A week ago I formatted my computer and installed KAV (Kaspersky Anti-Virus) and Ad-Aware, but forgot to install a firewall program.
In the last 2 days I surfed on Autohits.dk (an autosurf site); after an hour there were a lot of pop-up windows and 4 shopping-ware programs installed on my computer.
OK, I tried to uninstall them. That was as easy as with other uninstall programs.
But I found my IE was affected by spyware.
I have scanned with Ad-Aware Pro; found only some ad tracking cookies.
Scanned with Bazooka, found nothing.
I have installed XoftSpy and scanned too; found more cookies, but it didn't detect that my IE was hijacked.
OK, tried HijackThis and found something:
CODE
Logfile of HijackThis v1.97.7
Scan saved at 8:48:22, on 17/12/2547
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\RTE\RTEGPRS.exe
C:\Program Files\NoFlash\NoFlash.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\irftp.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
D:\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: FlashCaptureIEHlprObj Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FlashCap.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.114-big.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe"
O4 - HKCU\..\Run: [No! Flash] C:\Program Files\NoFlash\NoFlash.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.114-big.dll/cmtrans.html
O8 - Extra context menu item: ???????????????????? FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ????????????? FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: FlashCapture (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42DFEA4C-2F25-4535-9A67-7533278F9DCB}: NameServer = 203.146.237.237 203.149.0.2
Warning!! Don't click any link if you are not sure about your computer's security.
My start page was attacked by this page: http://213.159.117.134/index.php
I have fixed it with HijackThis, but it returns immediately. WOW!! How do they do that?
I searched the registry and deleted all keys related to 213.159......, but they can't be deleted. They return immediately.
I have scanned with KAV, found nothing.
I have tried online spyware scans:
-> http://download.zonelabs.com/bin/updates/z...AEN1025EXE.html <= Not a good tool
-> http://www.spywareguide.com/txt_onlinescan.html <= Can't complete the scan; maybe spyware blocked it, or there is a problem in the program
-> http://www.webroot.com/services/spyaudit_03.htm <= OK, nice tool. Found that my IE was hijacked; the results are on this page (you can click to see the results):
Spyware Found on Your Computer
Trojans (1)
    TopConverting Downloader
System Monitors (1)
    Visual Log
Adware (8)
    Bargain Buddy
    BrowserVillage Sidebar
    CashBack
    CoolWebSearch (CWS)
    213.159.117.134 Hijack
    InternetOptimizer
    Lopdotcom
    SurfSideKick
213.159.117.134 <<= it is a CoolWebSearch page... a big scam search engine.
Now I think it is high risk to use IE, so I now use Avant Browser only.
But I still need IE sometimes.
Any other suggestions? I'd very much appreciate them....
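As an added example (not code from the original post or from HijackThis), a small Python triage script for the HijackThis log format quoted above: it flags R0/R1 start-page values that point at a bare IP address, lists O4 Run names registered under both HKLM and HKCU, and collects O16 DPF download hosts for allowlist review. The sample lines are copied from the log; the heuristics and function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a handful of the HijackThis lines quoted in the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
"""

R_LINE = re.compile(r"^R[01] - (HK\w+)\\.*?Main,(.+?) = (\S+)")      # IE start-page values
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)")  # autostart Run entries
O16_LINE = re.compile(r"^O16 - DPF: (.+?) - (\S+)")                   # downloaded ActiveX controls
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def hijacked_start_pages(lines):
    """{(hive, value name): url} for start-page values whose host is a bare IPv4 literal."""
    found = {}
    for m in filter(None, map(R_LINE.match, lines)):
        host = urlparse(m.group(3)).hostname or ""
        if IPV4.match(host):
            found[(m.group(1), m.group(2))] = m.group(3)
    return found

def duplicated_run_entries(lines):
    """{name: {hive: command}} for Run names registered in more than one hive."""
    by_name = defaultdict(dict)
    for m in filter(None, map(O4_LINE.match, lines)):
        by_name[m.group(2)][m.group(1)] = m.group(3).strip()
    return {n: hives for n, hives in by_name.items() if len(hives) > 1}

def dpf_download_hosts(lines):
    """{host: url} for every O16 DPF entry, to compare against an allowlist."""
    return {urlparse(m.group(2)).hostname: m.group(2)
            for m in filter(None, map(O16_LINE.match, lines))}

def triage(log_text):
    lines = log_text.strip().splitlines()
    return {"start_pages": hijacked_start_pages(lines),
            "dup_run": duplicated_run_entries(lines),
            "dpf_hosts": dpf_download_hosts(lines)}

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

A duplicated Run entry is only a lead to investigate, not proof of malware; in the post it was the Webroot scan result that confirmed the 213.159.117.134 hijack.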