
Hijacker issue. Thank u for any help


3 replies to this topic

#1 warui (Member, New Member, 3 posts)

Posted 08 June 2004 - 05:14 PM

Hi,

First I would like to say, any individual with the education and knowledge to help is truly a saint. Computers have long been the devil and a thorn in the side of many educated people who don't have the time to pursue a secondary education just for the sake of being able to surf the internet. I, in my ignorance, clicked a picture (non-porn, I promise). What proceeded was a bombardment of popups and crap. I literally just reached behind my computer and pulled the plug. I was so frustrated I didn't want to Ctrl-Alt-Del and play games. I have been reading forums all over the place and I am hoping you can offer me some resolution to this nightmare. Please see below for my log. Once again, any help is greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 2:32:15 PM, on 6/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\documents and settings\shannon valle\local settings\temp\CSe0crO1Y.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\IEHost.exe
C:\WINNT\system32\unles.exe
C:\WINNT\system32\lkikij.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\HistoryKill\histkill.exe
C:\WINNT\system32\ommdlgc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\WINNT\system32\LacY9.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\CpaF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Shannon Valle\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CSe0crO1Y.exe] C:\documents and settings\shannon valle\local settings\temp\CSe0crO1Y.exe
O4 - HKLM\..\Run: [5XTHX7W3PSS@6Y] C:\WINNT\system32\JsqZ.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [uF8f33V] unles.exe
O4 - HKLM\..\Run: [pbqmvmlm] C:\WINNT\system32\lkikij.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ommdlgc] C:\WINNT\system32\ommdlgc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8125.3988194444
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EB2391B-BFFD-4071-ABF5-11772A09DCBC}: NameServer = 24.234.0.5,24.234.0.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EB2391B-BFFD-4071-ABF5-11772A09DCBC}: NameServer = 24.234.0.5,24.234.0.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{5EB2391B-BFFD-4071-ABF5-11772A09DCBC}: NameServer = 24.234.0.5,24.234.0.7

#2 warui (Member, New Member, 3 posts)

Posted 08 June 2004 - 06:55 PM

bump,


I have these phreaking pop-ups that are driving me insane. I used about 9 programs today, and they all continuously find crap. So when I got some of these pop-ups I used HistoryKill's pop-up killer, and I was able to get the address of the domains they were trying to link to. And then I did a whois on them; oddly enough, the whois names all revealed names of individuals in other countries. None of these bastards were businesses in the US. They were all in Panama.

An example:
This log entry below is one of the pig's scumbag domains. A whois lookup gave me the name of:


Domain name: 00Z70AZ77MNSA-00SWJ1ZZPRH.COM

Administrative Contact:
Grupa, Wrangler administrador@wranglergrupa.com
PO Box 87-2944
Zone 7 Panama
Panama City,
PA
+011.5072646127
Technical Contact:
Grupa, Wrangler administrador@wranglergrupa.com
PO Box 87-2944
Zone 7 Panama
Panama City,
PA
+011.5072646127


wranglergroupa.com is not even a site. He just has an index page with an IP for a VPN-access-only server in the US.

I hate to sound like a racist, but I am so sick of 3rd world countries being the "weak" link in the internet's existence.

#3 warui (Member, New Member, 3 posts)

Posted 08 June 2004 - 07:00 PM

So then I look up this domain that is listed on the index page of this Panama scumbag, and look at the freaking results I get:



24.120.181.23

OrgName: Cox Communications Inc.
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US
Comment:
RegDate:
Updated: 2004-05-17

AbuseHandle: IC146-ARIN
AbuseName: Cox Communications, Inc
AbusePhone: +1-404-269-7626
AbuseEmail: abuse@cox.net

AdminHandle: SHACK-ARIN
AdminName: Shackelford, Scott
AdminPhone: +1-404-269-7626
AdminEmail: scott.shackelford@cox.com

TechHandle: WILLI-ARIN
TechName: Williams, Matt
TechPhone: +1-404-269-7626
TechEmail: matt.williams@cox.com

# ARIN WHOIS database, last updated 2004-06-07 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgID: CXA
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US

NetRange: 24.120.0.0 - 24.120.255.255
CIDR: 24.120.0.0/16
NetName: NETBLK-LV-RDC-24-120-0-0
NetHandle: NET-24-120-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS.COX.NET
NameServer: NS.WEST.COX.NET
NameServer: NS.EAST.COX.NET
Comment:
RegDate:
Updated: 2004-02-11

TechHandle: IC146-ARIN
TechName: Cox Communications, Inc
TechPhone: +1-404-269-7626
TechEmail: abuse@cox.net

OrgAbuseHandle: IC146-ARIN
OrgAbuseName: Cox Communications, Inc
OrgAbusePhone: +1-404-269-7626
OrgAbuseEmail: abuse@cox.net

OrgTechHandle: WILLI-ARIN
OrgTechName: Williams, Matt
OrgTechPhone: +1-404-269-7626
OrgTechEmail: matt.williams@cox.com

# ARIN WHOIS database, last updated 2004-06-07 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

#4 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 09 June 2004 - 01:55 PM

You have the Peper trojan, which requires special treatment to put it out of your misery!
Please download and run this uninstaller.

Click on the peperfix link, and download the program. Then go offline, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with HijackThis.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O4 - HKLM\..\Run: [CSe0crO1Y.exe] C:\documents and settings\shannon valle\local settings\temp\CSe0crO1Y.exe
O4 - HKLM\..\Run: [5XTHX7W3PSS@6Y] C:\WINNT\system32\JsqZ.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [uF8f33V] unles.exe
O4 - HKLM\..\Run: [pbqmvmlm] C:\WINNT\system32\lkikij.exe
O4 - HKLM\..\Run: [ommdlgc] C:\WINNT\system32\ommdlgc.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab

Reboot, and delete these files:
C:\documents and settings\shannon valle\local settings\temp\CSe0crO1Y.exe
C:\WINNT\system32\JsqZ.exe
C:\WINNT\system32\IEHost.exe
C:\WINNT\system32\dp-him.exe
unles.exe
C:\WINNT\system32\lkikij.exe
C:\WINNT\system32\ommdlgc.exe
C:\WINNT\system32\SearchBar.htm

These may be hidden files. See HERE for how to show hidden files.

Please post a follow-up HijackThis log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
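To show how the entries dave38 singled out can be picked out of a HijackThis log mechanically, here is an added Python example (not code from the forum, from dave38, or from HijackThis itself) that applies a few defender-side heuristics to lines copied from the log above: a search bar pointing at a local file, a BHO with no file on disk, an autorun target in a Temp folder, an autorun value name that looks machine-generated, and an ActiveX download from a bare IP address. The random-name rule is this example's own heuristic, not a HijackThis feature.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread (constructed excerpt).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [CSe0crO1Y.exe] C:\documents and settings\shannon valle\local settings\temp\CSe0crO1Y.exe
O4 - HKLM\..\Run: [5XTHX7W3PSS@6Y] C:\WINNT\system32\JsqZ.exe
O4 - HKLM\..\Run: [uF8f33V] unles.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")          # "<section> - <body>"
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)             # any ...\Temp\... path component
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?![\w-])")  # URL host is a bare IPv4
RANDOM_NAME_RE = re.compile(r"^\S*\d[A-Za-z]\S*$")  # heuristic: digit followed by a letter, no spaces

def triage_line(line):
    """Return (section, reason) when a HijackThis line trips a heuristic, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "= file://" in body:
        return section, "browser setting points at a local HTML file"
    if section == "O2" and body.endswith("(no file)"):
        return section, "orphaned BHO registration (no file on disk)"
    if section == "O4" and "] " in body:
        name, target = body.split("[", 1)[-1].split("] ", 1)   # "[value name] target"
        if TEMP_RE.search(target):
            return section, "autorun target lives in a Temp directory"
        if RANDOM_NAME_RE.match(name):
            return section, "autorun value name looks machine-generated"
    if section == "O16" and IP_HOST_RE.match(body.rsplit(" - ", 1)[-1]):
        return section, "ActiveX download (DPF) from a bare IP address"
    return None

def triage(log_text):
    """Run triage_line over a whole log; returns a list of (section, reason, line)."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings
```

Calling triage(SAMPLE_LOG) returns six findings; entries such as [Bakra], [Dsi] and [pbqmvmlm] in the full log have no such tell and still need an analyst or a known-good list.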



