Problems with sandboxer worm /hijack log

hanbets1 · Jun 24, 2004

Please help! Problems with sandboxer worm /hijack log

Pop-up ads from sandboxer keep showing up, even after I have to constantly use ad-aware v6. Problems associated with it include: pop-up ads from sandboxer; hijacking my keyboard and browser, such as changing font sizes on web pages, highlighting things with one click, being unable to switch between open windows, opening links in new windows when they were meant to open in the same. This is such a nuisance and very annoying. I have absolutely no knowledge on changing things involving this. Any help is appreciated. My log for hijackthis is below. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 9:46:34 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SM1BG.EXE
C:\docume~1\jessie\locals~1\temp\wfUi.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\urfuczwg.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\jessie\Application Data\pdta.exe
C:\WINDOWS\System32\wnsintcc.exe
D:\demos\aim.exe
D:\DEMOS\SYSTEM~4\PopupStopper.exe
D:\Digital Imaging\bin\hpobnz08.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Common files\WinTools\WSup.exe
D:\Digital Imaging\bin\hpoevm08.exe
D:\Digital Imaging\Bin\hpoSTS08.exe
D:\demos\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://wsites.tux.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.viplolita.com/home/search.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50094
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wsites.tux.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://wsites.tux.nu
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://wsites.tux.nu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50094
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50094
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 66.230.146.42 gator.com #cooklop
O1 - Hosts: 66.230.146.42 www.gator.com #cooklop
O1 - Hosts: 66.230.146.42 doubleclick.net #cooklop
O1 - Hosts: 66.230.146.42 www.doubleclick.net #cooklop
O1 - Hosts: 66.230.146.42 tripod.com #cooklop
O1 - Hosts: 66.230.146.42 www.tripod.com #cooklop
O1 - Hosts: 66.230.146.42 geocities.com #cooklop
O1 - Hosts: 66.230.146.42 www.geocities.com #cooklop
O1 - Hosts: 66.230.146.42 adultfriendfinder.com #cooklop
O1 - Hosts: 66.230.146.42 www.adultfriendfinder.com #cooklop
O1 - Hosts: 66.230.146.42 cj.com #cooklop
O1 - Hosts: 66.230.146.42 www.cj.com #cooklop
O1 - Hosts: 66.230.146.42 paypopup.com #cooklop
O1 - Hosts: 66.230.146.42 www.paypopup.com #cooklop
O1 - Hosts: 66.230.146.42 worldsex.com #cooklop
O1 - Hosts: 66.230.146.42 www.worldsex.com #cooklop
O1 - Hosts: 66.230.146.42 free6.com #cooklop
O1 - Hosts: 66.230.146.42 trafficmp.com #cooklop
O1 - Hosts: 66.230.146.42 www.trafficmp.com #cooklop
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\demos\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\demos\PnEL.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\demos\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\demos\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [wfUi] C:\docume~1\jessie\locals~1\temp\wfUi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [arnaiasxl] C:\WINDOWS\System32\urfuczwg.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Alcr] C:\Documents and Settings\jessie\Application Data\pdta.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [AIM] D:\demos\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "D:\DEMOS\SYSTEM~4\PopupStopper.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Digital Imaging\bin\hpobnz08.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.arczip.com
O16 - DPF: ChatClient - http://asktheexpert.arczip.com/taw/chat/ChatClient.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud1.sports.yahoo.com/java/y/nbast8268_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb026.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.3dgreetings.com/Plugin/3DGreetings/PlayerX.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://207.74.21.65/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - http://www.talkingbuddy.com/talkingbuddyinstall.exe
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fredmeyer.digitalcameradeveloping.com/upload/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

hanbets1 · Jun 24, 2004

also problems viewing anything from geocities

I also cannot view any pages related to geocities.com. Whenever i type geocities.com, it gives me links to cartoon porn; or if there is a picture that was uploaded to geocities it won't let me view it. I have copied and pasted what the page looks like below when I go to the url geocities.com. I am at a loss on how to fix it. My hijack log is also below. Any help on this is greatly appreciated.

Index of /
Name Last modified Size Description
--------------------------------------------------------------------------------
Parent Directory 05-Jul-2003 19:34 -
01.zip 25-Sep-2001 10:25 1.7M
02.zip 25-Sep-2001 10:52 1.7M
03.zip 25-Sep-2001 11:04 1.6M
04.zip 05-Oct-2001 04:08 1.2M
05.zip 04-Oct-2001 10:44 1.7M
06.zip 05-Oct-2001 03:34 1.6M
3Dgpoupsex/ 10-Oct-2001 18:03 -

duplicate log removed - snap

Log in or Sign up

Problems with sandboxer worm /hijack log

hanbets1 Registered Member

hanbets1 Registered Member

Log in or Sign up

Problems with sandboxer worm /hijack log

hanbets1 Registered Member

hanbets1 Registered Member

Useful Searches