help please browser hijack
Kris

08/30/04
Logfile of HijackThis v1.98.0
Scan saved at 16:43:44, on 30-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\t1n7utmizdfmmj.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hj6rwo0non8r4.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\t1n7utmizdfmmj.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game13.zylomgames.com/activex/zylomloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CCS\Services\Tcpip\..\{58AF539C-975B-47C1-A094-21D86B26E7DA}: NameServer = 213.51.144.168,213.51.129.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE80EB5B-5460-444B-B068-B7384E282E52}: NameServer = 213.51.144.168,213.51.129.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O20 - AppInit_DLLs: i1gfotd6j0zs.tlb fvs8jg5r0wb.tlb

This is my log. I have a browser hijack with pop-ups... The name of the browser hijack is "Search for..." and this is the URL: http://296f8.ilxt.info/index.php?aid=20009

Please help me...

Mark

08/30/04
help please browser hijack
Hey Kris; that's a Coolweb infection, which is very sticky indeed. Please download this tool: CWShredder (but don't run it just yet...).

Fire up Task Manager (press CTRL+ALT+DEL), "Processes" tab, and END this process:

t1n7utmizdfmmj.exe

Now, have ONLY HijackThis! running, and check to fix these entries (then click on "Fix checked"):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hj6rwo0non8r4.dll

O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\t1n7utmizdfmmj.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game13.zylomgames.com/activex/zylomloader.cab

O20 - AppInit_DLLs: i1gfotd6j0zs.tlb fvs8jg5r0wb.tlb

Ok, now you can run CWShredder (click on "Fix"). Reboot once done.

You need the new version of HijackThis! (1.98.2), so delete the old one and install the new version in the same "sweepers" folder as before. Scan with it and post a new log. Good luck!
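The entries Mark picks out of the log all share signals a scanner can check for: a start page pointing at a host the user never chose, an unnamed BHO, Run keys that launch a binary with a machine-generated name or that unregister a DLL at every logon, and a non-empty AppInit_DLLs value (which Windows injects into every process that loads user32.dll). The Python below is an added example for this thread, not code from the forum or from the HijackThis project: it parses HijackThis log lines and reports those signals. The two log excerpts are copied from Kris's first post and from the clean follow-up log posted after the fix; the trusted-host list is an assumption, and the random-name test is a heuristic, not a signature. Mark also had the Zylom O16 entry removed; that is a judgment about an unwanted download control rather than something a name rule can decide, so the script leaves O16 lines alone.

```python
"""Flag the HijackThis entries Mark singled out, from the log text alone.

Added example for this thread; not code from the forum or from HijackThis.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: hosts the user knowingly set as start/search page.
# Any R0/R1 line pointing elsewhere is reported for review.
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com"}

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Constructed excerpt of the first log Kris posted (only lines the rules look at).
INFECTED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hj6rwo0non8r4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\t1n7utmizdfmmj.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: i1gfotd6j0zs.tlb fvs8jg5r0wb.tlb
"""

# Constructed excerpt of the follow-up log after the fix; no R0/O2/O20 lines remain.
CLEAN_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
"""


def looks_random(stem):
    """Heuristic for generated names such as t1n7utmizdfmmj: letters and digits
    interleaved at least three times in a name of 8+ characters. Names with a
    single trailing version number (Office10, ati2evxx) stay below the bar."""
    stem = stem.lower()
    if len(stem) < 8 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    runs = re.findall(r"[a-z]+|[0-9]+", stem)
    return len(runs) - 1 >= 3


def first_token(cmd):
    """Executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def stem_of(path):
    """File name without directory or extension."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def scan(log_text):
    """Return (log line, reason) pairs for entries worth ticking in HijackThis."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if host not in TRUSTED_START_HOSTS:
                findings.append((line, f"start/search page points at untrusted host {host}"))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and (b.group("desc") == "(no name)" or looks_random(stem_of(b.group("path")))):
                findings.append((line, "unnamed or random-named BHO loaded into Internet Explorer"))
        elif kind == "O4":
            r = RUN_RE.search(body)
            if not r:
                continue  # Global Startup .lnk lines are not checked here
            exe = stem_of(first_token(r.group("cmd")))
            if looks_random(exe):
                findings.append((line, f"Run entry launches random-named binary {exe}"))
            elif exe.lower() == "regsvr32" and "/u" in r.group("cmd").split():
                findings.append((line, "Run entry unregisters a DLL at every logon; not a normal startup task"))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append((line, f"AppInit_DLLs injects {len(dlls)} module(s) into every user32 process"))
    return findings


if __name__ == "__main__":
    for entry, reason in scan(INFECTED_LOG):
        print(f"{reason}\n    {entry}")
    print("clean log findings:", scan(CLEAN_LOG))
```

Run against the first excerpt it reports the R0, O2, both suspicious O4 lines and the O20 line, which is exactly Mark's list minus the O16 judgment call; run against the clean excerpt it reports nothing. The name heuristic is deliberately conservative (it needs three letter/digit alternations), so a single odd file name is a prompt to look at the file's properties and signer, not a verdict.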

kris

08/30/04
help please browser hijack
Logfile of HijackThis v1.98.0
Scan saved at 0:40:26, on 31-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CCS\Services\Tcpip\..\{58AF539C-975B-47C1-A094-21D86B26E7DA}: NameServer = 213.51.144.168,213.51.129.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE80EB5B-5460-444B-B068-B7384E282E52}: NameServer = 213.51.144.168,213.51.129.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl

That is the new log.

I did what you said and I think it is gone :D

kris

08/30/04
help please browser hijack
Only the CTRL part: I could not find the thing :P, the .exe
Mark

08/30/04
help please browser hijack
No problem Kris, all appears to be good from here. Why you couldn't find that process is a mystery to me as well... but it's gone, so good riddance!

You download and run Ad-Aware SE - Personal on a regular basis (don't forget to update it before scanning...). Good instructions on how to set it up for max. cleaning power here: Ad-Aware tutorial.

Another great free tool for prevention (not a cleaner): SpywareBlaster.

Safe surfing, dude!

Mark

08/30/04
help please browser hijack
Ooopsss... I usually don't like to give orders...

Make that : "You should download and run Ad-Aware..."

kris

08/31/04
help please browser hijack
I have Spy Sweeper and Ad-Aware.
Mark

08/31/04
help please browser hijack
Everything OK with the box?
box ??

08/31/04
help please browser hijack
Why box?
Mark

08/31/04
help please browser hijack
I was just asking if everything was ok with your computer (I call it a box...)
kris

08/31/04
help please browser hijack
Of course.
Mark

08/31/04
help please browser hijack
OK then, we're done here!

This thread is now closed.

© Copyright 1998-2004 Newbie dot Org -- All rights reserved --