Bad .org .net URL DNS Error page hijack


#1 fred3

Posted 08 July 2004 - 02:34 PM

This has happened locally on two computers: Windows ME and Windows XP Home.
If a bad URL is entered in IE6, this is the result:
If the URL ends in .com, the result is normal:
http://search.msn.co...perxxxxxnnn.com
If the URL ends in .org or .net then an abnormal / unwanted / hijacked result occurs. This is it:
www.buydomains.com opens up
the title on the page is:
ォォキエッコキク_BuyDomains.com_クキコッ`キササ
and an additional page
www.seeq.com opens up
http://www.seeq.com/...ain=centurb.net
where www.centurb.net is what was typed in to begin with.
When the latter page is closed, it asks if you want to have www.seeq.com become your home page.

Here are two HijackThis logs. The first was done with the offending pages not launched. The second was done with the offending pages open:

Logfile of HijackThis v1.97.7
Scan saved at 12:14:49 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\drivers\CDAC11BA.EXE
E:\PROGRA~1\VCOM\Fix-It\MXTask.exe
E:\WINDOWS\System32\GEARSec.exe
E:\Program Files\HP Web Jetadmin\hpwebjetd.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
E:\Program Files\HP Web Jetadmin\hpwebjetd.exe
E:\WINDOWS\system32\fxssvc.exe
E:\PROGRA~1\VCOM\Fix-It\mxtask.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\ctfmon.exe
E:\QBOOKSW\Components\QBAgent\QBDAgent.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
E:\WINDOWS\System32\mrtMngr.EXE
E:\WINDOWS\System32\dllhost.exe
E:\Program Files\ACT\act.exe
E:\PROGRA~1\ACT\actwp.wpi
E:\QBOOKSW\qbw32.exe
E:\QBOOKSW\AXLBRI~1.EXE
E:\QUICKENW\qw.exe
E:\Program Files\Outlook Express\msimn.exe
E:\Data\My Documents\_Download\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] E:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RoxioEngineUtility] "E:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Lamp] E:\PROGRAM FILES\HP\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Fix-It AV] E:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UpdateManager] "E:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PC 1Click Daily Scan] E:\Program Files\PromoSoft Corporation\PC 1Click 2.0 Free AutoScan\pc1click.exe /background
O4 - Startup: Norton System Doctor.LNK = E:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Norton System Doctor.LNK = E:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = E:\QBOOKSW\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8074.6688194444
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = missionsystems.com
O17 - HKLM\Software\..\Telephony: DomainName = missionsystems.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5530BAD-6438-487B-9F07-8EA5FC8A6055}: NameServer = 209.206.160.253,209.206.160.254,207.69.188.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{FABFDBCC-0176-4B09-B0DF-C8EE145AFFE5}: NameServer = 207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = missionsystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = missionsystems.com

**********************************************

Logfile of HijackThis v1.97.7
Scan saved at 12:15:53 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\drivers\CDAC11BA.EXE
E:\PROGRA~1\VCOM\Fix-It\MXTask.exe
E:\WINDOWS\System32\GEARSec.exe
E:\Program Files\HP Web Jetadmin\hpwebjetd.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
E:\Program Files\HP Web Jetadmin\hpwebjetd.exe
E:\WINDOWS\system32\fxssvc.exe
E:\PROGRA~1\VCOM\Fix-It\mxtask.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\ctfmon.exe
E:\QBOOKSW\Components\QBAgent\QBDAgent.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
E:\WINDOWS\System32\mrtMngr.EXE
E:\WINDOWS\System32\dllhost.exe
E:\Program Files\ACT\act.exe
E:\PROGRA~1\ACT\actwp.wpi
E:\QBOOKSW\qbw32.exe
E:\QBOOKSW\AXLBRI~1.EXE
E:\QUICKENW\qw.exe
E:\Program Files\Outlook Express\msimn.exe
E:\Data\My Documents\_Download\Hijack This\HijackThis.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Data\My Documents\_Download\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] E:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RoxioEngineUtility] "E:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Lamp] E:\PROGRAM FILES\HP\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Fix-It AV] E:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UpdateManager] "E:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PC 1Click Daily Scan] E:\Program Files\PromoSoft Corporation\PC 1Click 2.0 Free AutoScan\pc1click.exe /background
O4 - Startup: Norton System Doctor.LNK = E:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Norton System Doctor.LNK = E:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = E:\QBOOKSW\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8074.6688194444
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = missionsystems.com
O17 - HKLM\Software\..\Telephony: DomainName = missionsystems.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5530BAD-6438-487B-9F07-8EA5FC8A6055}: NameServer = 209.206.160.253,209.206.160.254,207.69.188.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{FABFDBCC-0176-4B09-B0DF-C8EE145AFFE5}: NameServer = 207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = missionsystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = missionsystems.com

#2 fred3

Posted 09 July 2004 - 10:49 AM

I should have mentioned:
Ad-Aware and Spybot Search & Destroy were run with latest updates and everything that was found was removed.

Fred



