Full Version: hijack this log-desktop taken over
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
slaser
My desktop has been taken over by a web page that says, "warning, you're in danger...secure yourself right now". At the bottom is a button that says, "removal instructions". It's trying to get me to buy their fix.

I used spybot and adaware but cannot get rid of the problem. Web pages keep opening up trying to sell me stuff. I ran hijack this and my log follows:

Logfile of HijackThis v1.98.2
Scan saved at 11:55:29 AM, on 12/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.tl81.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094500064514
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {ED5BE7F4-9C97-4013-8838-48C20128D73A} (dmsProMaxOnLine Control) - http://www.promaxonline.net/ProMaxOnLine.ocx

Thanks for your assistance,
Steve
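The log above is what the helpers in this thread read by hand: O1 lines that redirect search hostnames to one outside IP, O15 lines that place unfamiliar domains in Internet Explorer's Trusted Zone, and an O16 ActiveX control pulled from a non-vendor site. The script below is an added example, not part of the original thread and not code from HijackThis; it assumes the v1.98-style line format shown in the log, uses lines copied from that log plus one constructed loopback entry, and the `KNOWN_DPF_HOSTS` allowlist is a constructed placeholder a reader would maintain themselves.

```python
"""Triage a HijackThis log: group O1 hosts-file redirects by target IP,
list O15 Trusted Zone additions, and flag O16 ActiveX download sources
that are not on a small allowlist. Added example; not HijackThis code."""
import re
from collections import Counter
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted in this thread, plus one
# constructed loopback entry (the last O1 line) to show that a hosts
# entry pointing at 127.0.0.1 only blocks a name and is not a redirect.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.example.invalid
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.tl81.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {ED5BE7F4-9C97-4013-8838-48C20128D73A} (dmsProMaxOnLine Control) - http://www.promaxonline.net/ProMaxOnLine.ocx
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)\s*$")
DPF_RE = re.compile(r"^O16 - DPF:\s+(\{[0-9A-Fa-f-]+\})\s+\((.*?)\)\s+-\s+(\S+)\s*$")

# Hosts entries pointing here block a name rather than redirecting it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Constructed allowlist of ActiveX download hosts the reader has vetted.
KNOWN_DPF_HOSTS = {"v5.windowsupdate.microsoft.com", "download.zonelabs.com"}


def parse_hjt(text):
    """Return the O1, O15 and O16 entries of a HijackThis log as plain tuples."""
    hosts, trusted, dpf = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            hosts.append((name, ip))
        elif m := TRUSTED_RE.match(line):
            trusted.append(m.group(1))
        elif m := DPF_RE.match(line):
            dpf.append(m.groups())  # (clsid, description, url)
    return {"hosts": hosts, "trusted_zones": trusted, "dpf": dpf}


def hosts_redirects_by_ip(text):
    """Group non-loopback hosts entries by target IP; counts expose duplicate lines."""
    by_ip = {}
    for name, ip in parse_hjt(text)["hosts"]:
        if ip in LOOPBACK:
            continue
        by_ip.setdefault(ip, Counter())[name] += 1
    return {ip: dict(names) for ip, names in by_ip.items()}


def triage(text):
    """Produce one finding per suspicious item, phrased for a reply in a help thread."""
    findings = []
    for ip, names in sorted(hosts_redirects_by_ip(text).items()):
        total = sum(names.values())
        listing = ", ".join(f"{n} (x{c})" if c > 1 else n for n, c in sorted(names.items()))
        findings.append(f"O1: {total} hosts entries send {len(names)} name(s) to {ip}: {listing}")
    parsed = parse_hjt(text)
    for zone in parsed["trusted_zones"]:
        findings.append(f"O15: {zone} is in the IE Trusted Zone, which applies IE's lowest security settings")
    for clsid, desc, url in parsed["dpf"]:
        host = urlparse(url).netloc
        if host not in KNOWN_DPF_HOSTS:
            findings.append(f"O16: ActiveX control '{desc}' {clsid} was downloaded from {host}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

The grouping in `hosts_redirects_by_ip` is the point: three identical `ieautosearch` lines collapse to one name with a count, and every redirected name resolves to the same address, which is the pattern of a search hijack rather than a hand-edited hosts file.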
Hunter
Are you talking about this thing?

Go to Control Panel/Display, then click on the "Desktop" tab. Click on "Customize Desktop", then delete (or just uncheck) "Security".

and you can uninstall it there.
slaser
Yeah! That's exactly what I'm talking about! I'm going to try your fixes and will post my results. Thank you very much.

Steve
Hunter
But you also have other infections on that PC...someone will help you with your hijack this log later on.
slaser
Ok, I just removed that security web page by deleting the entry in "customize desktop". That was awesome and I thank you for your help. I do feel I have other spyware as you say, and look forward to fixing that as well.

Thanks, again!
Steve

PS, as I was typing the "Thanks, again" part a new browser opened, so I definitely have more issues to resolve. Can we find the people who infect us and break their kneecaps?
slaser
I also tried the smart security web page but I think it's the wrong address.
LoPhatPhuud
OK, I believe we have a solution.

First:
DLLCompare.zip is in the Zip file attached to this post.

Unzip and copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download the attached archive and unzip it to your Desktop. Open the FindIt folder and double click on Find.bat.

Copy the Notepad document that opens (output.txt) and paste its contents in this thread.