pesky lil hijacker



#1 clingervsradar (Full Member, 7 posts)

Posted 16 July 2004 - 05:07 PM

I've run CWS, Ad-Aware, Spybot S&D and HijackThis.. dumped the temp files and all the good stuff

Here's the first log

Logfile of HijackThis v1.97.7
Scan saved at 5:49:36 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\javaqu.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\mfcrd32.exe
C:\Documents and Settings\jebus.SUXOR\Local Settings\Temporary Internet Files\Content.IE5\WJ73YK51\HijackThis[1].exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edsnr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edsnr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edsnr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edsnr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edsnr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\edsnr.dll/sp.html#96676
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B784881A-C236-6F52-D86B-285DC0FC4011} - C:\WINDOWS\sysjj32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [javaqu.exe] C:\WINDOWS\system32\javaqu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [mfcrd32.exe] C:\WINDOWS\mfcrd32.exe
O4 - HKLM\..\RunOnce: [windu32.exe] C:\WINDOWS\windu32.exe
O4 - HKLM\..\RunOnce: [winfe32.exe] C:\WINDOWS\system32\winfe32.exe
O4 - HKLM\..\RunOnce: [apprh32.exe] C:\WINDOWS\system32\apprh32.exe
O4 - HKLM\..\RunOnce: [javaju.exe] C:\WINDOWS\system32\javaju.exe
O4 - HKLM\..\RunOnce: [mfcki.exe] C:\WINDOWS\system32\mfcki.exe
O4 - HKLM\..\RunOnce: [mfcwn32.exe] C:\WINDOWS\system32\mfcwn32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)

---------------------------------------------------
---------------------------------------------------

I figured out that the #96676 files are part of the problem, so I cleaned them out.. but something is still floating around regenerating them etc.

I know what most of the stuff that's left is.. but some of it I'm not sure about.. so if anyone could drop a hint I'd be very thankful

#2 spin (Full Member, 12 posts)

Posted 16 July 2004 - 05:55 PM

Go here

An answer to help you

12-step process and you are free.

#3 canoeingkidd (Forum Deity, Retired Staff, 692 posts)

Posted 16 July 2004 - 06:27 PM

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Run HijackThis and check the following:

O2 - BHO: (no name) - {B784881A-C236-6F52-D86B-285DC0FC4011} - C:\WINDOWS\sysjj32.dll
O4 - HKLM\..\Run: [javaqu.exe] C:\WINDOWS\system32\javaqu.exe
O4 - HKLM\..\RunOnce: [mfcrd32.exe] C:\WINDOWS\mfcrd32.exe
O4 - HKLM\..\RunOnce: [windu32.exe] C:\WINDOWS\windu32.exe
O4 - HKLM\..\RunOnce: [winfe32.exe] C:\WINDOWS\system32\winfe32.exe
O4 - HKLM\..\RunOnce: [apprh32.exe] C:\WINDOWS\system32\apprh32.exe
O4 - HKLM\..\RunOnce: [javaju.exe] C:\WINDOWS\system32\javaju.exe
O4 - HKLM\..\RunOnce: [mfcki.exe] C:\WINDOWS\system32\mfcki.exe
O4 - HKLM\..\RunOnce: [mfcwn32.exe] C:\WINDOWS\system32\mfcwn32.exe


Make sure all browser windows are closed including this one and click fix checked.


Immediately download About:Buster here http://tools.zerosre...AboutBuster.zip

1) Run About:Buster and hit Ok, then Start.
2) Let the program run, it may take awhile.
3) Once it finishes running, copy the information from the log section, and post it in the topic along with a new hijackthis log. Then reboot your machine



P.S. Reviewed by Zero in #privacy

Edited by canoeingkidd, 17 July 2004 - 08:49 AM.


#4 clingervsradar (Full Member, 7 posts)

Posted 16 July 2004 - 10:49 PM

I've been tinkering around with this for a while.. ran About:Buster, HijackThis, Spybot S&D, Ad-Aware and looked through the registry (found nothing that stood out there.. but then again I don't mess with it much). Played with msconfig a bit and so far apijm, javaqu and ntwb32 have shown up and been disabled

HijackThis turns up the following


Logfile of HijackThis v1.97.7
Scan saved at 11:42:42 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\apijm.exe
C:\WINDOWS\mfcrd32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jebus.SUXOR\Start Menu\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fucka.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fucka.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fucka.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fucka.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fucka.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fucka.dll/sp.html#96676
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DB41F021-5AC5-A9B7-B3CF-8039B91DD632} - C:\WINDOWS\system32\addwy.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [apijm.exe] C:\WINDOWS\system32\apijm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [mfcrd32.exe] C:\WINDOWS\mfcrd32.exe
O4 - HKLM\..\RunOnce: [appbd.exe] C:\WINDOWS\system32\appbd.exe
O4 - HKLM\..\RunOnce: [ntcx.exe] C:\WINDOWS\system32\ntcx.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)

_______________________________________
_______________________________________
_______________________________________



About:Buster turns up this

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\aekahr.dat
Removed! : C:\WINDOWS\czeld.dat
Removed! : C:\WINDOWS\dmmqbm.dat
Removed! : C:\WINDOWS\fucka.dll
Removed! : C:\WINDOWS\trgkh.dll
Removed! : C:\WINDOWS\wrawwp.dat
Removed! : C:\WINDOWS\System32\apijm.exe
Removed! : C:\WINDOWS\System32\cgzrs.dat
Removed! : C:\WINDOWS\System32\ntcx.exe
Removed! : C:\WINDOWS\System32\sowou.dat
Removed! : C:\WINDOWS\System32\zcdsh.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


In addition to the hijacking, popups and regeneration.. whatever this is has also been closing all my Word .docs and killing my wireless connection
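As an added illustration (not code from this thread or any of its posters), the script below applies the same selection canoeingkidd made in post #3 to HijackThis log lines, and pulls out the #nnnnn tag that clingervsradar's two logs show surviving the DLL rename from edsnr.dll to fucka.dll. The sample lines are copied from the first log above; the KNOWN_GOOD allowlist is an assumption that a real analyst would maintain.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edsnr.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edsnr.dll/index.html#96676
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B784881A-C236-6F52-D86B-285DC0FC4011} - C:\WINDOWS\sysjj32.dll
O4 - HKLM\..\Run: [javaqu.exe] C:\WINDOWS\system32\javaqu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [mfcrd32.exe] C:\WINDOWS\mfcrd32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# R0/R1 start or search page redirected into a res:// DLL; the trailing #nnnnn is the variant tag.
RES_HIJACK = re.compile(r"^R[01] - .*? = res://(\S+?\.dll)/[^#\s]*(#\d+)?", re.I)
BHO = re.compile(r"^O2 - BHO: .*? - \{[0-9A-F-]+\} - (.+)$", re.I)
AUTORUN = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[[^\]]*\] (.+?\.exe)", re.I)
# A file dropped straight into the Windows root or System32, with no vendor folder around it.
WINDIR_FILE = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\\s]+\.(?:exe|dll)$", re.I)
KNOWN_GOOD = {"ctfmon.exe"}  # assumption: an analyst-maintained allowlist of legitimate autoruns


def triage(log_text):
    """Group the HijackThis lines worth reviewing: res:// page hijacks, BHO DLLs and autorun
    executables living directly under the Windows directory. Heuristic: candidates, not verdicts."""
    found = {"res_hijacks": [], "bhos": [], "autoruns": []}
    for line in log_text.splitlines():
        if m := RES_HIJACK.match(line):
            found["res_hijacks"].append((PureWindowsPath(m[1]).name.lower(), m[2] or ""))
        elif (m := BHO.match(line)) and WINDIR_FILE.match(m[1]):
            found["bhos"].append(m[1])
        elif m := AUTORUN.match(line):
            key, exe = m.groups()
            if WINDIR_FILE.match(exe) and PureWindowsPath(exe).name.lower() not in KNOWN_GOOD:
                found["autoruns"].append((key, exe))
    return found


def variant_tags(found):
    """Distinct #nnnnn tags in the res:// entries. In this thread the DLL name changed between
    scans (edsnr.dll, then fucka.dll) while the tag stayed #96676, so track the tag, not the file."""
    return {tag for _, tag in found["res_hijacks"] if tag}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print("variant tags:", variant_tags(result))
```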

#5 clingervsradar (Full Member, 7 posts)

Posted 17 July 2004 - 03:12 PM

:(

#6 clingervsradar (Full Member, 7 posts)

Posted 18 July 2004 - 01:43 AM

I got it I got it I got it I got it I got it

wooooooohoooooooooooooo


Well.. at least I think I did anyway... so far everything is runnin' cool and nothing has regenerated.. so far everything appears to be cocked, locked and ready to rock

The things you can accomplish when yer drunk are amazing



