Problems with sandboxer worm /hijack log

Discussion in 'adware, spyware & hijack cleaning' started by hanbets1, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. hanbets1

    hanbets1 Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    2
    Please help! Problems with sandboxer worm /hijack log

    Pop-up ads from sandboxer keep showing up, even after I have to constantly use ad-aware v6. Problems associated with it include: pop-up ads from sandboxer; hijacking my keyboard and browser, such as changing font sizes on web pages, highlighting things with one click, being unable to switch between open windows, opening links in new windows when they were meant to open in the same. This is such a nuisance and very annoying. I have absolutely no knowledge on changing things involving this. Any help is appreciated. My log for hijackthis is below. Thanks in advance.




    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:34 PM, on 6/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\SM1BG.EXE
    C:\docume~1\jessie\locals~1\temp\wfUi.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\urfuczwg.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Documents and Settings\jessie\Application Data\pdta.exe
    C:\WINDOWS\System32\wnsintcc.exe
    D:\demos\aim.exe
    D:\DEMOS\SYSTEM~4\PopupStopper.exe
    D:\Digital Imaging\bin\hpobnz08.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\Program Files\Common files\WinTools\WSup.exe
    D:\Digital Imaging\bin\hpoevm08.exe
    D:\Digital Imaging\Bin\hpoSTS08.exe
    D:\demos\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://wsites.tux.nu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.viplolita.com/home/search.cgi
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50094
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wsites.tux.nu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://wsites.tux.nu
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://wsites.tux.nu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50094
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50094
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 66.230.146.42 gator.com #cooklop
    O1 - Hosts: 66.230.146.42 www.gator.com #cooklop
    O1 - Hosts: 66.230.146.42 doubleclick.net #cooklop
    O1 - Hosts: 66.230.146.42 www.doubleclick.net #cooklop
    O1 - Hosts: 66.230.146.42 tripod.com #cooklop
    O1 - Hosts: 66.230.146.42 www.tripod.com #cooklop
    O1 - Hosts: 66.230.146.42 geocities.com #cooklop
    O1 - Hosts: 66.230.146.42 www.geocities.com #cooklop
    O1 - Hosts: 66.230.146.42 adultfriendfinder.com #cooklop
    O1 - Hosts: 66.230.146.42 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 66.230.146.42 cj.com #cooklop
    O1 - Hosts: 66.230.146.42 www.cj.com #cooklop
    O1 - Hosts: 66.230.146.42 paypopup.com #cooklop
    O1 - Hosts: 66.230.146.42 www.paypopup.com #cooklop
    O1 - Hosts: 66.230.146.42 worldsex.com #cooklop
    O1 - Hosts: 66.230.146.42 www.worldsex.com #cooklop
    O1 - Hosts: 66.230.146.42 free6.com #cooklop
    O1 - Hosts: 66.230.146.42 trafficmp.com #cooklop
    O1 - Hosts: 66.230.146.42 www.trafficmp.com #cooklop
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\demos\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\demos\PnEL.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\demos\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\demos\PnEL.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [wfUi] C:\docume~1\jessie\locals~1\temp\wfUi.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [arnaiasxl] C:\WINDOWS\System32\urfuczwg.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKCU\..\Run: [Alcr] C:\Documents and Settings\jessie\Application Data\pdta.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
    O4 - HKCU\..\Run: [AIM] D:\demos\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "D:\DEMOS\SYSTEM~4\PopupStopper.exe"
    O4 - Global Startup: hp psc 2000 Series.lnk = D:\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.arczip.com
    O16 - DPF: ChatClient - http://asktheexpert.arczip.com/taw/chat/ChatClient.cab
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! NBA StatTracker - http://aud1.sports.yahoo.com/java/y/nbast8268_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb026.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.3dgreetings.com/Plugin/3DGreetings/PlayerX.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://207.74.21.65/activex/AxisCamControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - http://www.talkingbuddy.com/talkingbuddyinstall.exe
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fredmeyer.digitalcameradeveloping.com/upload/XUpload.ocx
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
     
    Last edited: Jun 24, 2004
  2. hanbets1

    hanbets1 Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    2
    also problems viewing anything from geocities

    I also cannot view any pages related to geocities.com. Whenever i type geocities.com, it gives me links to cartoon porn; or if there is a picture that was uploaded to geocities it won't let me view it. I have copied and pasted what the page looks like below when I go to the url geocities.com. I am at a loss on how to fix it. My hijack log is also below. Any help on this is greatly appreciated.


    Index of /
    Name Last modified Size Description
    --------------------------------------------------------------------------------
    Parent Directory 05-Jul-2003 19:34 -
    01.zip 25-Sep-2001 10:25 1.7M
    02.zip 25-Sep-2001 10:52 1.7M
    03.zip 25-Sep-2001 11:04 1.6M
    04.zip 05-Oct-2001 04:08 1.2M
    05.zip 04-Oct-2001 10:44 1.7M
    06.zip 05-Oct-2001 03:34 1.6M
    3Dgpoupsex/ 10-Oct-2001 18:03 -


    duplicate log removed - snap
     
    Last edited by a moderator: Jun 24, 2004
Thread Status:
Not open for further replies.