Attacking Web Sites

2 replies to this topic

#1 cb4f_s

cb4f_s

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 26 January 2006 - 02:02 PM

Hello there,
I have a problem in my system: unwanted websites have been attacking for the past three days, and it is like hell. I have no idea how it happened without my being aware of it. I have done a full virus and spyware scan, but to no use. The worst is when I use this site: http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#HowToUse; websites attacked so many times, as soon as I click anywhere on this site.
Please help me. I am sending the HijackThis report; I have no way to explain more than this.
I hope you can understand my problem.
HijackThis report:
---------------
Logfile of HijackThis v1.99.1
Scan saved at 12:57:25 AM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\1054\taskhelp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\WINDOWS\$ntuninstallkb890859$\svchost32.exe
C:\WINDOWS\$ntuninstallkb893066$\Systemhelp.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\hijak\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://202.144.65.70:8090/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.13:8081
O1 - Hosts: 203.197.24.163 www.citibank.co.in
O1 - Hosts: 210.210.19.82 www.sifymall.com
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 a.tribalfusion.com
O1 - Hosts: 216.93.174.28 ad.yieldmanager.com
O1 - Hosts: 216.93.174.28 b.casalemedia.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 67.15.114.78 pagead2.googlesyndication.com
O1 - Hosts: 67.15.114.79 ypn-js.overture.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [taskhelp] C:\WINDOWS\system32\1054\taskhelp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{430AC692-D764-4950-8BA8-AFAC6E5A4B14}: NameServer = 172.16.2.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF8EFB0-19F6-423F-A316-27254E88CC24}: NameServer = 202.144.95.4,202.144.66.6
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)

Edited by cb4f_s, 26 January 2006 - 02:37 PM.



#2 cb4f_s

cb4f_s
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 28 January 2006 - 01:19 AM

Hello,
My system is having some problems.
When I use Internet Explorer to open a website, I type the website I want and press Enter, and some other unwanted website opens next to the one I typed. On some websites the same problem hits when I put the cursor on them. That happens with
www.bluepingcomputer.com

Those unwanted websites are business related.
I even did a full scan with "WindowsOneCare" and a full spyware scan as well, but no sign of a virus or anything else. But when I scanned with "ScanSpyware", it showed some report, so I am sending that report, and the HijackThis report also. I hope that can help you to help me.
Please help me.

Application Information (ScanSpyware)
=======================

Application Information
=======================

Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests12-09-05.db
Updated Database: pests12-09-05.db
Current Date: Saturday, January 28, 2006 08:45:32 AM
__________________________________________________

Directories recognized:
=======================

__________________________________________________

Files recognized:
=================

[CWS - CoolWebSearch]
C:\Documents and Settings\syam\Application Data\Avant Browser\keywords.dat
__________________________________________________

Registry keys recognized:
=========================

__________________________________________________

Registry values recognized:
===========================

[I-Worm.Mimail.i]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost32

[MiMail]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SvcHost32
__________________________________________________

Cookies recognized:
===================

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@80693899[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@adrevolver[2].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@adrevolver[2].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@adrevolver[3].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@adrevolver[3].txt

[SpediaBar]
c:\documents and settings\syam\cookies\syam@as-us.falkag[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@as-us.falkag[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@as1.falkag[2].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@bravenet[2].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@casalemedia[2].txt

[Clickbank]
c:\documents and settings\syam\cookies\syam@clickbank[2].txt

[Starware]
c:\documents and settings\syam\cookies\syam@data2.perf.overture[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@data2.perf.overture[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@en101[1].txt

[Starware]
c:\documents and settings\syam\cookies\syam@overture[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@overture[1].txt

[Starware]
c:\documents and settings\syam\cookies\syam@perf.overture[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@perf.overture[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@server.iad.liveperson[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@statcounter[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@statcounter[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@statcounter[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@z1.adserver[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@z1.adserver[1].txt

[Tracking Cookies]
c:\documents and settings\syam\cookies\syam@z1.adserver[1].txt
__________________________________________________



HijackThis report:
-----------
Logfile of HijackThis v1.99.1
Scan saved at 10:13:44 AM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\$ntuninstallkb901214$\realscheddll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\WINDOWS\$ntuninstallkb890859$\svchost32.exe
C:\WINDOWS\system32\Softwaredistribution\appmgmt.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\DOCUME~1\syam\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://202.144.65.70:8090/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.13:8081
O1 - Hosts: 203.197.24.163 www.citibank.co.in
O1 - Hosts: 210.210.19.82 www.sifymall.com
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 a.tribalfusion.com
O1 - Hosts: 216.93.174.28 ad.yieldmanager.com
O1 - Hosts: 216.93.174.28 b.casalemedia.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 67.15.114.78 pagead2.googlesyndication.com
O1 - Hosts: 67.15.114.79 ypn-js.overture.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [realscheddll] C:\WINDOWS\$ntuninstallkb901214$\realscheddll.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{430AC692-D764-4950-8BA8-AFAC6E5A4B14}: NameServer = 172.16.2.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF8EFB0-19F6-423F-A316-27254E88CC24}: NameServer = 202.144.95.4,202.144.66.6
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)

#3 MFDnSC

MFDnSC
Ret. Director I/T

  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 28 January 2006 - 06:00 PM

Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.
==============
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions; click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep, please put a check next to the following:
  o Sweep Memory
  o Sweep Registry
  o Sweep Cookies
  o Sweep All User Accounts
  o Enable Direct Disk Sweeping
  o Sweep Contents of Compressed Files
  o Sweep for Rootkits

  o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner and copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new HijackThis log.
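The reply above restores the hosts file first because the O1 lines in both logs redirect a bank site and several ad servers to addresses that are not loopback, and the O4 lines start executables from a hotfix-uninstall folder and a numeric system32 subfolder. As an added example, not code from the thread or from HijackThis, this Python script picks exactly those two patterns out of a HijackThis log; the excerpt it runs on is constructed from the first log posted above, and the `ads.example` entry is a constructed loopback control.

```python
"""Triage of a HijackThis v1.99 log (added example, not the thread's or HijackThis' code):
flag hosts-file overrides that point off-box and autoruns living in odd Windows folders."""
import ipaddress
import re

# Constructed excerpt of the first log posted above; the ads.example line is a
# constructed loopback ad-block entry that must not be flagged.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\1054\taskhelp.exe
C:\WINDOWS\$ntuninstallkb890859$\svchost32.exe
C:\Program Files\Sify Broadband\BBClient.exe

O1 - Hosts: 203.197.24.163 www.citibank.co.in
O1 - Hosts: 216.93.174.28 ad.yieldmanager.com
O1 - Hosts: 127.0.0.1 ads.example
O4 - HKLM\..\Run: [taskhelp] C:\WINDOWS\system32\1054\taskhelp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
EXE_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.exe", re.I)  # any Windows .exe path, quoted or not
# Folders the autoruns in the posted logs live in; legitimate software does not normally start there.
ODD_LOCATIONS = (
    (re.compile(r"\\\$ntuninstallkb\d+\$\\", re.I), "hotfix uninstall folder"),
    (re.compile(r"\\system32\\\d+\\", re.I), "numeric system32 subfolder"),
)

def hosts_overrides(log):
    """(ip, name) pairs from O1 lines whose target is not loopback: a loopback mapping
    is the usual ad-blocking idiom, anything else silently reroutes that name."""
    hits = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # unparseable address: leave that entry for manual review
        if not addr.is_loopback:
            hits.append((m.group(1), m.group(2).lower()))
    return hits

def odd_executables(log):
    """Map each .exe found in an odd location (process list or O4 autorun) to the reason."""
    flagged = {}
    for line in log.splitlines():
        for path in EXE_RE.findall(line):
            for pattern, reason in ODD_LOCATIONS:
                if pattern.search(path):
                    flagged.setdefault(path.lower(), reason)
    return flagged

if __name__ == "__main__":
    for ip, name in hosts_overrides(SAMPLE_LOG):
        print(f"hosts override: {name} -> {ip}")
    for path, reason in odd_executables(SAMPLE_LOG).items():
        print(f"odd executable: {path} ({reason})")
```

Running it against the full logs above flags all nine O1 entries and both the `taskhelp.exe` and `svchost32.exe` autoruns, while `ctfmon.exe` and the OneCare components pass.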