cwwllcadaware

Browser Hijacked

I thought I was done until I ran MWAV on my other system and got the following (log excerpt):

Thu Jun 29 11:28:57 2006 => Offending file found: C:\WINDOWS\Temporary Internet Files\content.ie5\yp2xibq9\class3codesigningca2001[1].crl
Thu Jun 29 11:28:57 2006 => System found infected with surfplayer Spyware/Adware (class3codesigningca2001[1].crl)! Action taken: No Action Taken.
Thu Jun 29 11:29:10 2006 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Thu Jun 29 11:29:10 2006 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

---------------------------
NOTE:

The cfd.exe file was originally found in the following location and was deleted, but it keeps re-appearing when I re-scan with MWAV:

Program Files\Broadjump\Client Foundation\CFD.exe
---------------------------

Following is the HJT Log:


Logfile of HijackThis v1.99.1

Scan saved at 8:00:04 PM, on 6/29/06

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ICSMGR.EXE

C:\WINDOWS\TPPALDR.EXE

C:\PROGRAM FILES\GE\97769 DUAL SCROLL OPTICAL MOUSE\AMOUMAIN.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\WINDOWS\TPPSTRAY.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

\\GATEWAY1\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medicalprovisions.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [iCSMGR] ICSMGR.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE

O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~8\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class)


That is another false detection by MWAV. BroadJump Client Foundation is broadband troubleshooting software installed by various companies.

The first one is a webpage viewed in your cache (TIF) folder. Just clear your IE cache to get rid of it. I'll have to see what the 2nd item is, but I suspect another FP.


Any success in identifying the following:

 

Thu Jun 29 11:29:10 2006 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

 

Thu Jun 29 11:29:10 2006 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

cfd.exe is Broadjump (not Cydoor) so that is a False Detection.

 

This one:

Thu Jun 29 11:28:57 2006 => Offending file found: C:\WINDOWS\Temporary Internet Files\content.ie5\yp2xibq9\class3codesigningca2001[1].crl

Thu Jun 29 11:28:57 2006 => System found infected with surfplayer Spyware/Adware (class3codesigningca2001[1].crl)! Action taken: No Action Taken.

 

is a webpage in your cache (clear your Temporary Internet Files), and the second item is related to that, but it doesn't tell me where. You can read the description here and see if you have any of those files or entries on your system (but I really think it is just an item in the TIF).

Surfplayer (this is some sort of adware; it doesn't look dangerous, it just displays some ads):

http://www.pestpatrol.com/spywarecenter/pe...px?id=453060671
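As an added example (not part of this thread or of MWAV), a small Python triage helper for log lines in the MWAV format quoted above: it pairs "Offending file found" paths with the "System found infected" detections, collapses the repeated cfd.exe lines, and separates the two cases the replies discuss (a known legitimate program flagged under the wrong family, and an item that only lives in the browser cache). The KNOWN_BENIGN allow-list, the sample log text and the verdict labels are assumptions constructed for the example.

```python
import re

# Constructed sample, in the MWAV log format quoted in this thread.
SAMPLE_LOG = """\
Thu Jun 29 11:28:57 2006 => Offending file found: C:\\WINDOWS\\Temporary Internet Files\\content.ie5\\yp2xibq9\\class3codesigningca2001[1].crl
Thu Jun 29 11:28:57 2006 => System found infected with surfplayer Spyware/Adware (class3codesigningca2001[1].crl)! Action taken: No Action Taken.
Thu Jun 29 11:29:10 2006 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Thu Jun 29 11:29:10 2006 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
"""

# Hypothetical allow-list: file names the thread identifies as legitimate software.
KNOWN_BENIGN = {
    "cfd.exe": "BroadJump Client Foundation (broadband troubleshooting software)",
}

PATH_RE = re.compile(r"^(?P<ts>.+?) => Offending file found: (?P<path>.+)$")
DETECT_RE = re.compile(
    r"^(?P<ts>.+?) => System found infected with (?P<family>.+?) Spyware/Adware "
    r"\((?P<file>[^)]+)\)! Action taken: (?P<action>.+?)\.?$"
)


def triage(log_text):
    """Return one verdict dict per unique detected file name."""
    paths = {}  # lower-cased file name -> full path from 'Offending file found' lines
    hits = {}   # lower-cased file name -> detection family (first occurrence wins)
    for line in log_text.splitlines():
        m = PATH_RE.match(line)
        if m:
            path = m.group("path")
            paths[path.rsplit("\\", 1)[-1].lower()] = path
            continue
        m = DETECT_RE.match(line)
        if m:
            hits.setdefault(m.group("file").lower(), m.group("family"))
    verdicts = []
    for name, family in hits.items():
        path = paths.get(name, "")
        if name in KNOWN_BENIGN:
            verdict, note = "likely false positive", KNOWN_BENIGN[name]
        elif "temporary internet files" in path.lower():
            verdict, note = "browser cache artefact", "clear Temporary Internet Files; not an installed program"
        else:
            verdict, note = "needs review", "no path or allow-list match"
        verdicts.append({"file": name, "family": family, "path": path, "verdict": verdict, "note": note})
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v['file']}: {v['verdict']} ({v['family']}) - {v['note']}")
```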
