Web User Forums > Security > Security & Privacy Help and Discussions
#11
Posted 03-07-04, 16:02 by KangarooPoo
Re: homepage hijacked

Be sure to follow the next set of steps carefully, in
the exact order specified:

- Open the FINDnFIX\Keys1 subfolder.
- Locate the "MOVEit.bat" file, right-click
on it, select->edit:
The file will open as a text file.
- Copy and paste the following line into the 'MOVEit' file, replacing its contents:

move %WinDir%\System32\LOGH.DLL %SystemDrive%\junkxxx\LOGH.DLL

Be sure to replace the text in the file with the command above!

- Save the file and close.

*Get ready to restart your computer:
- In the same folder, double-click on the "FIX.bat" file.
You will be prompted by a popup alert to restart in 15 seconds.
- Allow it to restart the computer!

- On restart, navigate to:
C:\FINDnFIX\ main folder:
- Double-click on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt). Post it here.


#12
Posted 05-07-04, 13:39 by panchostein1
Re: homepage hijacked

I couldn't edit MOVEit; when I try to open it, a Windows alert says that Windows can't find the file. I downloaded FINDnFIX again and still cannot edit the MOVEit file (the same Windows alert shows up).

#13
Posted 05-07-04, 13:47 by KangarooPoo
Re: homepage hijacked

Your Notepad file has been compromised by CWS:

Go to this folder: C:\Windows\System32\dllcache
Click Tools/Folder Options and turn on "show hidden files and folders".

Then turn OFF "hide protected operating system files".
This is your backup of Windows system files, which Notepad is one of.

Find notepad.exe, right click and click copy. Next go to the shortcut
for notepad in your start menu. Right click and choose properties.

Click "find target". This will open the containing folder.
Right click in this folder and click paste. Windows will tell you the
file already exists do you want to replace it. Click yes and you have
restored notepad.

Go back to Folder Options and hide the system files and hidden files again.

Then try the last step I posted.


Edited by KangarooPoo on 05/07/2004 13:48 (server time).
#14
Posted 05-07-04, 17:28 by panchostein1
Re: homepage hijacked

I went to windows\system32\dllcache, but I couldn't find the dllcache file. Is there another way that I can restore Notepad, or can I use Word for those kinds of files?
The other thing that I noted is that when I get onto the internet now I only get the about:blank homepage, but without the contents on the pages and no pop-ups. Can I run the hijacking program again and try to post the log through Word?

Edited by panchostein1 on 05/07/2004 17:42 (server time).
#15
Posted 05-07-04, 17:54 by KangarooPoo
Re: homepage hijacked

Go to C:\Windows\System32\ and see if you can find junkxxx; open it and post back here the contents listed.

#16
Posted 05-07-04, 18:01 by panchostein1
Re: homepage hijacked

I don't find the file either.

#17
Posted 07-07-04, 00:18 by panchostein1
Re: homepage hijacked

This is my latest HijackThis log; I keep marking them out but they keep coming back.

Logfile of HijackThis v1.98.0
Scan saved at 7:15:03 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\system32\ZONELABS\minilog.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\PANICW~1\dpps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HTJ\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANCI~1.VAI\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FRANCI~1.VAI\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Family\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Family\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Family\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Family\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6CF1449B-5AEF-4160-99B8-12FFD574C8C6} - C:\WINDOWS\System32\lfine.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\dpps2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Tray] D:\My Documents\statedocff\doc_details.pif
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: BellSouth Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - D:\Program Files\BellSouth Messenger\BSM.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {C74190B6-8589-11D1-B16A-00C0F0283628} (Microsoft TreeView Control 6.0 (SP4)) - http://sipnet.stateindustrial.com/CAB Files/mscomctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B406C527-E9A9-465D-8901-14D908C99411}: NameServer = 205.152.144.23 205.152.132.23
O18 - Filter: text/html - {A9DCF99A-2CA8-43A0-98B6-7B0DD9AFE713} - C:\WINDOWS\System32\lfine.dll
O18 - Filter: text/plain - {A9DCF99A-2CA8-43A0-98B6-7B0DD9AFE713} - C:\WINDOWS\System32\lfine.dll



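A defender's triage pass over entries shaped like the log in post #17, added here as an example that is not part of the thread or of HijackThis itself. The sample lines are constructed (user-profile name changed) but copy the shape of the R1, O2, O4 and O18 entries above, and the four rules encode what the helpers in this thread act on: a start/search page pointing at a local Temp file, an unnamed BHO, an autorun entry that launches a .pif, and a text/* MIME filter handled by a third-party DLL.

```python
import re

# Constructed sample in HijackThis format; the entry shapes copy post #17.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = file://C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\sp.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {6CF1449B-5AEF-4160-99B8-12FFD574C8C6} - C:\\WINDOWS\\System32\\lfine.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton AntiVirus\\NavShExt.dll
O4 - HKCU\\..\\Run: [System Tray] D:\\My Documents\\statedocff\\doc_details.pif
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O18 - Filter: text/html - {A9DCF99A-2CA8-43A0-98B6-7B0DD9AFE713} - C:\\WINDOWS\\System32\\lfine.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return a reason if the line matches a CWS-style indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        # Start/search page redirected to a local file under Temp (sp.html above)
        value = body.split(" = ", 1)[-1].lower()
        if value.startswith("file://") and "\\temp\\" in value:
            return "IE start/search page points at a local file in a Temp folder"
    elif sec == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    elif sec == "O4":
        # Autorun entry launching a .pif/.scr rather than a real program
        target = body.split("] ", 1)[-1].strip().strip('"')
        if target.lower().endswith((".pif", ".scr")):
            return "Run entry launches a .pif/.scr file"
    elif sec == "O18" and body.startswith("Filter: text/"):
        # A text/html or text/plain MIME filter lets a DLL rewrite every page IE renders
        return "MIME filter on text/* content handled by a third-party DLL"
    return None


def triage(log_text):
    """Return (section, reason, line) for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line))
    return hits


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries that trip a rule are candidates for a closer look, not proof of infection on their own; the benign NAV Helper BHO and ctfmon.exe lines in the sample pass untouched.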
#18
Posted 07-07-04, 21:51 by panchostein1
Re: homepage hijacked

This is the last FINDnFIX log that I could get; please help me out with how to get rid of this
problem.

*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is FAT32.
C: is dirty. You may use the /C option to schedule chkdsk for
this drive.

Wed 07/07/2004
4:40pm up 0 days, 0:09

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\LOGH.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGH.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT
LOGH.DLL Can't Open!

(*3*) ........

C:\WINDOWS\SYSTEM32\
logh.dll Mon Jun 21 2004 10:36:34p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\LOGH.DLL


(*5*)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Access denied ..................... LOGH.DLL .....57344 21.06.2004

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group VAIO\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search (different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Notepad check....

C:\WINDOWS\
notepad.exe Mon Jun 21 2004 10:36:30p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Mon Jun 21 2004 10:36:30p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-21-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



Backups created...
4:42pm up 0 days, 0:11
Wed 07/07/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-07-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-07-2004 winkey.reg

Performing 16bit string scan....
00001150: vk : f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ l o g h . d l l
000011D0: h vk UDeviceNotSelectedTimeout 1 5
00001210: P 9 0 vk ' zGDIProcessHandle
00001250:Quota" vk x Spooler2 y e s _ h
00001290: ( X vk 5swapdisk vk
000012D0: . TransmissionRetryTimeout h ( X
00001310: vk ' o USERProcessHandleQuotan

---------- WIN.TXT
fAppInit_DLLs֍GC
C:\WINDOWS\System32\logh.dll
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File C:\FINDnFIX\WIN.TXT
regf Pugf



#19
Posted 07-07-04, 22:38 by bricat (Global Moderator, belfast)
Re: homepage hijacked

Open the FINDnFIX\Keys1 subfolder.
- Locate the "MOVEit.bat" file, right-click
on it, select->edit:
The file will open as a text file.
- Copy and paste the following line into the 'MOVEit' file, replacing its contents:

move %WinDir%\System32\LOGH.DLL %SystemDrive%\junkxxx\LOGH.DLL

Be sure to replace the text in the file with the command above!

- Save the file and close.

*Get ready to restart your computer:
- In the same folder, double-click on the "FIX.bat" file.
You will be prompted by a popup alert to restart in 15 seconds.
- Allow it to restart the computer!

- On restart, navigate to:
C:\FINDnFIX\ main folder:
- Double-click on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt). Post it here.



#20
Posted 07-07-04, 23:39 by panchostein1
Re: homepage hijacked

I have a problem opening that file; it prompts me with an error that it doesn't find the file. When I try to press edit it gives me the error. Is there another way to open or edit this file (I am missing notepad.exe)? And I can't find the dllcache file to retrieve the Notepad backup.

© Copyright IPC Media Limited 2009, All rights reserved