this for the valid explorer.exe which is located directly in the Windows folder. This bad one is in the System32 folder.

C:\WINDOWS\System32\msrexe.exe (file)

C:\WINDOWS\KNEVRENTSWYJWR.exe (file)

C:\WINDOWS\System32\d3d8.exe (file)

C:\Program Files\TV Media (folder)

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Reboot back into normal mode.

You need to get an online AV scan from one (preferably two) of the following. Let them delete any infected files found.

Panda's Active Scan
http://www.pandasoft...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/v.../virusscan.aspx

10. When all done, scan once more with HijackThis and post a fresh log please.
Microsoft MVP Windows-Security 2003-2009
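The two posts above do the same triage by hand: read the log for entries that do not belong (autostarts living in a Temp folder, a second explorer.exe under System32 next to the real one in C:\WINDOWS, a bare "winmain.exe" with no path, domains pushed into the Trusted zone, an O16 "control" that is really load.exe or is served from a bare IP), then fix those entries in HijackThis and delete the files behind the flagged autostarts from Safe Mode. As an added example, not part of either post and not HijackThis's own code, the Python below encodes those checks and turns the hits into the same kind of deletion checklist. It assumes the system root is C:\WINDOWS as the log's platform line shows, and runs on a constructed sample assembled from lines of the log above.

```python
"""Triage a HijackThis 1.x log: flag the entry types that point to a browser
hijack and turn the flagged autostart entries into a file-deletion checklist.
Added example for this thread, not HijackThis code; the heuristics are the
ones a log reader applies by eye to the log posted above."""
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.97 format. Lines are copied from the log
# posted above, chosen so that every heuristic below fires at least once.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WINDOW~3\WinSB1.DLL (file missing)
F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [n8wIA] C:\documents and settings\tano\local settings\temp\n8wIA.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O15 - Trusted Zone: *.blazefind.com
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_VALUE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BARE_IP_URL = re.compile(r"://\d{1,3}(?:\.\d{1,3}){3}/")
SYSTEM_ROOT = r"c:\windows"                         # assumption: as in the log's platform line
SYSTEM_BINARY_HOME = {"explorer.exe": SYSTEM_ROOT}  # image name -> its only legitimate directory


def image_path(cmd):
    """Reduce a Run value (quoted path plus switches, or a bare name) to the image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" -", 1)[0]


def path_findings(path):
    """Heuristics on one autostart image path; returns a list of reasons."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    reasons = []
    if not directory:
        reasons.append("unqualified image name, resolved through the search path at logon")
    if "\\temp\\" in low:
        reasons.append("autostart image lives in a Temp folder")
    home = SYSTEM_BINARY_HOME.get(base)
    if home and directory != home:
        reasons.append(f"{base} running from {directory}, not {home}: a look-alike")
    return reasons


def _flag(findings, sec, line, reason, path=None):
    findings.append({"section": sec, "line": line, "reason": reason, "path": path})


def triage(log):
    """Return findings as dicts: section, line, reason and (for autostarts) the image path."""
    findings = []
    dirs_by_image = defaultdict(set)   # image name -> directories it is running from
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            directory, _, base = line.lower().rpartition("\\")
            dirs_by_image[base].add(directory)
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body or "(no file)" in body:
            _flag(findings, sec, line, "registration points at a file that is no longer on disk")
        if sec == "O4" and (rv := RUN_VALUE.match(body)):
            path = image_path(rv.group("cmd"))
            for reason in path_findings(path):
                _flag(findings, sec, line, reason, path)
        elif sec == "F1" and body.lower().startswith("win.ini: run="):
            _flag(findings, sec, line, "legacy win.ini autostart, rarely used by legitimate software",
                  body.split("run=", 1)[1])
        elif sec == "O15":
            _flag(findings, sec, line, "site added to the Trusted zone, which relaxes IE's ActiveX and scripting limits for it")
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1].lower()
            if url.endswith(".exe"):
                _flag(findings, sec, line, "ActiveX download is a raw executable rather than a .cab package")
            elif BARE_IP_URL.search(url):
                _flag(findings, sec, line, "ActiveX control served from a bare IP address")
    for base, dirs in dirs_by_image.items():
        if len(dirs) > 1:   # the same image name running from two places: one is a look-alike
            _flag(findings, "proc", base, f"same image name running from {sorted(dirs)}")
    return findings


def removal_checklist(findings):
    """Unique image paths behind flagged autostarts: what to delete from Safe Mode
    after the HijackThis entries themselves have been fixed."""
    files = []
    for f in findings:
        if f["path"] and f["path"] not in files:
            files.append(f["path"])
    return files


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print("\nDelete from Safe Mode:")
    for p in removal_checklist(found):
        print("   ", p)
```

A flagged line is a lead, not a verdict: the "(file missing)" hits are harmless leftovers that still deserve a fix, and the Trusted zone check fires on every O15 line because a clean install has none. The checklist only ever names the path the autostart points at, so the look-alike C:\WINDOWS\system32\explorer.exe is listed while the real C:\WINDOWS\Explorer.exe is not, which is exactly the distinction the reply above warns about.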