Hijacked :-( Logs enclosed

Discussion in 'adware, spyware & hijack cleaning' started by debeast, Jun 21, 2004.

Thread Status:
Not open for further replies.
  1. debeast

    debeast Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    2
    Managed to avoid most hijackings, so I've been got by a 1/2 decent one.
    Spybot/Adaware don't spot it!!!!

    Here's the Find-All log:

    --==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

    »»»»»»Find-All recent updates:»»»»»»
    *Size of Windows key
    *Winlogon\notify
    *UserInit value
    *Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
    *Versions of major keys and windows files
    *list of active services and drivers (\'FilesList')
    *Note:
    If using 'Find-All' to clean, be sure to include the link to your
    post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
    *Note: Reg backup restore will not work if current user
    doesn't have 'Admin privileges'! (view »»Group/user section)


    Mon Jun 21 09:22:28 2004 -- ++Results:
    »»System Info:

    Microsoft Windows XP [Version 5.1.2600]
    'Find-All' is running from Drive:
    C: "" (8410:33EC) - FS:NTFS clusters:4k
    Total: 163 913 347 072 [153G] - Free: 151 866 929 152 [141G]


    »»IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    --a-- W32i APP ENU 6.0.2800.1106 shp 91,136 03-31-2003 iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

    »»Google:

    »»UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    »»Wmplayer version:
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
    --a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe
    6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
    --a-- W32i APP ENU 6.4.9.1125 shp 4,639 03-31-2003 mplayer2.exe

    »»M$Java version:

    »»NotePad(s) version(s):
    5.1.2600.0 C:\WINDOWS\notepad.exe
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 03-31-2003 notepad.exe
    5.1.2600.0 C:\WINDOWS\System32\notepad.exe
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 03-31-2003 notepad.exe

    »» Regedit* version(s):
    5.1.2600.1106 C:\WINDOWS\regedit.exe
    --a-- W32i APP ENU 5.1.2600.1106 shp 134,144 03-31-2003 regedit.exe
    5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
    --a-- W32i APP ENU 5.1.2600.0 shp 3,584 03-31-2003 regedt32.exe


    »»PC uptime:
    9:22am up 0 days, 0:56

    »»Locked or 'Suspect' file(s) found...

    »»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
    Files listed in this section (in System32) are not always definitive!
    Always Double Check and be sure the file pointed doesn't exist!

    »»Tasks (services):
    0 System Process
    4 System
    680 smss.exe
    752 csrss.exe Title:
    776 winlogon.exe Title: NetDDE Agent
    820 services.exe Svcs: Eventlog,PlugPlay
    832 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
    984 ati2evxx.exe Svcs: Ati HotKey Poller
    1008 svchost.exe Svcs: RpcSs
    1104 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem, FastUserSwitchingCompatibility,helpsvc,Iprip,lanmanserver, lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule, seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService, Themes,TrkWks,uploadmgr
    1332 svchost.exe Svcs: Dnscache
    1376 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
    1560 ati2evxx.exe Title: ATI video bios poller client
    1612 explorer.exe Title: Program Manager
    1712 spoolsv.exe Svcs: Spooler
    1884 sstray.exe Title: nForce Tray Options
    1904 atiptaxx.exe Title: DIEmWin
    1912 DAP.exe Title: 86% 1160-Eszter_Toilet_Mouth01-768K.wmv - Download Accelerator Plus
    1940 PDVDServ.exe Title: CL RC Engine2 Dummy Winidow
    1964 iTunesHelper.exeiTunes HelperTitle: iTunes Helper
    1980 qttask.exe Title: QTPlayer Tray Icon
    1992 realsched.exe Title: Notification Wnd for RNAdmin
    1996 EM_EXEC.EXE Title: Logitech GetMessage Hook
    2004 SETI@home.exe Title: SETI@Home Client
    324 avgserv.exe Svcs: AvgServ
    456 kpf4ss.exe Svcs: KPF4
    520 tcpsvcs.exe Svcs: SimpTcp
    540 snmp.exe Svcs: SNMP
    664 kpf4gui.exe Title: Kerio Personal Firewall Alert
    1128 kpf4gui.exe Title: KPF4MainWindow
    1532 iPodService.exe Svcs: iPodService
    2168 msmsgs.exe Title:
    3236 TeaTimer.exe Title: Spybot-S&D Resident
    2532 avgcc32.exe Title:
    3888 IEXPLORE.EXE Title: Wilders Security Forums - View Single Post - CWS Variants - Microsoft Internet Explorer
    4052 wmplayer.exe Title: Windows Media Player
    3316 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
    2972 ntvdm.exe
    2776 tlist.exe
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM




    »»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

    »»Winlogon\notify:

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 6134

    »»UserInit value:

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

    5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
    --a-- W32i APP ENU 5.1.2600.1106 shp 22,016 03-31-2003 userinit.exe

    »»Group/user settings:


    User: [ALPHA\Nathan], is a member of:

    BUILTIN\Administrators
    \Everyone

    User is a member of group ALPHA\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »»ACLs list:
    C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    ALPHA\Nathan:F
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Users:(OI)(CI)R
    BUILTIN\Users:(CI)(special access:)

    FILE_APPEND_DATA

    BUILTIN\Users:(CI)(special access:)

    FILE_WRITE_DATA


    ERROR: There are no more files.


    »»File(s) in 'junkxxx' folder:

    »»Md5sums

    MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
    Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/


    0 bytes, 0 ms = 0.00 MB/sec

    »»hosts file:
    A R C:\WINDOWS\System32\Drivers\etc\hosts
    -ra-- - - - - - 734 03-31-2003 hosts
    ------
    »»Rehash:

    »Strings found:

    Mon Jun 21 09:22:44 2004 -- ++Find-All backups:
    A C:\FindallwinBackup.hiv
    --a-- - - - - - 8,192 06-21-2004 findallwinbackup.hiv
    A C:\findallappinit.reg
    --a-- - - - - - 632 06-21-2004 findallappinit.reg
    A C:\Find-All\Find-All\winBackup.hiv
    A C:\Find-All\Find-All\Fileslist\copyhosts.txt
    A C:\Find-All\Find-All\Fileslist\drivers.txt
    A C:\Find-All\Find-All\Fileslist\modules.txt
    A C:\Find-All\Find-All\Fileslist\services.txt
    A C:\Find-All\Find-All\Fileslist\windows.txt

    ***Next Registry run should open this key directly:

    ! REG.EXE VERSION 2.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
    LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    And here's my HijackThis log; wasn't sure which was more useful:

    Logfile of HijackThis v1.97.7
    Scan saved at 09:37:25, on 21/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\SETI@home\SETI@home.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Nathan\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{24C4CE00-3BCF-4655-A80B-EA154C24C96C}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{24C4CE00-3BCF-4655-A80B-EA154C24C96C}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{24C4CE00-3BCF-4655-A80B-EA154C24C96C}: NameServer = 192.168.0.1

    Basically, can you spot the dodgy file o_O?

    Thanks ppl
     
    Last edited by a moderator: Jun 21, 2004
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can't see any obvious hijacks in either log.

    Can you give a few details about the hijack?

    Where are you diverted to?

    Do you get pop-ups, or what are the EXACT symptoms?
     
  3. debeast

    debeast Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    2
    Lots of pop-ups :-(

    Constantly ........ v annoying, mostly trying to give me a free ringtone.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    In that case I suspect a zestyfind/vx2 BI hijack.

    Try this please:

    Click Here to download the VX2BetterInternet.exe FINDER & KILLER.

    1: Shut off all open programs including printer and anything in the System Tray (virus scan, popup blocker, etc.).
    2: Doubleclick the VX2BetterInternet.exe to launch the utility.
    3: Click on the “Find VX2.BetterInternet” button. The utility will display the bugs if they’re there. Post that log.
     