Another Hijack while logged in to CCSP

IACOJ · Site Admin Joined: Oct 15, 2003 Posts: 263 Location: USA

Hi QuietOne.

I'm helping Paul trouble shoot this, and I need some more info. Some of my questions may make you feel like you are being asked to repeat yourself, I apologize if that is the case, it is more or less for my own troubleshoot tactics, and to make sure we are infact talking about the same thing.

Paul · Admin Joined: Feb 22, 2002 Posts: 5154 Location: USA

JD you have duplicated this?

phoenix22 · Posted: Mon Mar 08, 2004 10:33 am Post subject:

sorry......to clarify....it is a valid link w/no complications

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

Paul · Admin Joined: Feb 22, 2002 Posts: 5154 Location: USA

You don't have HijackThis installed? Grab it from here and post your logfile.

http://computercops.biz/downloads-file-...11.03.html

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

OK, HiJackThis dnld'd. Will be installed ASAP.

Here's the alerts file too.

Edited topic and deleted alerts file 3/9/04-0727

Paul · Admin Joined: Feb 22, 2002 Posts: 5154 Location: USA

I checked your alerts and searched on:

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

Paul · Admin Joined: Feb 22, 2002 Posts: 5154 Location: USA

Actually you can search that text file too without taking my word. If you resolve computercops.biz via nslookup and search on that IP you won't find it in the list. Neither will you find computercops.biz in it.

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

Here's the hijackthis log. After I logged off and got it installed I realized what kind of software it was and so, decided not to make you wait till tomorrow. Had to change the name to hijackrthis.log.txt since CCSP won't accept .log extensions.

Anyway, here it is.

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

That's not what I'm confused about. I'm confused about the fact that this is happening while I'm browsing CCSP but there are no links or other indicators of it happening associated with CCSP. I'm glad it's that way, but still confused as to why things are happening the way they are. That's all.

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

Here's an updated copy of the HiJackThis.log file from my computer, just in case something new has cropped up since I submitted the original.

IACOJ · Site Admin Joined: Oct 15, 2003 Posts: 263 Location: USA

Hi Quietone,

Sorry for the delay. I was asking for some additional input on a couple things in your first hijacklog, and ended up getting busy and neglected to get back to you. I apologize. I have asked for some assistance on a few things from your second hijacklog because there are a few things that aren't showing up on any reference. I'll get back to you with that information as soon as I have it.

Until then have hijackthis fix the following, and please post another hijacklog after it's done:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ceoexpress.com/personal.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O15 - Trusted Zone: www.ad-aware.nu
O15 - Trusted Zone: www.ceoexpress.com

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

The reason I'm suggesting you remove ceoexpress from both startup and from trusted zone is because they are affiliated with TribalFusion and have been known to dump zedo.com tracking cookies on people machines. Ad-aware.nu is a dead link which is why I'm saying to remove it from trusted zone.

You have many things running on startup which don't need to be there. Most of them are related to special characters, it is entirely up to you whether you want them changed or not. If you want the unnecessary things removed, because they will simply work when required to work, please advise and I'll give you a list.

IACOJ · Site Admin Joined: Oct 15, 2003 Posts: 263 Location: USA

Hi Quietone,

Please also have hjackthis fix the following before reposting your log.

O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll

QuietOne · Lieutenant Joined: Dec 28, 2003 Posts: 227 Location: USA

Hi IACOJ,

Have had HiJackThis fix all entries you requested EXCEPT for the two listed immediately below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ceoexpress.com/personal.asp
O15 - Trusted Zone: www.ceoexpress.com

These entries (ceoexpress) are references to my home page and I don't wish to change that page as I have used it for more than seven years. I'll contact ceoexpress and see what they say about the Tribalfusion cookies. In the meantime, I'm running, and have been running for some time, Ad-Aware Pro each time I quit an Inet session and deleting any spyware (tracking) cookies, but as mentioned this is not a new routine for me. Additionally I've just recently decided to switch browsers to Opera in the last few days and currently have it set up to block 3rd party cookies, so hope that will help. Your comments appreciated.

With respect to the special chars issue, the three entries below are related to MS's Input Method Editors and I use them quite a bit in creating some of the docs I'm writing (WW2 stuff). They make extended access to Eurpopean language chars much quicker and easier for me, vice repeatedly going for the MS Char Map or some other mini-app. On the other hand, if the entries don't need to be loaded in order to access the IME's I'll be happy to delete them. Again, your comments appreciated.

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC

I'd like to get rid of the two entries immediately below, but don't see any entries in either Add/Remove Programs for related apps or in any of the registry keys to identify what apps they are related to. Both are web page entries but I'm unsure when/where they came from and whether they can be safely removed.

O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesui...anager.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/ko...nt/kdx.cab

Have uninstalled several apps I had installed a long time ago and that were loading stuff on startup because I now no longer need them. Should have done it a long time ago but ...

Attached is the updated run of HiJackThis you requested.

As for the unnecessary things being removed that you mentioned, sure! Let me have a list and I'll sure dump as much as I can. It never hurts to clean house now and then.

Thanks again and I look forward to hearing back from you.


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 809 pages served in previous 5 minutes. Page Generation: 2.870 seconds.