Weird sort of hijacking and redirecting I have encountered

Discussion in 'adware, spyware & hijack cleaning' started by Zidane, Nov 24, 2003.

Thread Status:
Not open for further replies.
  1. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    I have encountered a weird sort of hijacking or what is it - one Australian guy sent me a web address to a gallery of pics, I tried to open it - oops, paypage... there appeared "NOCREDITCARD.COM" and I had to select what sort of net connection I have... :eek:

    So I told the Australian about that and asked him if he is a member of that page - he answered that it is NO PAYPAGE and he can see the pics directly and thought I am BS-ing, there started a flamewar on the forum he posted the address at, some people defended him saying they can access the page all right, some people defended me saying they see only a gate to some paypage, so the Australian guy didn't know what is going on and tried to give us, who had the redirecting problems, his proxy server IP address - and when I was connecting to the page through his proxy - everything was all right and I went to the page he said I have to see... then I returned my provider's proxy - and the redirecting to the paypage started again, I turned off the proxy in Internet tools and tried to get there with my IP directly - redirected... weird o_O

    So I started experimenting with connecting through various proxies and found this: I am from Czech Republic and when I was connecting through Czech proxies - redirected to the Czech version of NOCREDITCARD paypage... when I tried to connect through Polish proxy server - redirected to the Polish version of NOCREDITCARD... when I tried some German servers, redirected to some other paypage, not NOCREDITCARD, but still redirected... and when I tried Netherlands proxies or Slovak proxies - everything was all right, I could get to the desired page... what is this all about? o_O

    So I found out that the problem probably exists somewhere at the point all the connections of the country go through... I don't know if it is called the DNS server or what, but you know what I mean, don't you? Some point all the connection through this country's servers go through - here was my surfing probably hijacked and redirected... if I found the "right country - clean country" - everything all right :) so it is clear it has nothing to do with spies in my comp, the problem has to be somewhere else...

    Can you inform me what causes the problem and if there is any other resolution than finding the "right country" proxy server and hiding behind it o_O What is this weird hijacking and redirecting about? o_O
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Zidane,

    Can you see if this makes any sense:
    http://www.pestpatrol.com/PestInfo/n/nocreditcard_dialer.asp

    Two related ActiveX elements I often find in logs are:
    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.com/downl...LAccess1040.cab

    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.net/downl...GHTMLDialer.cab

    Hope this helps a bit,

    Pieter
     
  3. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    If I understand right, this can be the problem:

    Some dialers connect to local Internet Service Providers and are beneficial as configured.

    If I got it right, the dialer is not in my computer, but somewhere else, somewhere "on the way" - if it was in my computer, I would be redirected every time I think, but it is not so - when I use e.g. cache.clnet.cz proxy, I am redirected and when I use e.g. 213.81.156.250 proxy, everything is all right, so I think the NOCREDITCARD dialer is not in my computer, but somewhere else, somewhere at the point all the connections made through Czech proxies are going through... cos as I said in the question, if I use e.g. Slovak proxies, I avoid the redirecting - I avoid the dialer taking effect... so I don't know where the dialer is, but I am 99% sure that it is not in my computer...

    I just used my IP and got redirected here: hxxp://network.nocreditcard.net/?login=622315, when I used the proxy 213.81.156.250 - no redirecting, so I just keep using the proxy and no problem I think :)

    My hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:40:39, on 25.11.2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Čisticí programy\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Overnet\overnet.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ICQ\icq.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\ABC~1.ABC\LOCALS~1\Temp\Rar$EX00.343\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mrkvosoft Infernet Exprdel
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.81.156.250:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Mouse Tachometer] C:\Program Files\Mouse Tachometer\Mouse Tachometer.exe --hide
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\Čisticí programy\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = ?
    O4 - Startup: MRU-Blaster Silent Clean.lnk = ?
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CmAVA.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5471875
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11



    disabled the link to nocreditcard
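An added example, not code from this thread or from HijackThis itself: a small Python checker that pulls the O16 DPF, O17 NameServer and R1 ProxyServer lines out of a HijackThis log in the format posted above and flags the two dialer CLSIDs Pieter listed, or any ActiveX download host outside an assumed trusted list. The sample log lines and the trusted-host list are constructed for the example (the sample reuses the truncated URL exactly as it appears in Pieter's post).

```python
import re
from urllib.parse import urlsplit

# The two ActiveX CLSIDs named in Pieter's reply (dialer components).
WATCHLIST_CLSIDS = {
    "{946B0485-8F8C-4C35-A6E7-D2115E3B0B4F}",  # HTMLAccess Class
    "{B843DA96-2B2D-447E-90AB-B92929AA11AF}",  # HTMLDialer Class
}
# Assumed-trusted O16 download hosts; constructed for this example, extend for your own box.
TRUSTED_HOSTS = {"download.macromedia.com", "v4.windowsupdate.microsoft.com"}

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*)\) - (\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)$")

# Constructed sample in the shape of the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.81.156.250:3128
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.com/downl...LAccess1040.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1182CC65-E9A5-4454-AA49-4C171F562834}: NameServer = 213.180.32.2,213.180.32.11
"""


def audit_hijackthis(log_text):
    """Return flagged O16 entries, the DNS servers from O17 lines and any IE proxy setting."""
    findings = {"o16_watchlist": [], "o16_untrusted_host": [], "nameservers": set(), "proxy": None}
    for line in log_text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.group(1).upper(), m.group(2), m.group(3)
            host = urlsplit(url).hostname or ""
            if clsid in WATCHLIST_CLSIDS:          # known dialer component
                findings["o16_watchlist"].append((clsid, name, host))
            elif host not in TRUSTED_HOSTS:        # unknown source of an ActiveX install
                findings["o16_untrusted_host"].append((clsid, name, host))
            continue
        m = O17_RE.match(line)
        if m:                                      # resolvers to compare with the ISP's real ones
            findings["nameservers"].update(ip.strip() for ip in m.group(1).split(","))
            continue
        m = PROXY_RE.match(line)
        if m:                                      # proxy the browser is currently forced through
            findings["proxy"] = m.group(1)
    return findings


if __name__ == "__main__":
    for key, value in audit_hijackthis(SAMPLE_LOG).items():
        print(key, value)
```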
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Zidane,

    This is very strange indeed.

    Could you please IM or mail me the link that triggered all this?

    Regards,

    Pieter
     
  5. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    IM sent :)
     