Security

General discussion

Gravatar
Locked

help with hijacking

By Tink! ·
We have one Dell workstation that is over a year old and has a problem with pop-ups for a while now. A while back I managed to stop them temporarily by removing miscellaneous programs (except Weatherbug), but now they are back with a vengeance. I removed any software or programs that looked frivolous to her system. (Including WeatherBug) and AOL toolbar (She does continue to use AIM). But still more popups.

I am now pretty sure her browser is hijacked. It doesn't change her home page or take her to any unwanted sites, but the popups are not linked to any clear separate process. They appear to link most often to iexplore.exe or explore.exe
Sometimes even taskmanager! They only appear when she is online, but they come from her computer, not the websites. (thereby getting past IE's popup blocker) I did see "Inqwire" as the title of a few of the popups and searched that. But after downloading and running HijackThis I did not see any of the things that they say to remove if you get hijacked by Inqwire.

So...below is the HijackThis log. I cannot see any apparent problems. Can anyone else spot what is amiss? thanks for any help! Tink

Logfile of HijackThis v1.99.1
Scan saved at 10:36:48 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\carinsdell\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kolorcure.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kolorcure.local
O17 - HKLM\Software\..\Telephony: DomainName = kolorcure.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kolorcure.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This conversation is currently closed to new comments.

23 total posts (Page 1 of 3)   01 | 02 | 03   Next
+ Follow this Discussion ·
| Thread display: Collapse - | Expand +

All Comments

gravatar
Collapse -

hkcmd.exe

by lmnogoldfish In reply to help with hijacking

Check the manufacturer and date on this exe.
Try going to Intel and reloading your chipset 810 software.
Then go to Trend Micro and run the free spy ware tool.
Also, I'd anonymize anything like this you post. This one's a bit of a giveaway.
Good luck!

gravatar
Collapse -

thanks

by Tink! In reply to hkcmd.exe

I'll check your suggestions out.

As for the anonyminity. I don't mind showing that I don't know something. This is how I've gotten where I am now, by learning OJT. I only get my official title because I'm the only one here who understand these things.=-)

gravatar
Collapse -

short of a rootkit

by Dr Dij In reply to help with hijacking

combine anti-spyware to find this. it's probably in a startup key in registry key somewhere.

spybot, ad-aware are good but won't get all.
add ms anti-spyware, and download the trial vsn of webroot after above have run.

disable active-x on this pc in internet zone. don't let them install anything, don't give admin rights. update all patches to prevent buffer overflow / malformed takeovers.

if you spend too much time, re-image it. but lock it down too so you don't have to repeat every few..

gravatar
Collapse -

Suggestions

by BFilmFan In reply to help with hijacking

Check and see if services.msc is set to enabled and is running. You could get pop-up's through the Messenger service.

Also, remove the AIM program and see if the popups stop. If they do, then AIM has been compromised.

gravatar
Collapse -

doh!

by Tink! In reply to Suggestions

I can't believe I didn't think of uninstalling AIM!

Well I did uninstall it today after your suggestion. It looked like it stopped up until she went to close down and she got 1 popup. We are going to try browsing again tomorrow and see if the popups continue.

gravatar
Collapse -

oh, this looks familiar.....!

by gadgetgirl In reply to help with hijacking

I have the feeling I know where this landed from - same place as mine did, WeatherBug. Had the same problem on my home lappie - all because I wanted to look at a particular countrys' weather over Xmas to ensure a mate was skiing on snow and not grass.....

There seem to be numerous variations of this program; some legit, some not. The legit ones seem to be clean (seem!) but with all the variations when you google it, you have no way of really knowing the good from the bad! (or even for which country - that one caught me out, too!)

The only way I got this to stop was not simply re-imaging - I ended up using a proprietary data destruction program on the drive, as the image (which I knew was clean) kept stalling (no idea why, I'm not that technical)

Just trying to tip you off to allow time for a total blat of the drive, as well as re-imaging...

I HATE WEATHERBUG!



GG

gravatar
Collapse -

Kill Weatherbug!

by Tink! In reply to oh, this looks familiar.. ...

yea, I kinda had a feeling Weatherbug might have been more of a bug than just the weather! But in this case I'm not sure if it was the one and only culprit. It may be an affliction arising from several sources. I'm not sure. Because I don't know exactly what is causing the popups because I can't find the files that are supposed to be there if it's Inqwire.

Have already run Ad-Aware and Spybot in both safe and normal modes, as well as Norton and Panda. They all got rid of certain things, but none have stopped the popups. The programs now installed all look legit. We still have further testing to do today because we uninstalled AIM yesterday and didn't get any popups for quite a while, until the very end. I'll keep you posted. Still open to suggestions!

gravatar
Collapse -

One More Malware Removal Tool

by Dave the Computer Guy In reply to Kill Weatherbug!

One other program you may want to try is called Malware Destroyer by a company called EMCO. It can be downloaded for free at:

http://www.emco.is/malwaredestroyer/features.html

Can't hurt.......

gravatar
Collapse -

Strange, Weatherbug seems just fine ...

by Too Old For IT In reply to oh, this looks familiar.. ...

... here. gives the alerts, and precious little else. Must have been my install.

I wish I could find a better solution for the wife, however. She could have been a first rate meteorologist if her mother hadn't been such a squeezing, wrenching, grasping, scraping, clutching, covetous old sinner when it came time to talk about financing college.

gravatar
Collapse -

You can spend all of this time troubleshooting . . . OR

by nowikn In reply to help with hijacking

Rebuild your PC and be malware / virus / etc. free in less than 3 hours. :)

Back to Security Forum
23 total posts (Page 1 of 3)   01 | 02 | 03   Next

Start or search

Related Discussions

Related Forums