Results 1 to 4 of 4
  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    2
    Points
    0

    Default Hijack this logfile, browserhijacking

    Hi.
    I'm hijacked. My browser, IE 6.0, takes me to this site (http://www.securitysafeguards.net/) when i start it up, also a popupwindow comes. Tried Ad-aware by lavasoft, and Norman, and then HiJack This. Removed as suggested, but they were uninteresting. This is what is left in the logfile. Please help me :?


    Logfile of HijackThis v1.99.1
    Scan saved at 08:05:54, on 04.04.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
    C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\NORMAN\bin\ZANDA.EXE
    C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\bin\NJEEVES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
    C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
    C:\NORMAN\bin\ZLH.EXE
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Programfiler\iTunes\iTunesHelper.exe
    C:\NORMAN\Nvc\bin\cclaw.exe
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\iPod\bin\iPodService.exe
    C:\Programfiler\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liverpool.no/CDA/homepg.aspx
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp757F.tmp
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programfiler\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102322353344
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sfjskole.int
    O17 - HKLM\Software\..\Telephony: DomainName = sfjskole.int
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sfjskole.int
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\NORMAN\bin\ZANDA.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe

  2. #2
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Hi:

    What ever you do, do not click on that link, as it belongs to spyaxe/spyfalcon trojan.

    Lets try a simple fix first, as I don't see a run key.

    Boot the PC in the SAFE MODE:

    safe mode<< Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Still in the safe mode, check the following file in HJT program:

    O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp757F.tmp


    Press the fixed check button

    Still in the safe mode go to/find :

    C:\WINDOWS\system32\hp757F.tmp....delete the file, not the system32 FOLDER.

    Re boot, run the HJT program again post another log.

    BG

  3. #3
    Member
    Join Date
    Apr 2006
    Posts
    2
    Points
    0

    Default

    Hi!
    The link was stupid to post.. My bad. But, i was a little ahead of u, and when norman found a trojan, as it did all of u sudden(have run it many times??), it mentioned that file. I remebered it from Hijack This-logfile, and ran HijackThis, "fixchecked" it, and in norman i delted it from quaranteened files. The HiJacking has passed, im free, for now! If it appears again i will use your post! Thank you very much!!

  4. #4
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    You're not clean...

    This is a trojan :-

    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

    I also suggest you run the smitrem tool...

    Post back if you are still monitoring this thread...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -