
Hijacked!


6 replies to this topic

#1 tigre (Members, 25 posts)

Posted 25 April 2005 - 08:27 PM

Here we go: I have come home today to find my browser has been hijacked (My roomie likes to "click" things). After a brief examination I discovered that my homepage had been changed from MSN.com to www.qfind.net and when IE is opened none of the toolbars or file options are there. I have a little yellow triangle with an exclamation mark flashing in the bottom right corner which keeps opening up to inform me there is spyware... DUH! On reboot there are 2 ads that pop up and now Windows Messenger has decided to make itself known (never used before).

I did a system scan with Adaware which removed some bleep, then the same with Spybot S&D. I also ran Microsoft's new Antispyware Beta which reported nothing. Next I ran a virus scan with PC-Cillin which came up with several intruders as well as 2 unfixable trojans. I have gone through my System32 folder and found 3 files which came in today:

intmonp.exe
msole32.exe (this would be the yellow triangle)
vhkbjtb.exe (PC-Cillin says this is the virus TROJ_RANCK.E)

Below you will find my HijackThis log. I really hope this will be easy because not only do I have this going on... XP is not agreeing with my ethernet card and my printer died on the weekend. Thanks in advance.

Tigre



Logfile of HijackThis v1.99.1
Scan saved at 5:14:20 PM, on 4/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\msole32.exe
E:\WINDOWS\popuper.exe
E:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
E:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\firewall.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\intmonp.exe
E:\Program Files\Netropa\One-touch Multimedia Keyboard\KEYBDMGR.EXE
E:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
E:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\WINDOWS\System32\zboxjywr.exe
E:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - E:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [msnappau] "E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Keyboard Manager] E:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Windows Network Firewall] E:\WINDOWS\System32\firewall.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger] E:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113447504841
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - E:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



#2 tigre (Topic Starter)

Posted 25 April 2005 - 08:38 PM

One more thing...have lost the t and y on my keyboard intermittently

#3 Grinler (Lawrence Abrams, Admin)

Posted 26 April 2005 - 12:08 AM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

E:\WINDOWS\System32\msmsgs.exe
E:\WINDOWS\System32\intmonp.exe
E:\WINDOWS\System32\zboxjywr.exe
E:\WINDOWS\popuper.exe
E:\WINDOWS\System32\msole32.exe

To copy the files simply navigate to the directory they are in, right click on the file name, and then click on the copy option. Now go back to the c:\submit folder, right click in the folder and select the paste option.

Once the files are all copied zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a Compressed folder. You will now see a file called yourmembername.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that.

When the files are zipped, go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields, browse to the file you are submitting, and finally click on the Send File button.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
O4 - HKLM\..\Run: [Windows Network Firewall] E:\WINDOWS\System32\firewall.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSN Messenger] E:\WINDOWS\System32\msmsgs.exe

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):


E:\WINDOWS\System32\firewall.exe
E:\WINDOWS\System32\msmsgs.exe

Reboot your computer to go back to normal mode.

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the mark all button.

6. Press the OK button.

7. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

8. Post a copy of the log as a reply to this post along with a new HijackThis log.
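The entries Grinler singles out above (the R0/R1 lines pointing at qfind.net, and the O4 autoruns of firewall.exe and of an msmsgs.exe sitting in System32 while the genuine one in the first log runs from Program Files\Messenger) can be picked out mechanically. The script below is an added Python example, not part of this thread and not a HijackThis feature: the hijacker-domain list, the suspect-name list and the expected Windows Messenger directory are constructed reference data, and the sample lines reproduce the format of the posted log.

```python
import re
from urllib.parse import urlparse
# Constructed sample in HijackThis v1.99.1 line format, mirroring entries from the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
O4 - HKLM\..\Run: [Windows Network Firewall] E:\WINDOWS\System32\firewall.exe
O4 - HKLM\..\Run: [MSN Messenger] E:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
"""
# Reference data below is an assumption of this example; HijackThis itself ships no such lists.
HIJACK_DOMAINS = {"qfind.net"}                      # start/search hijacker named in this thread
SUSPECT_SYSTEM32 = {"firewall.exe", "intmonp.exe"}  # names with no genuine Windows binary in System32
EXPECTED_DIR = {"msmsgs.exe": "\\program files\\messenger\\"}  # where real Windows Messenger lives
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r'^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>.+?\.exe)"?(?:\s.*)?$', re.I)

def parse_line(line):
    # Returns a dict for R0/R1 and O4 entries, None for anything the checks do not cover.
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):          # IE start page / search settings: "<regkey> = <url>"
        key, _, url = body.partition(" = ")
        return {"section": sec, "key": key, "url": url}
    m4 = O4_RE.match(body) if sec == "O4" else None   # autorun entry: "[name] <exe> [args]"
    return {"section": sec, "name": m4.group("name"), "path": m4.group("path")} if m4 else None

def flag_entry(entry):
    # Returns a reason string when the entry matches a hijack pattern, otherwise None.
    if "url" in entry:
        host = (urlparse(entry["url"]).hostname or "").lower().removeprefix("www.")
        if host in HIJACK_DOMAINS:
            return f"IE start/search setting points at hijacker domain {host}"
    elif "path" in entry:
        path = entry["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path and name in SUSPECT_SYSTEM32:
            return f"autorun of unexpected System32 binary {name}"
        if name in EXPECTED_DIR and EXPECTED_DIR[name] not in path:
            return f"{name} autorun from an unexpected directory (decoy using a known program name)"
    return None

def flag_log(text):
    # Every flagged line paired with its reason, in log order; clean and unparsed lines are dropped.
    pairs = ((l.strip(), flag_entry(parse_line(l) or {})) for l in text.splitlines())
    return [(l, why) for l, why in pairs if why]
```

Run on the sample it reports the two qfind.net settings and the two System32 autoruns while leaving the MSN search bar, the Program Files copy of msmsgs.exe and QuickTime alone.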

#4 tigre (Topic Starter)

Posted 28 April 2005 - 10:52 AM

First I would like to say thank you to Grinler for your time. Unfortunately I completely lost internet access shortly after the prob and wasn't able to use the info provided. A tech friend ended up sorting out most of the problems and we'll get the rest this weekend. This whole thing was apparently the result of a new and very dangerous virus (TROJ_RANCK.E and popuper.exe) which I'll detail in a new post under the IE category. Thanks again.

Edited by tigre, 28 April 2005 - 10:55 AM.


#5 Grinler (Lawrence Abrams, Admin)

Posted 28 April 2005 - 03:47 PM

OK, sounds good then. I am going to close this topic. Can you please provide me with a link to the information about this virus that you used?

#6 tigre (Topic Starter)

Posted 28 April 2005 - 04:57 PM

Sorry for taking up your valuable time but I really appreciate it. Tech guy will be back with the disks in a couple of days so we can reload IE and I'll get exact info from him to send you. Just wanted to add on that the TROJ_RANCK.E, apparently, has been around since February and PC-Cillin cleaned it in one instance (it showed 2 infections) but in the 2nd was unable to do anything about it. Possibly an alias file name? Thanks again, Grinler.

Tigre

#7 Grinler (Lawrence Abrams, Admin)

Posted 28 April 2005 - 09:57 PM

Who knows... may be a new variant that has similar properties as Ranck.E so is being picked up as that.



