| Thread ID: 60919 | 2005-08-18 03:00:00 | Damn Hijackers | B.M. (505) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 382005 | 2005-08-18 03:00:00 | A mate dropped off a computer with a complaint I haven't seen before, but think I've read about on this forum. Regretfully, searching Press F1 hasn't found what I want. The problem is, something hijacks his Paradise ISP connection. Yep, it changes Paradise's dialup number to any one of a number of overseas numbers, 00448707690694 and 002463473130 being just a couple. OK, he's got Nortons right up to date, Spybot right up to date, and AdAware right up to date, but they don't find anything! I've ditched the connection and set up another, and everything is fine until you restart the computer, when blow me down you've got a new number deputising for Paradise. Now, I've read about someone else having similar problems and they found another programme like Spybot and AdAware that found the problem. Anyone else remember and/or point me in the right direction? :confused: |
B.M. (505) | ||
| 382006 | 2005-08-18 03:16:00 | Get hijackthis and post a log here. It sounds like a dialler is on his system. And it dials overseas, which most diallers do. |
Speedy Gonzales (78) | ||
| 382007 | 2005-08-18 03:50:00 | Here you go Speedy:
Logfile of HijackThis v1.99.1
Scan saved at 2:41:59 PM, on 18/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\usbn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {588EDA85-434B-4C12-A5F2-0E6DF42957C7} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c59 -w
O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\Jim Morrison\cnmss3m.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - 63.102.226.240:8000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
B.M. (505) | ||
| 382008 | 2005-08-18 03:52:00 | Maybe you're thinking of Ewido. There was a thread recently when someone tried everything and then Ewido got the nasty. Maybe bartsdadhomer. Can't remember exactly. I don't have any experience of the program but it stuck in my mind as yet another last resort. HTH.........m pressf1.pcworld.co.nz that's the thread there. It was bartsdadhomer about redirecting to porn site and ewido got it in the end.. |
mark c (247) | ||
| 382009 | 2005-08-18 04:05:00 | Tick these (close the browsers), click on fix checked, and reboot.
C:\WINDOWS\system32\usbn.exe
This is an adult dialler.
O2 - BHO: (no name) - {588EDA85-434B-4C12-A5F2-0E6DF42957C7} - (no file)
Not nasty but not needed.
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c59 -w
Part of the dialler. |
Speedy Gonzales (78) | ||
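Speedy's diagnosis above comes from reading the log by entry type: the O4 Run line launching an unfamiliar binary out of system32, the O2 BHO with "(no file)", and (worth a second look in any log) the O16 DPF control served from a bare IP address. The script below is an added example, not from this thread and not part of HijackThis; it parses the "Oxx - ..." line format and applies those three checks to a constructed sample trimmed from the log posted above. The KNOWN_SYSTEM32_RUN allowlist is a placeholder a triager would fill in for the machine at hand, not an authoritative list.

```python
"""Triage a HijackThis v1.99-style log for the entry kinds that mattered in
this thread. Added example; not from the thread and not part of HijackThis.

Three defender-side checks, all constructed for the example:
  * O4 Run entries whose executable lives under \\system32\\ but is not on a
    small vetted allowlist (KNOWN_SYSTEM32_RUN is a placeholder list).
  * O2 BHO entries whose DLL is reported as "(no file)" (orphaned entry).
  * O16 DPF entries that reference a bare IP address instead of a host name.
"""
import re

# Constructed sample, trimmed from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {588EDA85-434B-4C12-A5F2-0E6DF42957C7} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c59 -w
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - 63.102.226.240:8000
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<key>[^\[]+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<name>.*?) - (?P<location>\S+)$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Placeholder allowlist: system32 binaries the triager has already vetted on this box.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}


def parse_entries(log_text):
    """Return the 'Oxx - ...' / 'Rx - ...' lines as dicts; skip header and process lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"type": m.group("type"), "body": m.group("body"), "line": line})
    return entries


def command_executable(cmd):
    """Pull the executable path out of a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_log(log_text):
    """Apply the three checks; return findings in log order."""
    findings = []
    for entry in parse_entries(log_text):
        kind, body = entry["type"], entry["body"]
        reason = None
        if kind == "O4":
            m = O4_RUN_RE.match(body)   # only the registry Run entries have "[name] cmd"
            if m:
                exe = command_executable(m.group("cmd")).lower()
                base = exe.rsplit("\\", 1)[-1]
                if "\\system32\\" in exe and base not in KNOWN_SYSTEM32_RUN:
                    reason = f"Run entry launches unvetted system32 binary {base}"
        elif kind == "O2":
            m = O2_RE.match(body)
            if m and m.group("path").strip().lower() == "(no file)":
                reason = f"BHO {m.group('clsid')} points at a missing file"
        elif kind == "O16":
            m = O16_RE.match(body)
            if m and BARE_IP_RE.match(m.group("location")):
                reason = f"DPF control downloaded from bare IP {m.group('location')}"
        if reason:
            findings.append({"type": kind, "reason": reason, "line": entry["line"]})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['type']}] {f['reason']}\n    {f['line']}")
```

Run against the sample it reports exactly the two entries Speedy ticked plus the O16 line; against a real log, treat every hit as a lead to verify (file on disk, vendor, signature), not as a verdict, since plenty of legitimate software also starts from system32.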
| 382010 | 2005-08-18 09:20:00 | Got the sod!! (I think) :rolleyes: Yep, Ewido was what I was looking for Mark. Thanks for that. So what I did was download and run Ewido, which found another 8 intruders as follows.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:52:04 PM, 18/08/2005
+ Report-Checksum: 9DC3A9F1
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9603A736-05B9-4D78-BDD5-BDCB0914E522} -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC12B055-C9F5-407D-9B66-1851973F32AF} -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
::Report End
Then I ran HijackThis again and C:\Windows\system32\usbn.exe was gone but the other two were still there. So, I restarted to see what happened and lo and behold the ISP dial-up number had been changed to 003718400480 this time. This made me just Soooooooo happy! OK, back to HijackThis and delete the two remaining entries that Speedy suggested and Whippy do, it seems to be fixed. I've restarted half a dozen times and the Paradise number remains correct.
Conclusion: Neither Nortons, Spybot, Ad-Aware, nor Ewido could capture this sod, but if you know how to read HijackThis you've got a chance. I must say I quite like this Ewido and it did find 8 items that Ad-Aware and Spybot missed. That's it, thanks again to Mark and Speedy. :thumbs: |
B.M. (505) | ||
| 382011 | 2005-08-18 09:28:00 | Yay! Pleased to see it. I've had lots of help here and only too happy to put some back :) (and I agree with your multiple boot practice before you can be confident something's gone. I do that too.) :thumbs: |
mark c (247) | ||
| 382012 | 2005-08-18 09:50:00 | Good to hear it's fixed BM. :thumbs: A hijacker is different from a dialler. A hijacker affects the browser; a dialler, as it says, replaces the dialup. So, it'll dial elsewhere (usually overseas) if u disconnect from the net. You'll soon find out if u had one (and it's been on your system for a while): it'll appear on your phone bill. And depending on how long someone has had it, it'll be a BIG bill. |
Speedy Gonzales (78) | ||
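Speedy's point is the useful detection angle: a dialler shows itself in the dial-up entry's phone number long before the phone bill arrives, and BM only caught the reinfection by checking the Paradise number after each reboot. The script below is an added example, not from this thread, that automates that check against a Windows RAS phonebook (rasphone.pbk). It assumes the phonebook is an INI-style text file with one [section] per connection and one or more PhoneNumber= lines per section; the sample phonebook, the expected-number table and the local number 0123456789 are constructed placeholders, while 00448707690694 is one of the overseas numbers reported earlier in the thread.

```python
"""Audit a Windows RAS phonebook (rasphone.pbk) for dial-up numbers that differ
from what the ISP entry is supposed to dial. Added example; not from the thread.

Format assumption: rasphone.pbk is INI-style text, one [section] per connection
entry, with one or more "PhoneNumber=" lines per entry. The sample below and
the expected-number table are constructed for this example.
"""
import re
import sys

SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")

# Constructed sample phonebook. The Paradise entry carries one of the overseas
# numbers reported in the thread; the second entry is a made-up local number.
SAMPLE_PBK = """\
[Paradise]
Encoding=1
Type=1
PhoneNumber=00448707690694
[Backup ISP]
Encoding=1
Type=1
PhoneNumber=0123456789
"""

# What each entry is supposed to dial (constructed placeholders, not real ISP numbers).
EXPECTED_NUMBERS = {
    "Paradise": {"0123456789"},
    "Backup ISP": {"0123456789"},
}


def normalise(number):
    """Keep digits and a leading '+' so '00 44 870-769' and '0044870769' compare equal."""
    number = number.strip()
    plus = number.startswith("+")
    digits = re.sub(r"\D", "", number)
    return ("+" if plus else "") + digits


def is_international(number):
    """True for numbers dialled with an international prefix ('00' or '+')."""
    return number.startswith("+") or number.startswith("00")


def parse_phonebook(text):
    """Map entry name -> list of normalised PhoneNumber values, in file order."""
    book = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            book.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "phonenumber" and value.strip():
            book[current].append(normalise(value))
    return book


def audit_phonebook(text, expected):
    """Flag every number not in its entry's expected set; mark international ones."""
    findings = []
    for entry, numbers in parse_phonebook(text).items():
        allowed = {normalise(n) for n in expected.get(entry, set())}
        for number in numbers:
            if number not in allowed:
                findings.append({
                    "entry": entry,
                    "number": number,
                    "international": is_international(number),
                })
    return findings


if __name__ == "__main__":
    # Optional path to a real rasphone.pbk; otherwise audit the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, errors="replace").read() if path else SAMPLE_PBK
    for f in audit_phonebook(text, EXPECTED_NUMBERS):
        flag = " (international prefix)" if f["international"] else ""
        print(f"{f['entry']}: unexpected number {f['number']}{flag}")
```

Scheduling this at logon and comparing against the ISP's published number gives the "restart and look" check BM did by hand; a hit with an international prefix on a connection that should be local is the signature of the dialler described in this thread.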