TheTechGuide Forum

General Category => Tech Clinic => Topic started by: AC/DC on April 12, 2005, 04:14:33 PM

Title: Internet Explorer has been ... Hijacked :(
Post by: AC/DC on April 12, 2005, 04:14:33 PM

Currently I have the default firewall turned off , and hijackthis in C:/HiJackThis/HiJackThis.exe

Whenever I open up internet explorer whether to check my e-mail or anytime, another popup always opens with it.
And I have 2~3 .exe that tkaes up 90% of my resources, that appears for 1~2 seconds than disappears so it is hard to delete it (although i did)
and adwatch always picks up nail.exe wanting to change it's reg (i always block) and 2 other things, one that is like a9kash.exe (only approx) and one that starts with d.

Please people HELP me PLEASE!

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\CnxDslTb.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\ko\msnappau.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\windows\system32\vvoijo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Owner\바탕 화면\Stuff\NewsLeecher\newsLeecher.exe
C:\Documents and Settings\Owner\바탕 화면\Stuff\NewsLeecher\newsLeecher.exe
C:\WINDOWS\system32\ap9h4qmo.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Documents and Settings\Owner\바탕 화면\Stuff\Opera75\opera.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nslDF.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\System32\CnxDslTb.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\ko\msnappau.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - java script:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/Hus...ptionEngine.cab (http://\"https://mailserver3.hushmail.com/shared/HushEncryptionEngine.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab (http://\"http://stream1000.babenet.com/cabs/videox.cab\")
O16 - DPF: {2C520C08-1ADA-4CEC-AFFD-D0D1BD268D60} (PDUpdate Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab (http://\"http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab\")
O16 - DPF: {5468A766-6749-4EC5-8F7A-5D47EE8FE646} (ConnectControl Control) - http://www.x2game.com/Control/ConnectControl.Cab (http://\"http://www.x2game.com/Control/ConnectControl.Cab\")
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab (http://\"http://down.hangame.com/dist/activex/HanGamePlugin19.cab\")
O16 - DPF: {6CAC0EF6-CB79-4E2E-9C51-54552448F9E2} (IlvUptMng Control) - http://inlive.co.kr/update/proc/IlvUptMng.cab (http://\"http://inlive.co.kr/update/proc/IlvUptMng.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (PC-cillin HouseCall 컨트롤) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {79419762-2D03-48F8-A63E-0544D95143DE} (AutoPatchOCX Control) - http://www.x2game.com/Control/AutoPatchOCX.cab (http://\"http://www.x2game.com/Control/AutoPatchOCX.cab\")
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail.net/tv/cabs/MyTVInstaller.cab (http://\"http://pimg.hanmail.net/tv/cabs/MyTVInstaller.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab (http://\"http://cafeimg.hanmail.net/cab9/dmcc2.cab\")
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - https://plugin.inicis.com/wallet50/INIwallet50.cab (http://\"https://plugin.inicis.com/wallet50/INIwallet50.cab\")
O16 - DPF: {A8CB6A65-0E60-49A8-A014-40F09BCC38B1} (Upload Control) - http://www.goonzu.com/center/board/Upload.cab (http://\"http://www.goonzu.com/center/board/Upload.cab\")
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Pmang & SayClub Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab (http://\"http://dl.sayclub.com/sayclub/sayctl/sayax.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {E4972AF4-E211-49B9-9267-C693E521AEF0} (DaumGame_Linkman Control) - http://211.172.252.226/launcher/DaumGame_Linkman.cab (http://\"http://211.172.252.226/launcher/DaumGame_Linkman.cab\")
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab (http://\"http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{355DFF4D-5695-45D0-85BA-FB6628EDB4DC}: NameServer = 210.55.12.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F44E3DA-EB28-46DB-B9E4-5E35C25790D7}: NameServer = 210.55.12.1 210.55.12.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Title: Internet Explorer has been ... Hijacked :(
Post by: Brangien on April 13, 2005, 08:46:33 AM

~Removed log~
Please read at the top of the forum the stickie

How to post a Hijackthis log
Thanks
~guestolo~