
how-to block ads

mdbaird76
join:2003-06-26 Oaklyn, NJ

wabu.com nightmare

I ran HijackThis and came up with this. Can anyone help?
Logfile of HijackThis v1.95.0
Scan saved at 10:23:29 PM, on 6/26/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://i13889.wabu.com/passthrough/index.html?www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
N2 - Netscape 6: user_pref("browser.startup.homepage", "yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7a9hfd9d.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7a9hfd9d.slt\prefs.js)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
O2 - BHO: (no name) - {6cca2ac0-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: tkugrgloogc - {6cca2ac1-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [LTWinModem3] ltmsg.exe 7
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [prqubll] C:\WINDOWS\APPLIC~1\ookwrgpr.exe -QuieT
O4 - HKLM\..\Run: [win32app] c:\windows\System\winpup32.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - 207.188.7.150/1750cb631ca6ead87f···xIE6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com/pub/shoc···wdir.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - www.wildtangent.com/install/wdri···inst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com/C···35416667
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - secure2.comned.com/signuptemplat···rity.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - www.goinnow.com/tl4000.dll
O16 - DPF: Yahoo! Hearts (TIBSLoader Class) - download.games.yahoo.com/games/c···t0_x.cab

jaykaykay
Premium,MVM join:2000-04-13 Scottsdale, AZ
I don't know how to read HijackThis, but I can tell you what Google says, plain and simple, about the site...

Sounds fascinating. What have you been doing?

Search The Web! Online Gambling Adult Entertainment Viagra Diet Pills E-mail Weight Loss Inkjet Cartridge Home Business Money Business Opportunity Domain Names Credit Cards ...

-- JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

Zupe
Premium,MVM join:2001-11-29 New York, NY
reply to mdbaird76

said by mdbaird76 :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://i13889.wabu.com/passthrough/index.html?
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
O2 - BHO: (no name) - {6cca2ac0-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
O3 - Toolbar: tkugrgloogc - {6cca2ac1-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [prqubll] C:\WINDOWS\APPLIC~1\ookwrgpr.exe -QuieT
O4 - HKLM\..\Run: [win32app] c:\windows\System\winpup32.exe
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - www.goinnow.com/tl4000.dll
Ok, these are the ones that caught my eye on a quick read through.
First off, winpup32.exe is reported as being a trojan of some sort, though I couldn't find any details. (Edit: It appears this is an app that pops up ads for a porn site; it should be detected by Ad-Aware and probably Spybot as well.) You should run a scan with an updated AV, and also consider downloading Trojan Hunter's or TDS-3's demos and scanning with them.
rb32.exe is RapidBlaster spyware. If you try to remove it with HijackThis, it may rename itself and hide somewhere else, so use JavaCool's removal tool instead - www.wilderssecurity.net/speciali···#removal
Have you run Ad-Aware or Spybot Search and Destroy to try to remove any of this? You have several other spyware/adware programs here.
MediaLoads Enhanced is a spyware program called Network Essentials - www.doxdesk.com/parasite/Network···als.html
The Wabu entry and the ones with the gibberish names are LOP spyware - www.doxdesk.com/parasite/lop.html
The last one, goinnow, is a porn dialer; you should be able to check this in HijackThis and tell it to remove it.
Also, PromulGate is an adware-based media player; not sure if you want that or not.
***Edit***
O15 - Trusted Zone: free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - 207.188.7.150/1750cb631ca6ead87f04/net..
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - stream10k.redhotnetworks.com/cabs/vide..
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - secure2.comned.com/signuptemplates/Act..
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - www.goinnow.com/tl4000.dll
Check all of these in HijackThis and have it remove them. Most are porn dialer related; the AOL one is just an annoyance added by AIM.
***Edit 2***
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
As Engsetter pointed out below, this one is also spyware, known as ISTBar - www.doxdesk.com/parasite/ISTbar.html
-- Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-06-27 00:48:15]

Engsetter
join:2002-09-08
reply to mdbaird76

Run Spybot S&D with the latest updates and remove all items in red.
You have RapidBlaster, so run RapidBlaster Killer, found here: www.wilderssecurity.net/speciali···#removal
After doing the above, close all browsers and fix what is left in this list using HijackThis.
------------------------------------------
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=i13889.wabu.com/passthrough/index.html?www.yahoo.com/
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
Installed by ActiveX drive-by download using the ActiveInstall control on web pages; found here: www.spywareinfo.com/bhos/
O2 - BHO: (no name) - {6cca2ac0-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
Could not find anything on this one. Betting it is RapidBlaster. (If it is not, it will not hurt anything to remove this.)
O3 - Toolbar: tkugrgloogc - {6cca2ac1-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
What is this toolbar? Could not find anything on this either. Betting it is RapidBlaster. (If it is not, it will not hurt anything to remove this.)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Application scheduler installed along with RealOne Player. Runs independently of RealOne Player, to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. If it can't be disabled, try deleting or renaming realsched.exe and then delete the entry in the registry. www.pacs-portal.co.uk/startup_pa···p#Search
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
Adware-based media viewer by The Delfin Project. www.pacs-portal.co.uk/startup_pa···p#Search
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
RapidBlaster - homepage hijacker (adult content). www.pacs-portal.co.uk/startup_pa···p#Search
O4 - HKLM\..\Run: [prqubll] C:\WINDOWS\APPLIC~1\ookwrgpr.exe -QuieT
Could not find what this one was.
O4 - HKLM\..\Run: [win32app] c:\windows\System\winpup32.exe
Added as a result of an unidentified VIRUS! www.pacs-portal.co.uk/startup_pa···p#Search
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
TinyBar variant. Spyware. www.doxdesk.com/parasite/TinyBar.html
O15 - Trusted Zone: free.aol.com
-------------------------------------------
I recommend fixing these files using HijackThis; these files were downloaded by you (then again, maybe not!), especially if you don't know what they are for. If you need them at a later time, you will be prompted to download them again at that time.
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - 207.188.7.150/1750cb631ca6ead87f04/net..
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - stream10k.redhotnetworks.com/cabs/vide..
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - www.wildtangent.com/install/wdriver/dd..
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - secure2.comned.com/signuptemplates/Act..
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - www.goinnow.com/tl4000.dll
O16 - DPF: Yahoo! Hearts (TIBSLoader Class) - download.games.yahoo.com/games/clients..
I would recommend installing SpywareBlaster and SpywareGuard to stop the installation of a lot of different spyware.
If you had SpywareBlaster installed it would have provided protection from RapidBlaster: a database update was released on 6/7/2003 for SpywareBlaster that covers the latest variant of RapidBlaster. This will prevent the installation, but cannot prevent RapidBlaster from running once it is installed.
Good Luck!
[text was edited by author 2003-06-27 00:54:56]

Engsetter
join:2002-09-08
reply to mdbaird76

LOL Zupe, ya beat me to it.
I was thinking about mentioning the N2 group, but really was not sure if I should, as I don't use Netscape.
(Edit) mdbaird76, make sure you run a virus scan also.
[text was edited by author 2003-06-27 00:52:55]

Gavin_TH
join:2003-04-03 Australia
reply to mdbaird76

I would recommend you send winpup32.exe to submit@diamondcs.com.au and we will let you know if it is a trojan. Meanwhile, yes, scan your system with TDS free.
That would go for any instance where something doesn't look like a known spyware or adware: users are encouraged to send the file in and we will let them know ASAP.
-- Gavin Coe, DiamondCS Analyst
www.diamondcs.com.au
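The checks Zupe and Engsetter apply by eye above (gibberish entry names, a BHO or Run entry loading from Application Data, an O16 control pulled from a bare IP or served as a raw DLL instead of a .cab, a start page routed through a "passthrough" host) can be scripted so the same log can be re-triaged after each cleanup pass. The following is an added example written for this page, not code from the thread, from HijackThis or from any of the tools named above. Everything in it is an assumption except the log lines themselves: the KNOWN_BAD table holds only what the replies above say, the vowel/consonant thresholds are my own tuning against the posted log, and the sample log is retyped from the post with the forum's link markers removed and the truncated download paths replaced by a PLACEHOLDER segment. It needs Python 3.8 or later.

```python
"""Triage a HijackThis 1.9x log with the signals the replies above apply by hand. Heuristics only."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# File names the replies identify; built from this thread, not from a vendor database.
KNOWN_BAD = {
    "rb32.exe": "RapidBlaster (Zupe, Engsetter)",
    "winpup32.exe": "adult-site ad popper / reported trojan (Zupe)",
    "aupdate.exe": "ISTbar / TinyBar variant (Engsetter)",
    "tl4000.dll": "TIBSLoader dialer (Zupe)",
}
# On Win9x "Application Data" sits under C:\WINDOWS and passes for a system path at a glance.
USER_WRITABLE_DIRS = ("\\APPLICATION DATA\\", "\\APPLIC~1\\", "\\TEMP\\")
ENTRY_RE = re.compile(r"^(?P<kind>[RNO]\d+) - (?P<body>.*)$")
O2_O3_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: .*? - (?P<url>\S+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
HOST_IN_QUERY_RE = re.compile(r"(?:https?://)?(?:www\.)?[\w-]+\.[a-z]{2,}", re.IGNORECASE)

def looks_generated(name: str) -> bool:
    """Long consonant run or almost no vowels (BRLQGLQUBLLY, ookwrgpr); thresholds tuned so the log's legitimate names pass."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return longest_run >= 5 or vowel_ratio < 0.15

def check_entry(name: str, cmd: str) -> list:
    reasons = [f"entry name looks machine-generated: {name!r}"] if looks_generated(name) else []
    m = PATH_RE.search(cmd)  # O2/O3 give a DLL path, O4 a command line
    if not m:  # bare file name such as SysTray.Exe: nothing to judge from the log alone
        return reasons
    path = m.group(0)
    base = path.rsplit("\\", 1)[-1].lower()
    if any(d in path.upper() for d in USER_WRITABLE_DIRS):
        reasons.append(f"loads from a user-writable directory: {path}")
    if base in KNOWN_BAD:
        reasons.append(f"{base}: {KNOWN_BAD[base]}")
    if looks_generated(base.rsplit(".", 1)[0]):
        reasons.append(f"file name looks machine-generated: {base}")
    return reasons

def check_dpf(url: str) -> list:
    parsed = urlparse(url if "://" in url else "http://" + url)  # HijackThis prints O16 URLs without a scheme
    base, reasons = parsed.path.rsplit("/", 1)[-1].lower(), []
    try:
        ip_address(parsed.hostname or "")
        reasons.append(f"ActiveX control served from a bare IP address: {parsed.hostname}")
    except ValueError:
        pass
    if base.endswith(".dll"):
        reasons.append(f"DPF object is a raw DLL, not a .cab package: {base}")
    if base in KNOWN_BAD:
        reasons.append(f"{base}: {KNOWN_BAD[base]}")
    return reasons

def check_start_page(value: str) -> list:
    """R0: a start page that names one site in its query while pointing at another host."""
    parsed = urlparse(value)
    if parsed.query and HOST_IN_QUERY_RE.search(parsed.query):
        return [f"start page is routed through {parsed.hostname} before the site named in the query"]
    return []

def triage(log_text: str) -> list:
    """Return (kind, line, reasons) for every entry that trips at least one check."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body, reasons = m.group("kind"), m.group("body"), []
        if kind in ("O2", "O3") and (mm := O2_O3_RE.match(body)):
            reasons = check_entry(mm["name"], mm["path"])
        elif kind == "O4" and (mm := O4_RE.match(body)):
            reasons = check_entry(mm["name"], mm["cmd"])
        elif kind == "O16" and (mm := O16_RE.match(body)):
            reasons = check_dpf(mm["url"])
        elif kind == "R0" and "=" in body:
            reasons = check_start_page(body.split("=", 1)[1])
        if reasons:
            findings.append((kind, line, reasons))
    return findings

# Constructed sample: a subset of the posted log, link markers removed, truncated paths replaced by PLACEHOLDER.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://i13889.wabu.com/passthrough/index.html?www.yahoo.com/
O2 - BHO: (no name) - {6cca2ac0-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: tkugrgloogc - {6cca2ac1-8ca5-11d7-b277-0030ab220690} - C:\WINDOWS\APPLICATION DATA\BRLQGLQUBLLY.DLL
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [prqubll] C:\WINDOWS\APPLIC~1\ookwrgpr.exe -QuieT
O4 - HKLM\..\Run: [win32app] c:\windows\System\winpup32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/PLACEHOLDER/example.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.goinnow.com/tl4000.dll
"""
```

Running `triage(SAMPLE_LOG)` flags nine of the eleven lines and leaves the Acrobat BHO and the QuickTime Run entry alone; the toolbar with the pronounceable name "tkugrgloogc" is still caught because its DLL lives in Application Data under a name that is not pronounceable, which is why the checks look at both the display name and the file behind it. A clean pass says nothing about entries the regexes do not cover (N2, O9, O15), and a RapidBlaster that renames itself, as Zupe warns, would defeat the KNOWN_BAD lookup while still tripping the directory and name checks.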