
 Paul928
join:2000-05-06 Haverhill, MA
·Comcast
| Re: Browser Hijack!! Here is my log file from Hijackthis...kind of a long one.
Logfile of HijackThis v1.97.3
Scan saved at 1:04:31 PM, on 11/3/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Music\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »rd.yahoo.com/customize/ymsgr/def···ahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = »www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - »office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - »thesims.ea.com/teleport/hotdate/···eleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - »aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/254e0d9dc812f8d037···E601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - »thesims.ea.com/teleport/supersta···eleX.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »us.dl1.yimg.com/download.yahoo.c···mapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - »download.abacast.com/download/fi···etup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
|   Paul928
join:2000-05-06 Haverhill, MA | Re: Browser Hijack!! Thanks for the help people. What I did was actually delete the whole host file, re-booted and everything was cool....thanks for all the help | |
|  |   John2g Qui Tacet Consentit Premium join:2001-08-10 England
| Re: Browser Hijack!! said by Paul928 : Thanks for the help people. What I did was actually delete the whole host file, re-booted and everything was cool....thanks for all the help
It might pay you to read this: »securityresponse.symantec.com/av···sts.html -- Better to remain silent and be thought a fool, than to speak and remove all doubt. | |
|   Nam Vet Premium join:2001-12-03 Allentown, PA
| I am going to defer here to someone more knowledgeable, but look at your hosts file path (it's wrong), and all the URLs in the hosts file redirect you to 207.44.220.30, which is "ns1.sitething.net".
[text was edited by author 2003-11-03 13:25:36] | |
|   Zupe Premium,MVM join:2001-11-29 New York, NY clubs:
| said by Paul928 :
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »tooncomics.com/main/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = »www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
You've got a whole bunch of spyware here, including Coolwebsearch, the QHosts trojan, and a newer one called seek-seek. This will take a few steps to get rid of:
1) Download and run CWShredder from here: »www.spywareinfo.com/~merijn/cwsc···les.html (Direct Download: »www.spywareinfo.com/~merijn/file···dder.zip )
2) Download and run the QHosts removal tool from Symantec here: »securityresponse.symantec.com/av···ool.html (Direct Download: »www.symantec.com/avcenter/FixQhost.exe )
3) Go to the C:\Windows\Help directory and delete the file called "Hosts" there, then, as pieter arntz suggested above, copy and paste this into notepad, save as restorehostspath.reg, doubleclick it and confirm that you want to merge it with the registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00

4) Hit Ctrl-Alt-Del, highlight slmss.exe and hit "end Process". Do the same for mwsvm.exe
5) With all browser windows closed, re-scan with Hijack This and put a check next to any of the items I listed above that still remain, then click "Fix Checked". Reboot and rescan with Hijack This and post your log again.
6) Wait for someone to look over your log. Assuming it's clean, you can then delete the following:
C:\WINDOWS\mwsvm.exe
C:\Program Files\Common Files\slmss\slmss.exe (possibly the whole slmss directory)
C:\WINDOWS\ieasst.dll
-- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 14:21:41] | |
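
The two hosts-file symptoms pointed out in the replies above (a relocated hosts file and unrelated search domains all mapped to one address), plus a decode of the DataBasePath value that the .reg file restores, as an added Python example that is not part of the original thread. The function names are hypothetical, the sample lines are abridged from the log posted here, and %SystemRoot% is assumed to be C:\WINDOWS.

```python
import re

# Default directory Windows uses for the hosts file (the DataBasePath default).
DEFAULT_DIR = r"%SystemRoot%\System32\drivers\etc"

# hex(2) payload of "DataBasePath" from the .reg file quoted in the thread.
REG_HEX = (
    "25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,"
    "00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,"
    "64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00"
)

# Constructed sample: a few lines abridged from the log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 search.yahoo.com
O1 - Hosts: 207.44.220.30 search.msn.com
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
"""


def decode_reg_expand_sz(hex_csv):
    """Decode a .reg hex(2) value: comma-separated UTF-16LE bytes, NUL-terminated."""
    cleaned = hex_csv.replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def analyse_o1(log_text, system_root=r"C:\WINDOWS", min_domains=3):
    """Flag a relocated hosts file and one address shared by unrelated domains."""
    expected = DEFAULT_DIR.replace("%SystemRoot%", system_root) + "\\hosts"
    findings, by_ip = [], {}
    for line in map(str.strip, log_text.splitlines()):
        m = re.match(r"O1 - Hosts file is located at:\s*(.+)", line)
        if m:
            if m.group(1).strip().lower() != expected.lower():
                findings.append(("relocated_hosts_file", m.group(1).strip()))
            continue
        m = re.match(r"O1 - Hosts:\s*(\S+)\s+(\S+)", line)
        if m and m.group(1) not in ("127.0.0.1", "0.0.0.0"):
            by_ip.setdefault(m.group(1), []).append(m.group(2).lower())
    for ip, names in by_ip.items():
        # Crude grouping by the last two labels; good enough to tell
        # google.com from yahoo.com, not a public-suffix-aware parser.
        roots = sorted({".".join(n.split(".")[-2:]) for n in names})
        if len(roots) >= min_domains:
            findings.append(("shared_redirect", ip, roots))
    return findings


if __name__ == "__main__":
    print("DataBasePath restores to:", decode_reg_expand_sz(REG_HEX))
    for finding in analyse_o1(SAMPLE_LOG):
        print(finding)
```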