Please help - I've been taken hostage


  • This topic is locked
6 replies to this topic

#1 catwilliams (Full Member, 6 posts)

Posted 20 July 2004 - 07:32 AM

I have scanned with updated Spybot and Ad-aware, as well as a complete virus scan. They have not removed whatever has taken over my Internet. Actually, Spybot keeps saying it cannot fix all of them and that I need to reboot and run Spybot again on boot-up. I've done this many times.

I've lost my home page, get countless pop-ups, and had a really difficult time reaching your sites - it sure didn't want me to download HijackThis.

I've run HijackThis and have posted the log file below. Please help me - reading it is like a foreign language. Thank you for any help you can offer.

Logfile of HijackThis v1.97.7
Scan saved at 10:28:09 PM, on 19/07/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\softwarepeakaim\DefyStupid.exe
C:\WINDOWS\system32\internat.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\cathy\Desktop\Maintenance\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogershispeed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.hispeed.rogers.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4419F7BF-4C3E-DCE0-EF16-2C36636E43D1} - C:\PROGRA~1\HOLEFI~1\City Wma.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: safemove - {B8916132-F04A-A89D-865B-3B7183A0029E} - C:\PROGRA~1\HOLEFI~1\City Wma.dll
O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [EQBAIT] C:\PROGRA~1\softwarepeakaim\DefyStupid.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RHSI Update Manager] "C:\Program Files\Rogers Hi-Speed Internet\RHSI Update Manager\RHSIUpdateManager.exe" /background
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gov.pe.ca...rs/mgaxctrl.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communitie...t/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7845.6439351852
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...360/mcfscan.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.micro...ate/sdkinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

#2 catwilliams (Full Member, 6 posts)

Posted 20 July 2004 - 12:49 PM

Is anybody there who can help?

#3 catwilliams (Full Member, 6 posts)

Posted 20 July 2004 - 12:59 PM

I should mention that I've been trying, without any success, to download HijackThis 1.98. Whatever has control of my browser will either not let me get to the page where the download is, or I'll get to the page, click to download, and it takes me somewhere else. The log I supplied with my first post was generated using HJT 1.97.

#4 catwilliams (Full Member, 6 posts)

Posted 21 July 2004 - 07:20 AM

Wondering if anyone has had a chance to look at my HJT log... any advice?

#5 H@ns (Forum Deity, Retired Staff - Helper, 2,630 posts)

Posted 21 July 2004 - 07:23 AM

Please don't ask more than once a day; there are lots of people with logs 3-4 days old that haven't been analyzed yet. So please be patient.
Nucia Security Forums - Dutch Anti-Malware Support

#6 Ansh (Full Member, 45 posts)

Posted 21 July 2004 - 11:47 AM

Using HijackThis, you should fix the following (be sure to close all browsers before fixing):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4419F7BF-4C3E-DCE0-EF16-2C36636E43D1} - C:\PROGRA~1\HOLEFI~1\City Wma.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: safemove - {B8916132-F04A-A89D-865B-3B7183A0029E} - C:\PROGRA~1\HOLEFI~1\City Wma.dll
O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)
O4 - HKCU\..\Run: [internat.exe] internat.exe

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

After reboot, delete the following:
C:\WINDOWS\system32\internat.exe

#7 H@ns (Forum Deity, Retired Staff - Helper, 2,630 posts)

Posted 21 July 2004 - 11:51 AM

Sheesh, I wouldn't fix these:

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKCU\..\Run: [internat.exe] internat.exe

Those are absolutely normal entries.

For Internat.exe: http://www.liutiliti...brary/internat/

Edited by H@ns, 21 July 2004 - 11:54 AM.

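The triage the two helpers perform above (Ansh's list of entries to fix in post #6, and H@ns's correction in post #7 that SDHelper.dll, the msdxm.ocx Radio toolbar and internat.exe are normal) can be written down as rules and run over the log. The script below is an added example; it is not part of the thread and not HijackThis code. The twelve log lines are copied from the log in post #1, while the allow-list, the rule set and the verdict labels ("known-good", "fix", "review") are this example's own assumptions about what a log helper checks.

```python
import re
from dataclasses import dataclass

# Added example for this thread; not HijackThis code and not posted by anyone in it.
# The twelve lines below are copied from the log in post #1; the allow-list,
# the rules and the verdict labels are this example's own assumptions.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.hispeed.rogers.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4419F7BF-4C3E-DCE0-EF16-2C36636E43D1} - C:\PROGRA~1\HOLEFI~1\City Wma.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: safemove - {B8916132-F04A-A89D-865B-3B7183A0029E} - C:\PROGRA~1\HOLEFI~1\City Wma.dll
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com
"""

# File names the thread's helper identifies as normal (post #7), plus the two
# products the log lines name themselves. Matching is by file name only.
KNOWN_GOOD = {
    "sdhelper.dll": "Spybot S&D helper (post #7: normal)",
    "msdxm.ocx": "IE Radio toolbar, msdxm.ocx (post #7: normal)",
    "internat.exe": "Windows keyboard-layout indicator (post #7: normal)",
    "mcvsshl.dll": "McAfee VirusScan toolbar",
    "swflash.cab": "Shockwave Flash ActiveX control",
}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str     # HijackThis section: R1, R3, O2, O3, O4, O16, O17, ...
    verdict: str  # "known-good", "fix" or "review"
    reason: str
    line: str


def _last_field(body):
    """The text after the final ' - ': the DLL path or the DPF codebase."""
    return body.rsplit(" - ", 1)[-1]


def triage(log_text):
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["body"], raw.strip()))

    # One DLL registered both as a BHO (O2) and as a toolbar (O3) is worth
    # catching even when one of the two entries carries a friendly name.
    hooks_per_dll = {}
    for kind, body, _ in entries:
        if kind in ("O2", "O3"):
            hooks_per_dll.setdefault(_last_field(body).lower(), set()).add(kind)

    findings = []
    for kind, body, raw in entries:
        low = body.lower()
        good = next((why for name, why in KNOWN_GOOD.items() if name in low), None)
        if good:
            findings.append(Finding(kind, "known-good", good, raw))
        elif kind in ("O2", "O3"):
            path = _last_field(low)
            if path == "(no file)":
                findings.append(Finding(kind, "fix", "orphaned CLSID, no DLL on disk", raw))
            elif "(no name)" in low or len(hooks_per_dll.get(path, ())) > 1:
                findings.append(Finding(kind, "fix", f"unnamed or doubly registered hook DLL: {path}", raw))
            else:
                findings.append(Finding(kind, "review", f"named hook DLL outside the allow-list: {path}", raw))
        elif kind == "O16":
            codebase = _last_field(body)
            if codebase.lower().startswith(("http://", "https://")):
                findings.append(Finding(kind, "review", "ActiveX download outside the allow-list", raw))
            else:
                findings.append(Finding(kind, "fix", f"DPF codebase is not an HTTP download: {codebase}", raw))
        elif kind == "O17":
            findings.append(Finding(kind, "fix", "DNS SearchList set: unqualified host names are tried under these domains", raw))
        elif kind == "R1" and "proxyserver" in low:
            findings.append(Finding(kind, "review", "IE proxy configured; confirm it is the ISP's", raw))
        elif kind == "R3":
            findings.append(Finding(kind, "fix", "URLSearchHook missing; fixing restores the default", raw))
        else:
            findings.append(Finding(kind, "review", "no rule for this section", raw))
    return findings


def verdict_for(substring, log_text=SAMPLE_LOG):
    """Verdict of the first entry whose line contains `substring`."""
    return next(f.verdict for f in triage(log_text) if substring in f.line)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:10} {f.kind:4} {f.reason}\n           {f.line}")
```

Run as-is and each line comes back tagged known-good, fix or review; the two City Wma.dll entries, the orphaned "(no file)" toolbar and the O17 SearchList land in "fix", the Spybot, Radio and internat.exe entries in "known-good". The allow-list matches on file name only, which is exactly the trap in posts #6 and #7: a genuine internat.exe in system32 and a look-alike elsewhere would both match, so before deleting anything a helper confirms the full path and the file's provenance rather than trusting the name.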



