Re: Advice please-browser hijacker..
From: vb (a_at_b.c)
Date: 12/31/04
- Next message: Robert: "Re: Advice please-browser hijacker.."
- Previous message: bj: "CD DRIVE BEHAVING STRANGELY-VIRUS?"
- In reply to: tarquinlinbin: "Advice please-browser hijacker.."
- Next in thread: Robert: "Re: Advice please-browser hijacker.."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 31 Dec 2004 14:56:06 -0500
"tarquinlinbin" <braantispam@hotmail.com> wrote in message
news:mg1bt0t5taatbglh48e1ofnamo02vh8ggc@4ax.com...
> Hello,
> I am currently troubleshooting a friend's Toshiba laptop which has a
> browser hijacker on board which may also have been linked to a porn
> dialler, but not sure.... It's all down to his teenage son who is
> obviously at a curious age. The last time I had his laptop, it was a
> full reformat and rebuild, but that's not required now. When MSIE is
> launched it automatically goes to http://angelsfucked.com/se,html and
> prompts for a download (ActiveX maybe, or dialler??). Anyway, it's about
> impossible to navigate away from this page and so the web browser is
> practically unusable. I've tried Ad-Aware/Spybot S&D and neither will
> clear it. I've run regedit and browsed/deleted reg entries but they
> return!!
>
> My latest attempt is with HijackThis, again; if I delete the obvious
> HijackThis entries then they return. The log is as follows:
>
> Logfile of HijackThis v1.99.0
> Scan saved at 16:54:51, on 31/12/2004
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\System32\nvsvc32.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\System32\00THotkey.exe
> C:\WINDOWS\system32\TPWRTRAY.EXE
> C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
> C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
> C:\WINDOWS\system32\TFNF5.exe
> C:\Program Files\Apoint2K\Apoint.exe
> C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
> C:\Program Files\Microsoft Works\WksSb.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\Common Files\Microsoft Shared\Works
> Shared\wkcalrem.exe
> C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
> C:\Program Files\Apoint2K\Apntex.exe
> C:\WINDOWS\system32\ntvdm.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> C:\Program Files\Grisoft\AVG Free\avgcc.exe
> C:\Program Files\Grisoft\AVG Free\avgemc.exe
> C:\WINDOWS\system32\drwtsn32.exe
> C:\WINDOWS\system32\drwtsn32.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\DOCUME~1\JOHNDO~1\LOCALS~1\Temp\Temporary Directory 1 for
> hijackthis.zip\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://www.btopenworld.com/searchpane
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
> http://angelsfucked.com/se.html
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://angelsfucked.com/se.html
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
> http://bt.yahoo.com
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> http://angelsfucked.com/se.html
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
> Microsoft Internet Explorer
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
> - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
> /Spoil /RemAdvDef /Migration32
> O4 - HKLM\..\Run: [MSPY2002]
> C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
> O4 - HKLM\..\Run: [PHIME2002ASync]
> C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
> O4 - HKLM\..\Run: [PHIME2002A]
> C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
> initialize
> O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
> O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
> O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
> O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
> O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless
> Hotkey\TosHKCW.exe"
> O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
> O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
> O4 - HKLM\..\Run: [TouchED] C:\Program
> Files\TOSHIBA\TouchED\TouchED.Exe
> O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft
> Works\wkfud.exe
> O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program
> Files\Microsoft Works\WksSb.exe /AllUsers
> O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
> Files\Microsoft Works\WkDetect.exe
> O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> /STARTUP
> O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
> O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
> O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk =
> C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
> - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\msmsgs.exe
> O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
> O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
> http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
> O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
> Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
> O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) -
> https://register.btinternet.com/templates/btmailcontrol013.cab
> O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
> (MessengerStatsClient Class) -
> http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
> O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -
> https://register.btinternet.com/templates/btwebcontrol024.cab
> O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
> C:\WINDOWS\System32\nvsvc32.exe
> O23 - Service: SymWMI Service - Symantec Corporation - C:\Program
> Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
>
> *****end of log
>
>
> As a temporary measure I've installed Mozilla Firefox as a web browser.
> I have also installed MS SP2 and all updates.
>
> Any ideas gratefully received!!
>
> jo
Run HijackThis and delete anything suspicious. Then install hguard to keep
your home page.
V.B.
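As an added example (not code from anyone in this thread), here is a small Python triage helper that parses the R0/R1 lines of a HijackThis log like the one quoted above and flags the Internet Explorer Main values whose URL host is not on an allowlist of expected hosts. The sample log lines are constructed from the quoted log with the hijacker's domain replaced by a placeholder, and the allowlist of ISP default hosts is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the HijackThis v1.99 log quoted above;
# the hijacker's host is replaced with the placeholder hijacker.invalid.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.btopenworld.com/searchpane
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://hijacker.invalid/se.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hijacker.invalid/se.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = http://hijacker.invalid/se.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
"""

# Assumption: the ISP defaults seen in the log are the only hosts IE should point at.
EXPECTED_HOSTS = {"www.btopenworld.com", "bt.yahoo.com"}

# R0/R1 line layout: "<type> - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(\w[\w ]*?) = (.*)$")


def parse_r_entries(log_text):
    """Return (type, hive, key_path, value_name, data) for every R0/R1 line."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def flag_hijacked(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return (hive, value_name, host) for IE Main URLs pointing off the allowlist."""
    flagged = []
    for _kind, hive, _key, name, data in parse_r_entries(log_text):
        if not data.lower().startswith(("http://", "https://")):
            continue  # Window Title and similar values are free text, not URLs
        host = urlsplit(data).hostname
        if host not in expected_hosts:
            flagged.append((hive, name, host))
    return flagged


if __name__ == "__main__":
    for hive, name, host in flag_hijacked(SAMPLE_LOG):
        print(f"{hive} IE Main\\{name} points at unexpected host {host}")
```

Entries that reappear after deletion, as described in the post, point to a re-writer still running; the parser only tells you which values to watch, not what rewrites them.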