I have been hijacked

#1 jjddJohn

Posted 22 May 2004 - 01:06 PM

IE will not keep my homepage. I have run HijackThis and deleted everything that did not look right. I have been able to regain control of the address bar. I still cannot keep the homepage. In addition I get popups even when I am not using IE. I assume this software is reinstalling itself, since the "about blank" comes up after I reboot.

The following is the log from HijackThis.

Logfile of HijackThis v1.97.7
Scan saved at 1:52:32 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\wnscpit.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Gzsr8.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\Cvxd37.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DC56D535-57CB-4AA0-AA24-1286F811EB09} - C:\WINDOWS\System32\ggnab.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Xqsye.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

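A small triage script, added here as an example and not code from the forum or from HijackThis itself, that applies the same clues the helpers read from the log above: an R0/R1 search or start page redirected into a res:// resource inside a local DLL, an unnamed O2 BHO loading that same DLL, and an O4 Run value with a random-looking name. The sample lines are constructed from the entries in post #1.

```python
import re

# Constructed sample lines, modelled on the HijackThis log in post #1 (not a real scan).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DC56D535-57CB-4AA0-AA24-1286F811EB09} - C:\WINDOWS\System32\ggnab.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Xqsye.exe
O9 - Extra button: WeatherBug (HKCU)
"""

RES_DLL = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
RANDOM_KEY = re.compile(r"^[A-Z0-9]{10,}$")  # e.g. 2LRX2W83X2T3MQ; legitimate names read like words

def triage(log_text):
    """Return (line, reason) pairs for the hijack patterns discussed in this thread."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: which local DLLs are serving IE's search/start pages through res:// URLs?
    res_dlls = {RES_DLL.search(ln).group(1).lower()
                for ln in lines if ln[:1] == "R" and RES_DLL.search(ln)}
    findings = []
    for line in lines:
        if line[:1] == "R" and RES_DLL.search(line):
            findings.append((line, "IE search/start page redirected into a local DLL resource"))
        elif (m := BHO_LINE.match(line)):
            if m.group("name") == "(no name)":
                findings.append((line, "unnamed BHO"))
            # The BHO loading the very DLL that serves the fake search page ties the entries together.
            if m.group("path").strip().lower() in res_dlls:
                findings.append((line, "BHO DLL is the same file serving the res:// search page"))
        elif (m := RUN_LINE.match(line)) and RANDOM_KEY.match(m.group("key")):
            findings.append((line, "Run value with random-looking name"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```
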
#2 jjddJohn

Posted 22 May 2004 - 02:22 PM

bump

#3 angoid

Posted 22 May 2004 - 02:31 PM

Hi jjddjohn, and welcome to SpywareInfo ;)

Firstly, you've got the Peper trojan. Use the uninstall tool - download from:

http://www.memorywat....com/uninst.exe

Double-click on uninst.exe, let it run and terminate. Run it again for good measure, and reboot your system.

When done, download CWShredder (link in my signature). Unzip it and run it with all other applications closed. Click on Fix (NOT Scan Only) and let it run its course.

When done, exit CWShredder and again reboot your system.

Post back a fresh HijackThis log and we'll take a look at the rest.
If you don't know what eschatology is then don't worry; it's not the end of the world.

#4 angoid

Posted 22 May 2004 - 03:17 PM

Further to my post above, can you also do the following please:

Download RegistrarLite from here.

Run it, and into its address bar paste the following text:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the 'Go' tab. Find the "Appinit_Dlls" value in the right-hand panel, double-click it, then copy and note the information in the 'Value' field.

Let's say you have C:\WINDOWS\System32\xxx.dll.

Whenever you see that text in the following text, or xxx.dll, replace it with what you noted above.

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right-click on the Windows key in the left pane and rename it to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

Double-click the "Appinit_Dlls" value in the right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be:

"C:\WINDOWS\System32\xxx.dll", hit 'Apply' and 'Ok' to set.

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the xxx.dll in the specified folder (C:\WINDOWS\System32 in this example).

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINDOWS\System32\xxx.dll
Copy and paste this into the 'To' box: C:\Junk\xxx.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there.

If it's there, rerun CWShredder and hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log.

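The AppInit_DLLs check from the procedure above, written as an added example (not code from the forum, Registrar Lite or Winfile): it reads the value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, splits it into the DLL paths it lists, and reports any path that is listed but cannot be seen on disk, which is exactly the "hidden" DLL situation the post describes. The sample value and the placeholder name xxx.dll are constructed from the post's own example; on a non-Windows machine the script falls back to that sample.

```python
import os
import re

# Illustrative value, constructed after the example in post #4 (xxx.dll stands in for the real name).
SAMPLE_APPINIT = r'"C:\WINDOWS\System32\xxx.dll"'

def parse_appinit(value):
    """AppInit_DLLs is one string of DLL paths separated by spaces or commas, each optionally quoted."""
    return [p.strip('"') for p in re.split(r"[ ,]+", value.strip()) if p.strip('"')]

def audit_appinit(value, exists=os.path.exists):
    """Pair each listed DLL with whether its file is visible on disk.

    A path that is listed here but cannot be seen is the situation the thread describes:
    the DLL is loaded into every process at logon and hides its own file until the key is
    renamed and the machine rebooted. 'exists' is injectable so the logic can be tested offline.
    """
    return [(path, "visible" if exists(path) else "listed but not visible on disk")
            for path in parse_appinit(value)]

def read_live_appinit():
    """Read the real value from HKLM (Windows only); returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows") as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    return value

if __name__ == "__main__":
    live = read_live_appinit()
    for path, status in audit_appinit(live if live is not None else SAMPLE_APPINIT):
        print(f"{path}: {status}")
```
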
#5 jjddJohn

Posted 29 May 2004 - 08:00 AM

Sorry it took so long to get back. Here is my latest log. The dll in the junk folder is d3di.dll

Logfile of HijackThis v1.97.7
Scan saved at 8:57:18 AM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\PD6000SM.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\wnscpit.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 jjddJohn

Posted 29 May 2004 - 10:09 AM

dump dump

Edited by jjddJohn, 29 May 2004 - 07:20 PM.


#7 jjddJohn

Posted 29 May 2004 - 07:21 PM

dump

#8 jjddJohn

Posted 01 June 2004 - 11:49 AM

I have reposted my log. Could you please review it?

#9 angoid

Posted 06 June 2004 - 04:37 PM

Hi, and very sorry for the huge delay :-(

Can you run HijackThis alone (i.e. with no other applications running), and place a check against these items:

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe
O9 - Extra button: WeatherBug (HKCU)


and click on Fix Checked. Exit HijackThis and reboot your system.

Post back another log and we'll see whether that's got them all!

Cheers.