« previous next »
Pages: [1]

Author Topic: Hijacking problems  (Read 2817 times)

Offline Kholdstare89

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Hijacking problems
« on: August 01, 2004, 04:56:36 PM »
Hello

 I'm having problems with pop-ups appearing whenever I connect to the internet.  They are about revenue services and security.  I can't find out what's going on.  

This is my hijack this log:

Logfile of HijackThis v1.98.0
Scan saved at 6:04:23 PM, on 8/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\PSSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://
R1 - HKCU\Software\Microsoft\Internet Explorer,www = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://psncuc.outhost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psncuc.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://psncuc.outhost.info/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.utluobmykmgyzppgetnpvrm.org/xqF...Bd1t2iODkg.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://psncuc.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O1 - Hosts: 213.159.118.228 collections.inhost.info
O1 - Hosts: 213.159.118.228 collections.inhost2.info
O1 - Hosts: 213.159.118.228 1-se.com
O1 - Hosts: 213.159.118.228 58q.com
O1 - Hosts: 213.159.118.228 aifind.cc
O1 - Hosts: 213.159.118.228 aifind.info
O1 - Hosts: 213.159.118.228 allneedsearch.com
O1 - Hosts: 213.159.118.228 approvedlinks.com
O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
O1 - Hosts: 213.159.118.228 awebfind.biz
O1 - Hosts: 213.159.118.228 best.royalsearch.net
O1 - Hosts: 213.159.118.228 cracks.am
O1 - Hosts: 213.159.118.228 default-homepage-network.com
O1 - Hosts: 213.159.118.228 find.microgirls.com
O1 - Hosts: 213.159.118.228 find4u.net
O1 - Hosts: 213.159.118.228 freshvideogals.com
O1 - Hosts: 213.159.118.228 i-lookup.com
O1 - Hosts: 213.159.118.228 ie-search.com
O1 - Hosts: 213.159.118.228 in.webcounter.cc
O1 - Hosts: 213.159.118.228 itseasy.us
O1 - Hosts: 213.159.118.228 just.find-itnow.com
O1 - Hosts: 213.159.118.228 link.startmake.com
O1 - Hosts: 213.159.118.228 mysearchnow.com
O1 - Hosts: 213.159.118.228 nativehardcore.com
O1 - Hosts: 213.159.118.228 qwertysearch123.biz
O1 - Hosts: 213.159.118.228 search.ieplugin.com
O1 - Hosts: 213.159.118.228 search.psn.cn
O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.159.118.228 searchcentrix.com
O1 - Hosts: 213.159.118.228 searchmyrequest.com
O1 - Hosts: 213.159.118.228 super-spider.com
O1 - Hosts: 213.159.118.228 t.rack.cc
O1 - Hosts: 213.159.118.228 teen-biz.com
O1 - Hosts: 213.159.118.228 teenhqpics.com
O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
O1 - Hosts: 213.159.118.228 webcoolsearch.com
O1 - Hosts: 213.159.118.228 wmmse.com
O1 - Hosts: 213.159.118.228 www.008i.com
O1 - Hosts: 213.159.118.228 www.2fastsearch.net
O1 - Hosts: 213.159.118.228 www.8095.com
O1 - Hosts: 213.159.118.228 www.alfa-search.com
O1 - Hosts: 213.159.118.228 www.boredlife.com
O1 - Hosts: 213.159.118.228 www.couldnotfind.com
O1 - Hosts: 213.159.118.228 www.cracks.am
O1 - Hosts: 213.159.118.228 www.daum.net
O1 - Hosts: 213.159.118.228 www.dreamwiz.com
O1 - Hosts: 213.159.118.228 www.find-itnow.com
O1 - Hosts: 213.159.118.228 www.find-itnow.com
O1 - Hosts: 213.159.118.228 www.find4u.net
O1 - Hosts: 213.159.118.228 www.firstbookmark.com
O1 - Hosts: 213.159.118.228 www.gajai.com
O1 - Hosts: 213.159.118.228 www.hand-book.com
O1 - Hosts: 213.159.118.228 www.hao123.com
O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
O1 - Hosts: 213.159.118.228 www.hugesearch.net
O1 - Hosts: 213.159.118.228 www.iquicksearch.com
O1 - Hosts: 213.159.118.228 www.lookfor.cc
O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
O1 - Hosts: 213.159.118.228 www.naver.com
O1 - Hosts: 213.159.118.228 www.nkvd.us
O1 - Hosts: 213.159.118.228 www.nova[censored].com
O1 - Hosts: 213.159.118.228 www.ohcorea.com
O1 - Hosts: 213.159.118.228 www.omega-search.com
O1 - Hosts: 213.159.118.228 www.onet.pl
O1 - Hosts: 213.159.118.228 www.power-search.info
O1 - Hosts: 213.159.118.228 www.rightfinder.net
O1 - Hosts: 213.159.118.228 www.search-1.net
O1 - Hosts: 213.159.118.228 www.search-and-go.com
O1 - Hosts: 213.159.118.228 www.search-dot.com
O1 - Hosts: 213.159.118.228 www.search-space.com
O1 - Hosts: 213.159.118.228 www.searchforge.com
O1 - Hosts: 213.159.118.228 www.searching-the-net.com
O1 - Hosts: 213.159.118.228 www.searchv.com
O1 - Hosts: 213.159.118.228 www.searchxl.com
O1 - Hosts: 213.159.118.228 www.seznam.cz
O1 - Hosts: 213.159.118.228 www.slotch.com
O1 - Hosts: 213.159.118.228 www.spidersearch.com
O1 - Hosts: 213.159.118.228 www.startium.com
O1 - Hosts: 213.159.118.228 www.therealsearch.com
O1 - Hosts: 213.159.118.228 www.ttjj.com
O1 - Hosts: 213.159.118.228 www.viewpornkey.com
O1 - Hosts: 213.159.118.228 www.wazzupnet.com
O1 - Hosts: 213.159.118.228 www.websearch.com
O1 - Hosts: 213.159.118.228 www.windowws.cc
O1 - Hosts: 213.159.118.228 www.xgmm.com
O1 - Hosts: 213.159.118.228 xwebsearch.biz
O1 - Hosts: 213.159.118.228 yourbookmarks.ws
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {D3E4C7CC-02E5-13E0-C8AF-150292CA9E1B} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IDE Loader] C:\WINDOWS\IDElibr32.exe
O4 - HKLM\..\Run: [The Ping] C:\PROGRA~1\LOCKSI~1\Pure Bias Poll.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\APP\TANGOM~1.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\APPLICATION DATA\SVHOST.EXE -sr -1
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [STOPzilla] "c:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKLM\..\Run: [Saveidolreadmeface] C:\WINDOWS\Profiles\Super Saiyan 3\Application Data\owns coal save idol\Download body.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AnVir Virus Destroyer] "C:\Program Files\AnVir Virus Destroyer\AnVir.exe" Minimized
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\APPLICATION DATA\SVHOST.EXE -sr -1
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O19 - User stylesheet: C:\WINDOWS\system\krexnp.7eb

Thanks in advance for any help!
Logged

Another victim

  • Guest
Hijacking problems
« Reply #1 on: August 09, 2004, 04:59:21 AM »
Hi there,

You are being bugged by HackerDefender (HXDEF), a rootkit virus. This is a very bad situation http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' /> .You'll notice some programs shutting down irrationaly.

HXDEF replaces some processes in your system with its own infected processes. So when you try to get an impression of the running processes it will show only those you are supposed to see. Once ativated it hides totally from you and can only be removed with very minitiuos action. Depending on your situation you must decide which action to take:
- If your system is very exhaustive and takes a long time to reinstall from scratch then visit bagpuss.swan.ac.uk/comms/hxdef.htm to get an idea of how to start with cleaning your system.
- If your system is not that specific it will probably be much easier to format and reinstall your system.

Bye
Logged

Koen De Vuyst

  • Guest
Hijacking problems
« Reply #2 on: September 08, 2004, 02:26:49 AM »
Don't worry, here is the solution.  It took me one week to find a descent solution on the net so here it is...  It worked for me!

Click Start, click Run, then type cmd
Then click OK
From the "command prompt" type
NET STOP HACKERDEFENDER100 (then press Enter) Note: (that's) NET<space>STOP<space>HACKERDEFENDER100
If successful you should see: (wait 30 seconds or so)
"The service is not responding to the control function"

See if "winunins.ini" exists and open in Notepad
Paste the contents of "winunins.ini".
Place the file on your Desktop.

->-> What follows next, is the contents of a winunins,ini file <-<-
----------------------------------------------
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINDOWS\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]
-----------------------------------------------------------
Next:
Reboot your computer into "Safe" mode.
Enable "Show all files and folders", including "hidden" and "system"
Locate and delete the following:

hxdefdrv.sys
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe (not "svchost.exe")
trj4j6js.exe
ddd.exe

Run Regedit and search for all instances of "HackerDefenderDrv100" (No Quotes!)
->-> probably, also, HackerDefender100 - from above?! <-<-
Highlight and delete all references found.
Search the entire registry until you receive the message - "Completed Search".
Then, do the same steps for all of the files listed above.

Note: If you cannot delete the registry keys (Access Denied)
then Right-click key and click Permissions.. Set Full Control to Allow everyone rights


While still in Safe Mode: Run a full system scan with McAfee (or your Anti-virus utility)
Restart normally and post a fresh HijackThis log.

Note: if for some reason "hxdefdrv.sys" seems to be running again in Safe Mode,
repeat the "net stop" command again and then delete the files.

At this point, a HijackThis scan may not show all the files listed above.

Have HijackThis fix all the "offending" entries.

Reboot your computer.
And, if running Win XP, Clear "System Restore",
Update and run McAfee Anti-virus and/or do an online scan.

Restart your computer and create a new "Restore Point"

Next go to Windows Update and install all the "Critical Updates".
Logged
Pages: [1]
« previous next »