
hijacker did it to me

Discussion in 'Malware and Virus Removal Archive' started by johngkerr, 2003/10/23.

Thread Status:
Not open for further replies.
  1. 2003/10/23
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    My IE was hijacked; I got most of it with Spybot and HijackThis.

    I am posting my startup list to see if anyone sees anything.
    They changed my system.ini file to run a file called tapicfg.exe. The path was c:\tapicfg.exe. Also an entry HijackThis found that no other spyware program found: O19 - User stylesheet: c:\windows\web\win.def

    This is my startup list

    StartupList report, 10/23/2003, 7:03:18 PM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\EZ-S.M.A.R.T\EZSMART.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\PROGRAM FILES\CALLWAVE\IAM.EXE
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WALLSMART.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    EZSMART App.lnk = C:\Program Files\EZ-S.M.A.R.T\EZSMART.exe
    Resource Meter.lnk = C:\WINDOWS\RSRCMTR.EXE
    Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    WallSmart.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = c:\windows\scanregw.exe /autorun
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SystemTray = SysTray.Exe

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 25/7/2003, 16:29:42)


    --------------------------------------------------


    Enumerating Browser Helper Objects:

    CCHelper - D:\PANICWARE\POP-UP STOPPER\CCHELPER.DLL - {0CF0B8EE-6596-11D5-A98E-0003470BB48E}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_Unknown User.job
    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_John Kerr.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.528287037

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{486E48B5-ABF2-42BB-A327-2679DF3FB822}]
    InProcServer32 = C:\WINDOWS\SYSTEM\IA.DLL
    CODEBASE = http://akamai.downloadv3.com/binaries/IA/ia.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 3,526 bytes
    Report generated in 0.495 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Don't know if I got it all; my pages run much better after I deleted the stylesheet.
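A small triage helper for the report format posted above, added here as an example and not tooling from the thread or from StartupList/HijackThis: it splits a StartupList report into its sections, flags any executable path outside C:\WINDOWS or C:\Program Files (an assumed list of trusted prefixes), and checks a Win9x system.ini shell= line for programs appended after Explorer.exe, which is how an entry like c:\tapicfg.exe would stand out. The report excerpt and the system.ini content are constructed samples.

```python
"""Triage helper for StartupList reports and system.ini (added example)."""
import re

# Assumption: autostart entries are normally expected under these roots.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Matches a drive-letter path ending in a common autostart file type.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx|def)\b", re.I)

# Constructed excerpt modelled on the report quoted in the thread.
SAMPLE_REPORT = r"""Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\TAPICFG.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
"""

# Constructed Win9x system.ini [boot] section with an appended program.
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe c:\tapicfg.exe
drivers=mmsystem.dll
"""


def parse_sections(report):
    """Split a StartupList report into {section title: [entry lines]}.

    Section titles end with ':'; rows of '-' or '=' are separators."""
    sections, title = {}, None
    for line in report.splitlines():
        line = line.strip()
        if not line or set(line) <= {"-", "="}:
            continue
        if line.endswith(":"):
            title = line[:-1]
            sections[title] = []
        elif title is not None:
            sections[title].append(line)
    return sections


def suspicious_paths(report):
    """Return every drive-letter path not under a trusted prefix."""
    return [path
            for entries in parse_sections(report).values()
            for entry in entries
            for path in PATH_RE.findall(entry)
            if not path.lower().startswith(TRUSTED_PREFIXES)]


def extra_shell_programs(ini_text):
    """Programs on the shell= line other than Explorer.exe itself."""
    for line in ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell":
            return [p for p in value.split() if p.lower() != "explorer.exe"]
    return []


if __name__ == "__main__":
    print("Paths outside trusted roots:", suspicious_paths(SAMPLE_REPORT))
    print("Extra shell= programs:", extra_shell_programs(SAMPLE_SYSTEM_INI))
```

Entries given as a bare file name (such as `SysTray.Exe`) carry no path and are not evaluated, so they still need a manual look.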
     
  2. 2003/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    johngkerr
    It's practically impossible to help fix someone's hijack if they've already partially started the fix, and if they exclude something.

    Please wait until the hijack comes back, run CWShredder.exe,
    clean up with SpyBot, restart the PC even if not asked to (prompted), connect again and post your HijackThis log,
    not the startup list.

    You do know a style-sheet is the hallmark of the CoolWebSearch
    hijacker/trojan. It evolves almost every day, sometimes twice:
    http://www.spywareinfo.com/~merijn/cwschronicles.html

    Regards,
    Lonny
     
    Last edited: 2003/10/24


  4. 2003/10/25
    dr_gle

    dr_gle Inactive

    Joined:
    2002/01/14
    Messages:
    40
    Likes Received:
    0