
i've been hijacked at work.. :-(



#1 fool


Posted 08 June 2004 - 04:32 PM

I can't seem to get everything working right after getting the vbouncer and a few other programs this morning. Anybody have any ideas? Verizon won't allow me admin privs either to install Spybot S&D, and Ad-Aware isn't doing anything to help anymore. . . lol. Anyone with any ideas, I would greatly appreciate any help. Here's my log file:

Logfile of HijackThis v1.97.7
Scan saved at 4:31:10 PM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe
C:\Program Files\Gordoware\connectto.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwramsweb.ftw....gte.com/eposs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nwramsweb.ftw....gte.com/eposs/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Bookmarks] C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe /S
O4 - Global Startup: CheckMaps.lnk = C:\Program Files\Gordoware\CheckMaps.exe
O4 - Global Startup: connectto.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://nwramsweb.ftwyin.tel.gte.com/eposs/
O15 - Trusted Zone: http://www.srdunderground.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38028.600775463
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = eposs1.verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com

#2 fool


Posted 09 June 2004 - 12:18 AM

bump :techsupport:

#3 fool


Posted 09 June 2004 - 06:40 AM

Anyone with any ideas on this? :scratchhead:

#4 fool


Posted 09 June 2004 - 08:22 AM

Ok, I've got everything working like normal again after doing some searching on this forum for a few hours and whatnot. Here's my latest HijackThis log, in which I removed my hosts to keep down the length of the log file. I have left those untouched so far because most are used for work. There are a few that I'm sort of baffled by, like hermes, venus, and the Greek names, but other than that, how does the rest of the log look?


Logfile of HijackThis v1.97.7
Scan saved at 8:41:42 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Gordoware\connectto.exe
C:\Bentley\Program\Microstation\ustation.exe
C:\temp\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Lotus\Notes\NLNOTES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwramsweb.ftw....gte.com/eposs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nwramsweb.ftw....gte.com/eposs/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy

This was where the hosts were, but I removed them for a more condensed HijackThis log to read from. Most of my problems are fixed now, but I'd still like to go over everything and see if I need to remove anything else.


O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Bookmarks] C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe /S
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: CheckMaps.lnk = C:\Program Files\Gordoware\CheckMaps.exe
O4 - Global Startup: connectto.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://nwramsweb.ftwyin.tel.gte.com/eposs/
O15 - Trusted Zone: http://www.srdunderground.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38028.600775463
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = eposs1.verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
