Help with website hijacker
3 replies to this topic

#1 adenslayer

adenslayer

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:49 AM

Posted 11 June 2005 - 07:44 PM

I need help, here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 7:42:33 PM, on 06/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\jaoagsj.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\hi\HijackThis.exe
C:\WINDOWS\System32\bootpd.exe
C:\WINDOWS\System32\bootpd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\unylurqxonw.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

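The log above is a textbook hosts-file hijack: roughly a hundred Google country domains all pinned to one routable address (66.180.173.39), so every search request is silently sent to a server the attacker controls. The following script is an added example, not part of this thread or of HijackThis, that parses the O1 (Hosts) lines of a HijackThis log and flags any non-loopback address that many hostnames resolve to. The sample log embedded in it is constructed in the same line shape as the one above; the loopback entries model legitimate ad-blocking hosts entries, which are deliberately not flagged.

```python
"""Audit the O1 (Hosts) lines of a HijackThis log for a hosts-file hijack.

Added example for this thread (not HijackThis code). Entries pointing at a
loopback or blackhole address are the normal ad-blocking use of the hosts
file; several hostnames pinned to one routable address is the hijack pattern.
"""
import re
from collections import defaultdict

# Constructed sample log, same line shape as the HijackThis output above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\\..\\Run: [bootpd.exe] C:\\WINDOWS\\System32\\bootpd.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts_entries(log_text):
    """Return (ip, hostname) pairs from every O1 line; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def find_hijacks(entries, min_hosts=3):
    """Group hostnames by target address and keep the suspicious groups.

    A group is suspicious when its address is not a local sink and at least
    min_hosts names are pinned to it (the threshold is a tunable heuristic).
    """
    by_ip = defaultdict(list)
    for ip, host in entries:
        by_ip[ip].append(host)
    return {
        ip: hosts
        for ip, hosts in by_ip.items()
        if ip not in LOCAL_SINKS and len(hosts) >= min_hosts
    }


def brands_targeted(hosts):
    """Second label of 'www.<brand>.<tld...>' names, to show which sites are affected."""
    brands = set()
    for host in hosts:
        labels = host.split(".")
        if len(labels) >= 3 and labels[0] == "www":
            brands.add(labels[1])
    return sorted(brands)


def report(log_text):
    """Human-readable summary, one line per suspicious target address."""
    lines = []
    for ip, hosts in find_hijacks(parse_hosts_entries(log_text)).items():
        brands = ", ".join(brands_targeted(hosts))
        lines.append(f"{ip}: {len(hosts)} hostnames redirected (brands: {brands})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the full log in this thread, the report collapses the hundred O1 lines into a single line naming the one address and the one brand affected, which is the summary a helper wants before deciding that "Restore Original Hosts" is the right fix.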

#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:49 PM

Posted 12 June 2005 - 09:04 AM

Welcome adenslayer to Bleeping Computer.

Download and unzip http://metallica.geekstogo.com/MADEbyOSC.zip
Run the file by double-clicking metallica.bat
and post the log.
Do not reboot until someone has looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.


Life is what happens while you're making other plans

#3 adenslayer

adenslayer
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:49 AM

Posted 12 June 2005 - 07:53 PM

************************************
**These are the hidden files found**
************************************
Volume in drive C is HP_PAVILION
Volume Serial Number is 1B5A-18F5

Directory of C:\DOCUME~1\KARENN~1\LOCALS~1\Temp

06/04/2005 10:17 PM 50,688 ankfszozybq.dll
06/11/2005 07:22 PM 50,688 xinyjwnatmr.dll
06/04/2005 10:44 PM 50,688 nkhkrwxoxsf.dll
06/11/2005 07:39 PM 50,688 lensrqfwlex.dll
06/11/2005 07:40 PM 50,688 unylurqxonw.dll
06/04/2005 10:46 PM 50,688 uhifixevqfg.dll
06/12/2005 07:52 PM <DIR> Temporary Directory 1 for MADEbyOSC.zip
6 File(s) 304,128 bytes
1 Dir(s) 43,724,308,480 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C is HP_PAVILION
Volume Serial Number is 1B5A-18F5

Directory of C:\DOCUME~1\KARENN~1\LOCALS~1\Temp

06/04/2005 10:17 PM 50,688 ankfszozybq.dll
06/11/2005 07:22 PM 50,688 xinyjwnatmr.dll
06/04/2005 10:44 PM 50,688 nkhkrwxoxsf.dll
06/11/2005 07:39 PM 50,688 lensrqfwlex.dll
06/11/2005 07:40 PM 50,688 unylurqxonw.dll
06/04/2005 10:46 PM 50,688 uhifixevqfg.dll
6 File(s) 304,128 bytes
0 Dir(s) 43,724,308,480 bytes free
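The listing above shows the signal the helper keys on: six DLLs in the user's Temp folder, all exactly 50,688 bytes, each with an eleven-letter pseudo-random name, dropped within days of each other. The script below is an added example, not part of this thread or of the MADEbyOSC batch file, that parses a Windows `dir` listing in that shape and flags clusters of same-size DLLs whose names look machine-generated. The sample listing is constructed; the `setuplog.dll` entry and its size are made up to show an entry that is not flagged, and the vowel-ratio cutoff is a heuristic, not a rule.

```python
"""Flag clusters of same-size, random-named DLLs in a Windows 'dir' listing.

Added example for this thread (not the MADEbyOSC tool's code). The primary
signal is several DLLs sharing one exact size; the name heuristic is
supporting evidence only.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the listing above; setuplog.dll is a
# made-up benign-looking entry included to show what is NOT flagged.
SAMPLE_DIR = """\
 Volume in drive C is HP_PAVILION

 Directory of C:\\DOCUME~1\\KARENN~1\\LOCALS~1\\Temp

06/04/2005 10:17 PM 50,688 ankfszozybq.dll
06/11/2005 07:22 PM 50,688 xinyjwnatmr.dll
06/11/2005 07:40 PM 50,688 unylurqxonw.dll
06/12/2005 07:52 PM <DIR> Temporary Directory 1 for MADEbyOSC.zip
06/10/2005 09:00 AM 12,345 setuplog.dll
 3 File(s) 163,409 bytes
"""

# date, time, size with thousands separators, file name; <DIR> rows do not match.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s[AP]M)\s+([\d,]+)\s+(\S+)$", re.I
)


def parse_dir_listing(text):
    """Return one dict per file row; directory rows and summary lines are skipped."""
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        files.append({
            "date": m.group(1),
            "time": m.group(2),
            "size": int(m.group(3).replace(",", "")),
            "name": m.group(4).lower(),
        })
    return files


def vowel_ratio(stem):
    """Fraction of vowels in a name stem; dictionary-like names sit well above 0.3."""
    if not stem:
        return 0.0
    return sum(c in "aeiou" for c in stem) / len(stem)


def looks_random(name, min_len=8, max_vowel_ratio=0.3):
    """Heuristic: long all-lowercase alphabetic stem with few vowels."""
    stem, _, ext = name.rpartition(".")
    return (
        ext == "dll"
        and stem.isalpha()
        and stem.islower()
        and len(stem) >= min_len
        and vowel_ratio(stem) <= max_vowel_ratio
    )


def suspicious_clusters(files, min_members=2):
    """DLLs grouped by exact size; keep groups with several members and a random-looking name."""
    by_size = defaultdict(list)
    for f in files:
        if f["name"].endswith(".dll"):
            by_size[f["size"]].append(f["name"])
    return {
        size: names
        for size, names in by_size.items()
        if len(names) >= min_members and any(looks_random(n) for n in names)
    }


if __name__ == "__main__":
    for size, names in suspicious_clusters(parse_dir_listing(SAMPLE_DIR)).items():
        print(f"{size} bytes x{len(names)}: {', '.join(names)}")
```

Clustering by exact size is what makes this robust: the names change on every drop, but copies of one dropper payload keep the same byte count, so the same check works whether a given run produces two files or twenty.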

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:49 PM

Posted 13 June 2005 - 03:06 PM

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Download and install APM.
(don't run it yet we will get to that in a minute)

***

Reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

***

Now, start APM.
In the upper window select explorer.exe
In the lower window find and right-click these one by one:

C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\ankfszozybq.dll

C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\lensrqfwlex.dll

C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\nkhkrwxoxsf.dll

C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\uhifixevqfg.dll

C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\unylurqxonw.dll

C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\xinyjwnatmr.dll



For each of the files, select Unload DLL, and click OK on the prompts that follow.

Close APM.

***

Run Killbox.
Select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\bootpd.exe
C:\WINDOWS\system32\scrsvc.exe
C:\WINDOWS\system\jaoagsj.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Reboot the system back to safe mode.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\KARENN~1\LOCALS~1\Temp\unylurqxonw.dll

O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished

***

Still in HijackThis.

Click Config > Misc Tools > Open Uninstall Manager
Select PremiumSearch Startpage and click Delete this entry.

Exit HijackThis.

***

Reboot the system to normal mode.

***

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

***

Download CleanUp!.
If that doesn’t work, use this link.

Go to options
Select ‘custom’
Put a check to:
* empty recycle bins
* delete prefetch files
* CleanUp! All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigham.zen.co.uk/downloads/xphidden.zip

***

Open Windows Explorer.

Move to this folder:
C:\DOCUMENTS AND SETTINGS\KARENN~1\LOCAL SETTINGS\Temp\ [~1 means the name is longer than it can show now]

See if those dll files are gone now. If they are still there, please delete them and let me know.

***

Post back here with a fresh log using HijackThis.

Edited by g2i2r4, 13 June 2005 - 03:06 PM.



Life is what happens while you're making other plans



