Jump to content


Photo

Homepage Hijacker similiar to jimfisher's problem


  • Please log in to reply
3 replies to this topic

#1 ozguny

ozguny

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 July 2004 - 05:23 PM

Hello!

I'm suffering from a malware similiar to:
http://forums.spywar...t=0

Malware redirects me to: http://213.159.117.134/index.php and then forces me to download a program.

I scanned with Hijackthis and tried to fix the 'http://213.159.117.134/index.php' related entries, an entry like this:
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt- download.com/MediaTicketsInstaller.cab
and a BHO entry

Also there wasn't any entries like(which were there in the other thread):
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\ozguny\Application Data\acao.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

But there were another 04 entries to 2 files under 'C:\WINDOWS\system32\' and 'C:\Documents and Settings\ozguny\Application Data\' directories. I fixed/deleted them in HTJ and deleted that files on the harddisk also.

But I couldn't remove the malware.


My new HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 01:16:04, on 11.07.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\ozguny\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.93.232.141...80/dexTR258.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A869AF04-720E-4F39-B661-03E03236611A}: NameServer = 212.156.4.2 212.156.4.10



What should I do to remove this malware?

Thanks.

Edited by ozguny, 10 July 2004 - 05:27 PM.


#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 10 July 2004 - 05:32 PM

Your problem is different.
For now, fix checked these (only) in hijackthis:

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
*R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
*R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
*O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.93.232.141...80/dexTR258.exe


Restart you computer.

Next,
Go to Windows updates, (link(s) bellow, and upgrade you dangerously outdated version of :

My new HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 01:16:04, on 11.07.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

To it's current, 6/SP1! , Known as:
Internet Explorer v6.00 SP1 (6.00.2800.1106)
including but not limited to all
security updates on offer, applicable to your OS.

Your start pages all have 'live' Xploit!
Your current IE version can't be fixed.

When you have done that, re-run hijackthis and post follow up log!

Edited by freeatlast, 10 July 2004 - 05:42 PM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#3 ozguny

ozguny

    Member

  • New Member
  • Pip
  • 3 posts

Posted 11 July 2004 - 03:17 AM

Hi!

I couldn't download IE SP1 because I'm in a hurry.
I'm going to a trip for about a week.
I'll install SP1 when I come back.

Thanks for your support.

#4 ozguny

ozguny

    Member

  • New Member
  • Pip
  • 3 posts

Posted 11 July 2004 - 03:31 AM

I was able to downloaded IE SP1 at last.

HJT Log is:


Logfile of HijackThis v1.97.7
Scan saved at 11:31:04, on 11.07.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\ozguny\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ozguny\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A869AF04-720E-4F39-B661-03E03236611A}: NameServer = 212.156.4.2 212.156.4.10

It didn't work.

Edited by ozguny, 11 July 2004 - 03:32 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button