
I've been hijacked also, read some of the posts below


muz
I am not real secure going into registry, but will do what's necessary

The hijacker put in a toolbar that's reloading icons and files that I deleted and reloading I-lookup.com as my homepage.

Thank you very much
 
Xemus

I've (well, not me, but Merijn) discovered one major SERIOUS flaw in using the HOSTS file in Windows to block popups/adware, as referenced in the doxdesk links.

It involves an ActiveX control that's been d/l and runs on the local PC as its own web server.
Read this article

This is a clip of text taken from that article:
-------------------------snip---------------------------

More current variants also install a small web server, contained in a file named svchost32.exe. It adds several Google addresses (google.de, google.ch, google.ca, etc.), search.yahoo.com, and search.msn.com to the HOSTS file, telling Windows that the IP address for those sites is 127.0.0.1, which is where its web server is listening.
---------------------------------------------------------

Just wanted to update everyone, if they were unaware....

TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
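The trick Xemus quotes is easy to check for by hand, but easier to script. The block below is an added example for this thread, not code from the article or from Merijn; it parses HOSTS-file text and reports any watched search-engine domain that the file resolves at all, since Google/Yahoo/MSN names have no business being in HOSTS. The watchlist is an assumption (the names the quoted article lists, plus google.com), and the sample HOSTS content is constructed, including a TEST-NET address to show a remote redirect. The point a plain "anything mapped to 127.0.0.1" check misses: an ad-blocking HOSTS file maps hundreds of ad domains to loopback on purpose, so the check has to key on which names are mapped, not on the loopback address itself.

```python
"""Find search-engine domains that a Windows HOSTS file redirects.

Added example for this thread, not code from the quoted article. The
watchlist is an assumption: the names the article says the trojan adds,
plus google.com. Any HOSTS entry for these names is suspect; whether it
points at 127.0.0.1 (fake local web server) or a remote address
(pharming) only changes what you look at next.
"""
import ipaddress
import socket
from typing import List, Tuple

WATCHLIST = (
    "google.com", "google.de", "google.ch", "google.ca",
    "search.yahoo.com", "search.msn.com",
)

# Constructed sample in HOSTS format. On Windows 2000 the real file is
# %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """
# hosts file, comments start with #
127.0.0.1       localhost
::1             localhost
127.0.0.1  ad.doubleclick.net          # typical ad-blocking entry, fine
127.0.0.1  google.de google.ch google.ca
127.0.0.1  search.yahoo.com
127.0.0.1  search.msn.com
203.0.113.9  www.google.com            # remote redirect (TEST-NET address)
this is not a valid line
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; comments, blanks and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # first token is not an address: skip line
            continue
        for name in names:
            yield addr, name.casefold()


def is_watched(hostname: str) -> bool:
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_hijacked(text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (hostname, address, kind) for every watched name in the
    file; kind is 'loopback' (fake local server) or 'remote' (pharming)."""
    hits = set()
    for addr, name in parse_hosts(text):
        if is_watched(name):
            kind = "loopback" if addr.is_loopback else "remote"
            hits.add((name, str(addr), kind))
    return sorted(hits)


def loopback_listener(port: int = 80, timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on 127.0.0.1:port, which is
    what the trojan's svchost32.exe web server would look like from the host."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = find_hijacked(text)
    for name, addr, kind in hits:
        print(f"{kind:8} {addr:16} {name}")
    if any(kind == "loopback" for _, _, kind in hits):
        print("something listening on 127.0.0.1:80:", loopback_listener(80))
```

Run it against the real file (python check_hosts.py C:\WINNT\system32\drivers\etc\hosts) and, if any watched name resolves to loopback, the listener probe tells you whether a local web server is actually answering on port 80, which is the second half of the trojan's setup.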
 
Thanks for the update, though his instructions on using the HOSTS file must be somewhere else on the site, as they were not included in those articles. Following those instructions, running CWShredder, and rechecking HijackThis should clean up the trojan. I don't believe it would be necessary to even open the HOSTS file.

 
You're correct....I don't even run a HOSTS file.
I had read the doxdesk thing and decided to try it (I don't have a popup issue, but I thought I'd give it a go, as one particular site achieves a bothersome pop-under on me, and I thought maybe the pages elsewhere would load faster, as described in how it would work).

I'm a minimalist as far as software running on the box.
I have all my cache cleaned after each session.
Anyway, as far as disabling ActiveX and Java and overall security settings, it's a decent place to direct people.


TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
 
Carr,
I would like to post my log from HijackThis and have someone check it out. I was being hijacked by a site called Best Web Search. I have made the log and saved it; how do I post it for you to see? I'm new at this site.

Thanks,

RL
 
Copy and paste directly into the window.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Carr,

Here is my log, I figured you just paste it.
Logfile of HijackThis v1.97.7
Scan saved at 11:39:45 AM, on 2/4/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\XSM.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\SxgTkBar.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Starfish\TrueSync\tstool.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2003.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AdsGone (HKLM)
O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class)
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD}
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCFC73B0-6FC5-4FFB-84CD-00954240CD7B}: NameServer = 204.127.202.4,216.148.227.68,204.127.202.4

Let me know where the hijacked problems are.

Thanks,
RL
 
Remove these entries, using Hijack This!:

O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe (this one is malware known as LOLAWEB_A; see here:)

O4 - HKCU\..\Run: [Internat.exe] internat.exe
(this one is a result of the NETSNAKE virus; see here:)

After removing these, get a good online virus scan, such as the one offered here:
(Note: You're running Win2k, and this is the Win95/98 forum...but I can't resist a hijack log)
"'Tis an ill wind that blows no minds." - Malaclypse the Younger
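Picking the stcloader and Winhost lines out of a log like RL's is the manual part of a HijackThis review. The block below is an added example for this thread, not HijackThis's own logic or Carr's method: it parses the O4 (autostart) and O17 (DNS server) lines in the log format posted above and applies a triage heuristic of mine. The heuristic, the Windows directory (C:\WINNT, as in the log) and the known-good list are all assumptions; the sample log is a constructed excerpt in the same format. A flagged entry means "look this file up", not "this is malware": droppers tend to land directly in the Windows directory or System32, or register under a bare file name resolved via PATH, whereas installed applications usually sit in their own Program Files folder, so the flagged set is a shorter list to research first.

```python
"""Triage the autostart (O4) and DNS (O17) lines of a HijackThis log.

Added example for this thread, not HijackThis code. Heuristic of my own:
an autostart whose executable is a bare file name or sits directly in
%WINDIR% or System32, and is not on an analyst-supplied known-good list,
is flagged for manual lookup. Flagged means "research it", not "malware".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WINDIR = r"c:\winnt"                            # assumed: Windows 2000, as in the log
SYSTEM_DIRS = {WINDIR, WINDIR + r"\system32"}
KNOWN_GOOD = {"mobsync.exe", "explorer.exe"}    # assumed analyst allowlist, per system

REG_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d.,]+)")

# Constructed excerpt in HijackThis v1.97 log format (sample input only).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCFC73B0-6FC5-4FFB-84CD-00954240CD7B}: NameServer = 204.127.202.4,216.148.227.68
"""


@dataclass
class Autostart:
    source: str            # e.g. HKLM\..\Run or Global Startup
    name: str              # registry value name or .lnk name
    command: str           # full command line as logged
    exe: str               # executable path or bare file name
    flagged: bool
    reason: Optional[str]


def _executable(command: str) -> str:
    """First token of the command line, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _assess(exe: str):
    """Apply the location heuristic; returns (flagged, reason)."""
    base = exe.rsplit("\\", 1)[-1].casefold()
    if base in KNOWN_GOOD:
        return False, None
    if "\\" not in exe:
        return True, "bare file name resolved via PATH, not in known-good list"
    folder = exe.rsplit("\\", 1)[0].casefold()
    if folder in SYSTEM_DIRS:
        return True, "sits directly in %WINDIR% or System32, not in known-good list"
    return False, None


def parse_autostarts(log: str) -> List[Autostart]:
    entries = []
    for line in log.splitlines():
        m = REG_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        source, name, command = m.groups()
        exe = _executable(command)
        flagged, reason = _assess(exe)
        entries.append(Autostart(source, name, command, exe, flagged, reason))
    return entries


def flagged_executables(log: str) -> List[str]:
    return [e.exe for e in parse_autostarts(log) if e.flagged]


def nameservers(log: str) -> List[str]:
    """DNS servers from O17 lines; a hijacker can redirect lookups here too."""
    servers = []
    for line in log.splitlines():
        m = O17_RE.match(line)
        if m:
            servers.extend(s for s in m.group(1).split(",") if s)
    return servers


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for e in parse_autostarts(text):
        mark = "FLAG" if e.flagged else "    "
        print(f"{mark} {e.source:16} [{e.name}] {e.exe}  {e.reason or ''}")
    print("DNS servers:", ", ".join(nameservers(text)))
```

On the sample this flags stcloader.exe and winh.exe (the two Carr called out) together with the bare-name and %WINDIR%-root entries, and leaves the Norton, Adaptec and Office entries alone; anything flagged still needs the usual lookup before it is removed.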
 
Carr,
Thanks, and sorry about the 95/98 thread. This was my first post to Tek-Tips. I am running the scan and it has found so far a Trojan.StartPage virus that it is saying is non-cleanable. I am hoping the scan program will tell me what to do about it.
Thanks again for your help!

RL
 