I am receiving a popup from http://trafficex.org/trs/console.php?adv=aI8pgk in my browser window and can't get rid of it. I ran hijack this but don't see anything recognizable in the log.
Any suggestions would be appreciated.
Best regards and many thanks,
Cam

I'm attaching the hijackthis log in hopes it will help.
Cam
Logfile of HijackThis v1.97.7
Scan saved at 8:02:26 AM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\consol32.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Netscape\NETSCA~1\Netscp.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Steve\backup\HijackThis.exe

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\system32\services\winlogon.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http:/www.msn.com"); (C:\Documents and Settings\steve cameron\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_06.src"); (C:\Documents and Settings\steve cameron\Application Data\Mozilla\Profiles\default\0vkv7ql8.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2} - C:\Program Files\NetLeech\IEExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape 6\Netscp.exe" -turbo
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: Download With NetLeech - C:\Program Files\NetLeech\NLExtMenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38023.7333217593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
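The replies below point at two things in a log like this one: executables named to look like a real Windows binary (swchost.exe, scchost.exe, sxchost.exe next to the genuine svchost.exe) and autostart entries whose target was dropped straight into the Windows directory. As an added example, not part of Cam's post and not HijackThis code, the Python script below walks a HijackThis log and flags both patterns. The sample lines are a subset of the log above; the list of genuine system names, the similarity threshold and the "allowed in the Windows root" exception are assumptions and should be tuned for the system being triaged.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Sample input: a subset of the HijackThis log posted above (process list plus O4 Run entries).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\consol32.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Genuine Windows binaries that malware names itself after (assumed list; extend as needed).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}
# Binaries that legitimately live directly in the Windows directory (assumed).
ALLOWED_IN_WINDOWS_ROOT = {"explorer.exe"}
# Assumed threshold: one or two changed characters in an 11-character name scores about 0.9.
LOOKALIKE_THRESHOLD = 0.85

RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
EXE_IN_CMD = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def lookalike_of(basename):
    """Return the genuine system file name this name imitates, or None.
    An exact match is the real system file, not a look-alike."""
    name = basename.lower()
    if name in SYSTEM_NAMES:
        return None
    best = max(SYSTEM_NAMES, key=lambda real: SequenceMatcher(None, name, real).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD else None


def in_windows_root(path):
    """True when the file sits directly in the Windows (or WINNT) directory, not in System32."""
    p = PureWindowsPath(path)
    return (len(p.parts) == 3
            and p.parts[1].lower() in {"windows", "winnt"}
            and p.name.lower() not in ALLOWED_IN_WINDOWS_ROOT)


def triage(log_text):
    """Return (section, path, reasons) for every process line or O4 Run entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:
            exe = EXE_IN_CMD.match(m.group("cmd"))
            if not exe:
                continue
            path, section = exe.group("exe"), f"O4 {m.group('hive')} Run [{m.group('name')}]"
        elif PROCESS_LINE.match(line):
            path, section = line, "process"
        else:
            continue
        reasons = []
        real = lookalike_of(PureWindowsPath(path).name)
        if real:
            reasons.append(f"name imitates {real}")
        if in_windows_root(path):
            reasons.append("binary sits directly in the Windows directory")
        if reasons:
            findings.append((section, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, path, why in triage(SAMPLE_LOG):
        print(f"{section:40} {path:45} {why}")
```

Both heuristics are deliberately coarse: a legitimate program in the Windows root or an unusual but benign name will show up too, so the output is a list of entries to look at, not a verdict.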

Hi Cam
I have the same problem. I am a newcomer to computers but if you think it would help I could post my log for comparison.
If you've found a solution PLEASE let me know.
Thanks
Paul

This is some sort of trojan/hijack program.
The files, dl.exe, dlm.exe are definitely not part of your regular system.
My system had these, as well as a file called sxchost.exe, which is not a real file, but is designed to look like it is relevant/similar to svchost.exe. Most likely the files scchost.exe and swchost.exe listed in your running processes are part of the same program or series of programs. You can do a search of the C:\windows directory and it will turn up the .exe files, along with the prefetch files that help call the programs when windows starts. Just remember you will have to stop the processes before you delete the files or they will not let you delete them.
I'm not sure where these were from and what they are trying to do so good luck.

Also be on the look out for reg33.exe, teen.exe, secure.html and I think there were a few others. What I did to remove this was search my computer for files modified or created at the time of infection. Just run HijackThis, select the files mentioned in this thread and clean, then Ctrl+Alt+Delete, go to Processes and find those .exe programs running. Select them and "End Process" on all. Then go and delete the files, which are stored in your Windows directory as well as other places. I even found this thing digging so far as C:\WINNT\system32\drivers\etc where it made some changes to my hosts file! There are probably different versions around as well. This thing seems to operate by executing code sent from a website. I had 2 command prompt type windows open and close briefly at the time of infection.
more info on this at http://www.computercops.biz/postitle23613-0-0-.html as well as good old google.com

Guess I'm next....about 3-5 days now, same annoying problem with the trafficex popup. Also one dl.html. In fact since I've been trying to post this they have appeared no less than five times.
Really ANNOYING, I promise....
Problem is, as far as you guys are describing how to get rid of it? Let me just say that in the field of computer lingo? I'm really good as a....piano player. Can you please describe the solution in piano player terms? Thanks
ps that's my cd below....http://www.cdbaby.com/cd/soundslikeus

Hey, guys, I might have the answer.
Do this:
http://www.microsoft.com/windows/ie/using/howto/restrictedsites/stoppopups.asp
Haven't seen it again since....yet.
Wish me luck and good luck to everyone above me on this thing :)
Radice

New day,still coming up. Relentless motherf**ker. Wish I knew where they were, would love to bring a bat. If anyone figures out how to stop it (JUST STARTED AGAIN HERE MID SENTENCE DAMN IT!!!!!) PUH-LEEEZE tell us.

Well .. the same just happened to me and I have traced most of the activity. Unfortunately I rebooted - and ran the programs that were inserted into the registry.
In addition to killing the processes, deleting the files and editing the registry, you should ALSO -> Reset your Internet Explorer setting to default and make whatever normal security changes you make AND be sure to clear your cached files (if reset does not do it) because your IE settings have been corrupted by the infection.
Here is what I found deposited on my machine at infection time:
(DELETE ALL OF THESE FILES and their copies in the PREFETCH (XP only) - after stopping the processes using TASK MANAGER)
C:\WINDOWS\DL.exe
C:\WINDOWS\DL.HTM
C:\WINDOWS\DLM.HTM
C:\WINDOWS\DLM.exe
C:\WINDOWS\REG33.exe
C:\WINDOWS\MSSTASKS.exe
C:\WINDOWS\TOFFEL32.exe
C:\WINDOWS\CONSOL32.exe
C:\WINDOWS\SECURE.HTML
C:\WINDOWS\SECUREA.HTML
C:\WINDOWS\SECUREB.HTML
C:\WINDOWS\SXCHOST.exe
C:\WINDOWS\MSTASKSS.exe
C:\WINDOWS\DORU32.DLL
----------
Followup Investigation:
File C:\WINDOWS\SETUPAPI.LOG excerpt:
[2004/04/06 19:51:36 464.37]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\Documents and Settings\<myuseraccount>\Local Settings\Temporary Internet Files\Content.IE5\W9GHURCT\load[1].exe" to "C:\WINDOWS\Downloaded Program Files\load.exe".
#E361 An unsigned or incorrectly signed file "C:\Documents and Settings\<my user account>\Local Settings\Temporary Internet Files\Content.IE5\W9GHURCT\load[1].exe" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
--------
(run MSCONFIG and uncheck all of these entries except 'Upgrade Service'; for that one you must use Registry Editor to delete it)
Registry entries added:
HKLM\Software\Microsoft\Windows\Current Version\RUN:
Dial32 c:\windows\dl.exe
Dial33 c:\windows\dlm.exe
Reg32 c:\windows\reg33.exe
Upgrade Service c:\windows\sxchost.exe

Sorry if this info is too complex. Print out the message and ask a friend or the local computer shop to walk you through these things. Do not edit the registry yourself if you are not comfortable doing it.
Good Luck and I hope this helps.

Go to the site below. Please do not just show up and post HijackThis logs. Read the guides and follow them. There are people there who can assist you with dealing with these things.
http://help.lockergnome.com/index.php?act=idx

I had the same problem. Think I've cleared it by deleting c:\windows\consol32.exe (had to reboot in DOS to do this as windows said it was running even though not shown in Task Manager). Also fixed O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe in HijackThis.
Hope this helps.

Hi!
I also had a similar attack. It seems to me that the "load[1].exe" was downloaded and executed all by itself, at least no "Security Warning" showed up. This is scary indeed, does anyone know if it is a known security hole in internet explorer?
Excerpt from setupapi.log below.
Regards / Z
[2004/04/24 02:45:16 1616.15]
Munged cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.exe"
EXE name: C:\Program Files\Internet Explorer\IEXPLORE.exe
Copying file C:\Documents and Settings\Administrator.ZERVER\Local Settings\Temporary Internet Files\Content.IE5\2NGNUX2H\load[1].exe to C:\WINNT\Downloaded Program Files\load.exe.
An unsigned or incorrectly signed file (C:\Documents and Settings\Administrator.ZERVER\Local Settings\Temporary Internet Files\Content.IE5\2NGNUX2H\load[1].exe) was installed. Error 0x800b0100: No signature was present in the subject.
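Two posters in this thread (the "Followup Investigation" above and Z's excerpt here) found the same trace in setupapi.log: Internet Explorer copying load[1].exe out of its Temporary Internet Files cache into Downloaded Program Files, followed by an "unsigned or incorrectly signed file ... installed" notice with error 0x800b0100. As an added example, not code from either poster or from Windows, the Python script below parses both of the log formats shown in the thread and returns the sections where a browser installed an unsigned binary straight out of its cache. The sample log is constructed from the two excerpts (with the user name replaced by a placeholder) plus one benign msiexec section added as a control; the browser list is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two excerpts from this thread (user name replaced by <user>)
# plus a benign msiexec section, invented here as a control that must not be flagged.
SAMPLE_SETUPAPI = r"""[2004/04/06 19:51:36 464.37]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\W9GHURCT\load[1].exe" to "C:\WINDOWS\Downloaded Program Files\load.exe".
#E361 An unsigned or incorrectly signed file "C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\W9GHURCT\load[1].exe" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/04/06 20:10:02 464.38]
#-198 Command line processed: "C:\WINDOWS\system32\msiexec.exe"
#-024 Copying file "C:\WINDOWS\Temp\setup.exe" to "C:\Program Files\Vendor\setup.exe".
[2004/04/24 02:45:16 1616.15]
Munged cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.exe"
EXE name: C:\Program Files\Internet Explorer\IEXPLORE.exe
Copying file C:\Documents and Settings\Administrator.ZERVER\Local Settings\Temporary Internet Files\Content.IE5\2NGNUX2H\load[1].exe to C:\WINNT\Downloaded Program Files\load.exe.
An unsigned or incorrectly signed file (C:\Documents and Settings\Administrator.ZERVER\Local Settings\Temporary Internet Files\Content.IE5\2NGNUX2H\load[1].exe) was installed. Error 0x800b0100: No signature was present in the subject.
"""

SECTION_HDR = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
LAUNCHER = re.compile(r'(?:Command line processed|Munged cmdline|EXE name): "?(?P<exe>[^"]+?)"?$')
COPY = re.compile(r'Copying file "?(?P<src>.+?)"? to "?(?P<dst>.+?)"?\.?$')
UNSIGNED = re.compile(r'unsigned or incorrectly signed file ["(]?(?P<file>.+?)[")]? (?:will be|was) installed')
ERRCODE = re.compile(r"Error (?P<code>0x[0-9A-Fa-f]{8})")
BROWSERS = {"iexplore.exe"}  # assumed: processes whose file copies count as downloads


def parse_setupapi(text):
    """Split setupapi.log into timestamped sections, each with its launching exe,
    the (source, destination) file copies and any unsigned-file notices."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SECTION_HDR.match(line)
        if hdr:
            cur = {"ts": hdr.group("ts"), "launcher": None, "copies": [], "unsigned": []}
            sections.append(cur)
            continue
        if cur is None:
            continue
        body = re.sub(r"^#[-E]\d+\s+", "", line)  # drop "#-024 " / "#E361 " style prefixes
        m = LAUNCHER.search(body)
        if m:
            cur["launcher"] = m.group("exe")
        m = COPY.search(body)
        if m:
            cur["copies"].append((m.group("src"), m.group("dst")))
        m = UNSIGNED.search(body)
        if m:
            code = ERRCODE.search(body)
            cur["unsigned"].append((m.group("file"), code.group("code") if code else None))
    return sections


def drive_by_installs(text):
    """Sections where a browser copied an unsigned file out of its own cache into an install location."""
    hits = []
    for s in parse_setupapi(text):
        launcher = PureWindowsPath(s["launcher"]).name.lower() if s["launcher"] else ""
        if launcher not in BROWSERS:
            continue
        unsigned_names = {PureWindowsPath(f).name.lower() for f, _ in s["unsigned"]}
        for src, dst in s["copies"]:
            from_cache = "temporary internet files" in src.lower()
            if from_cache and PureWindowsPath(src).name.lower() in unsigned_names:
                hits.append({"ts": s["ts"], "launcher": launcher, "src": src, "dst": dst})
    return hits


if __name__ == "__main__":
    for hit in drive_by_installs(SAMPLE_SETUPAPI):
        print(f"{hit['ts']}  {hit['launcher']}  {hit['src']}  ->  {hit['dst']}")
```

Matching the unsigned notice to the copy by file name rather than full path is deliberate: the two log lines in the first excerpt render the user profile path slightly differently, and a strict path comparison would miss the event.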
