Hijack This log..... - Techist - Tech Forum

#1 - 05-11-2004, 10:54 AM - Hijack This log.....

A friend at work has been telling me about a problem her son's computer is having. The homepage is being hijacked over and over again.
No viruses present, and AdAware and Spybot have been run with no problems found (not that cause this problem anyway). I sent her Hijack This and told her to email me the log file, but she printed it and gave it to me instead. If someone could check these out and see if there's anything that might cause a homepage to be changed, I'd appreciate it.

[image attachment: Page 1]

[image attachment: Page 2]
-- canooten
#2 - 05-11-2004, 11:17 AM

I really don't see anything in the log. What website does it go to? Also, what does it show in Tools in IE as far as your homepage link?
__________________
ASUS Sabertooth 990FX
AMD FX-8150
16 GB Ram
ASUS GeForce 760 GTX


1TB Sata Seagate
100 Gig Maxtor Sata 7200 Rpm
ASUS DRW 24B3S7 ATA Optical
Windows 7 Home Premium
Dell E228WFP 22"
-- kboy
#3 - 05-11-2004, 12:54 PM

I'll have to get that information. I'm not 100% sure since I haven't looked at the machine yet.
-- canooten
#4 - 05-11-2004, 05:44 PM

It looks like Cool Web.

Copy and paste the log here, please.
__________________
AdAware | Spybot S&D 1.4 | spyware guard & spyware blaster |

How did I get infected in the first place By Tony Klein

If you use IE I suggest using these two programs IE Hosts & IE-SPYAD

-- Lobos
#5 - 05-11-2004, 05:45 PM

Yeah, I was wondering about those Jokneg.dll entries as well. Did a Google search and got nothing. Nice link, Microbell; could be very useful.
-- kboy
#6 - 05-11-2004, 05:50 PM

Lobos, where did ya see a reference to Cool Web? I know that's a hijacker.
-- kboy
#7 - 05-11-2004, 05:58 PM

I said it looks like it, but I need the log to confirm it. There's another file in her startups that could be causing it.

I'm not sure till I take a closer look at it.

I want to look at vz679lftlo.exe.
-- Lobos
#8 - 05-12-2004, 09:47 AM

I'll try to get the log in txt format.
-- canooten
#9 - 05-12-2004, 10:19 AM

OK, here's the log file in text format......

============================

Logfile of HijackThis v1.97.7
Scan saved at 5:57:56 PM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Documents and Settings\Daniel Revo\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {3707549D-B917-49DF-9314-018D7D7A47CF} - C:\WINDOWS\System32\jokneg.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [1y9v9fmymp] C:\WINDOWS\vz679lftlo.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...111.5699884259
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab

=======================================
-- canooten
#10 - 05-12-2004, 12:36 PM

First, move HijackThis into its own folder, not on the desktop or into a temp folder.

Run HijackThis, put a check next to these, close all browsers and hit Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {3707549D-B917-49DF-9314-018D7D7A47CF} - C:\WINDOWS\System32\jokneg.dll
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKCU\..\Run: [1y9v9fmymp] C:\WINDOWS\vz679lftlo.exe

Safe mode:
http://service1.symantec.com/SUPPORT...01052409420406

Show hidden folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Reboot into safe mode (you're going to have to show hidden folders) and delete these:

C:\WINDOWS\WindowsUpd4.exe
C:\WINDOWS\vz679lftlo.exe
C:\WINDOWS\System32\jokneg.dll

Come back and please post another log.
-- Lobos
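The triage Lobos did by eye above (R0/R1 search pages pointing at a res:// page inside a local DLL, a nameless BHO loading that same DLL, and Run entries with random-looking names launching from the Windows root) can be written as a small log check. This is an added example, not HijackThis code or anything from the thread; the heuristics are my own, and the sample is a handful of lines copied from the log posted in #9.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jokneg.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {3707549D-B917-49DF-9314-018D7D7A47CF} - C:\WINDOWS\System32\jokneg.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKCU\..\Run: [1y9v9fmymp] C:\WINDOWS\vz679lftlo.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.I)          # res:// page served from a DLL
O2_DLL_RE = re.compile(r"\{[0-9A-F-]+\} - (?P<dll>.+)$", re.I)      # BHO: {CLSID} - path
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+\"?(?P<exe>[^\"\s]+\.exe)", re.I)  # [Name] path.exe
WINROOT_EXE_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)     # exe sitting directly in C:\WINDOWS

def triage(log: str):
    """Return (flagged_lines, files_to_remove) for a HijackThis log (heuristic, my own)."""
    flagged, files, hijack_dlls = [], set(), set()
    entries = [(m["sec"], m["body"], l) for l in log.splitlines() if (m := LINE_RE.match(l))]
    # Pass 1: search/start-page entries redirected into a resource inside a local DLL.
    for sec, body, line in entries:
        if sec in ("R0", "R1") and (r := RES_DLL_RE.search(body)):
            hijack_dlls.add(r["dll"].lower())
            flagged.append(line)
    # Pass 2: a nameless BHO loading one of those DLLs, and Run entries that launch a
    # digit-laden executable straight out of the Windows root (not a program folder).
    for sec, body, line in entries:
        if sec == "O2" and "(no name)" in body and (d := O2_DLL_RE.search(body)):
            if d["dll"].lower() in hijack_dlls:
                flagged.append(line)
                files.add(d["dll"])
        elif sec == "O4" and (o := O4_RE.search(body)):
            if WINROOT_EXE_RE.match(o["exe"]) and re.search(r"\d", o["name"] + o["exe"]):
                flagged.append(line)
                files.add(o["exe"])
    return flagged, sorted(files)

if __name__ == "__main__":
    hits, removals = triage(SAMPLE_LOG)
    print("\n".join(hits))
    print("files to remove in safe mode:", removals)
```

The Google toolbar BHO and the BCMSMMSG entry pass untouched, while the three files Lobos listed for deletion are exactly what the second pass returns.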