Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ive been hijacked


  • Please log in to reply
6 replies to this topic

#1 Dark_Stag_needsHelp

Dark_Stag_needsHelp

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 15 November 2004 - 10:01 PM

I have been hijacked, i used spybot S&D and Ad-Aware, CWShreader, and hijackthis,

i cant get rid of this file called "coolWWWsearch.googlems"
it wont go away! i need some help, and you guys seem very knowledgable....
i also think i have more bad files... O ya, i also have an HTML page on my desktop i tried to make go away, but failed and now its just a white page...
plz help! :thumbsup:

BC AdBot (Login to Remove)

 


m

#2 Dark_Stag_needsHelp

Dark_Stag_needsHelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 15 November 2004 - 10:50 PM

this would probably help some lol :thumbsup:


Logfile of HijackThis v1.97.7
Scan saved at 7:48:45 PM, on 11/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Patrick\Application Data\siti.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:1080
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [71f175f371ef] C:\WINDOWS\System32\cmcfg327.exe
O4 - HKLM\..\Run: [2TC4YM@4XBC6RK] C:\WINDOWS\System32\RsaQs5.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Raae] C:\Documents and Settings\Patrick\Application Data\siti.exe
O4 - HKCU\..\Run: [Asatdgl] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: AIM (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10226.dll' missing
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB



plz help me

#3 Dark_Stag_needsHelp

Dark_Stag_needsHelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 16 November 2004 - 07:36 AM

Plz hurry, the stuff i got rid of is already regenerating :thumbsup:

#4 Dark_Stag_needsHelp

Dark_Stag_needsHelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 16 November 2004 - 04:14 PM

Sry to impateinet but my Pc is getting worse, i need some help plz,

i cant get rid of the desktop, by the web folder method, aftr i delete it, it comes straight bak, i also updated windows, so i thought that would fix the desktop part of the hijack, but it didnt, i dont kno wtf is goin on with my other stuff....


i really need some assistance A.S.A.P plz

#5 Dark_Stag_needsHelp

Dark_Stag_needsHelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 16 November 2004 - 05:42 PM

U2, this the NEW HJT log....

Logfile of HijackThis v1.97.7
Scan saved at 2:12:01 PM, on 11/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:1080
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [2TC4YM@4XBC6RK] C:\WINDOWS\System32\ObvAjhI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Raae] C:\Documents and Settings\Patrick\Application Data\siti.exe
O4 - HKCU\..\Run: [Asatdgl] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB




ok and here id the startup list



StartupList report, 11/16/2004, 2:17:30 PM
StartupList version: 1.52
Started from : C:\My Downloads\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\My Downloads\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Patrick\Start Menu\Programs\Startup]
Xfire.lnk = C:\Program Files\Xfire\Xfire.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe
Lexmark X1100 Series = "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
2TC4YM@4XBC6RK = C:\WINDOWS\System32\ObvAjhI.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Raae = C:\Documents and Settings\Patrick\Application Data\siti.exe
Asatdgl = C:\WINDOWS\System32\m?iexec.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\ATIRAD~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 3,789 bytes
Report generated in 0.015 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

hehe ty
:thumbsup:

#6 Dark_Stag_needsHelp

Dark_Stag_needsHelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 16 November 2004 - 06:50 PM

ok newer version of HJT after a deleted the other stuff u said....


Logfile of HijackThis v1.97.7
Scan saved at 3:47:52 PM, on 11/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB



And here is the startuplist

StartupList report, 11/16/2004, 3:49:28 PM
StartupList version: 1.52
Started from : C:\My Downloads\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\My Downloads\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Patrick\Start Menu\Programs\Startup]
Xfire.lnk = C:\Program Files\Xfire\Xfire.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe
Lexmark X1100 Series = "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\ATIRAD~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,153 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

hehe ty

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:34 AM

Posted 18 November 2004 - 09:22 PM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users