Author Topic: money.cafreedom.com  (Read 15307 times)

matt

  • Guest
money.cafreedom.com
« on: November 07, 2004, 10:15:21 AM »
ok, i have the sygate personal firewall on my computer, i run firefox as my browser, but whenever i launch explorer to access my computer or my documents, the firewall pops up and says:

Windows Explorer (exploter.exe) is trying to connect to money.cafreedom.com [66.17.180.52] using remote port 80(HTTP - World Wide Web).  Do you want to allow this program to access the network?"

i always say no, but whenever i close out to my computer/my documents etc., explorer crashes.  it reloads fine and the computer still runs, just what is this? and how can i get rid of it?  i ran ad-aware but that found nothing.

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #1 on: November 07, 2004, 10:58:09 AM »
Scan for Spyware.

matt

  • Guest
Re: money.cafreedom.com
« Reply #2 on: November 07, 2004, 11:31:45 AM »
i ran both ad-aware and spy-bot

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #3 on: November 07, 2004, 12:12:08 PM »
Reconfigure them to do extensive scans.

matt

  • Guest
Re: money.cafreedom.com
« Reply #4 on: November 07, 2004, 12:23:41 PM »
i did for ad-aware, i'm not sure how for spy-bot

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #5 on: November 07, 2004, 12:26:57 PM »
Have you scanned for Viruses and Trojan Horses?

matt

  • Guest
Re: money.cafreedom.com
« Reply #6 on: November 07, 2004, 12:42:19 PM »
yea, using AVG anti-virus, i'll run it again now though, and how can i set spy-bot to deep scan

matt

  • Guest
Re: money.cafreedom.com
« Reply #7 on: November 07, 2004, 01:11:00 PM »
the virus/trojan scan came up clean

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #8 on: November 07, 2004, 01:15:00 PM »
I have no experience with Spybot S&D

Do you have programs installed that may be forcing your browser to connect to that address?

Use HijackThis

matt

  • Guest
Re: money.cafreedom.com
« Reply #9 on: November 07, 2004, 01:39:08 PM »
not to my knowledge, but i'll try HijackThis

matt

  • Guest
Re: money.cafreedom.com
« Reply #10 on: November 07, 2004, 01:48:30 PM »
here is my hijack this log:

O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell AIO Printer A920] "E:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: PeerGuardian (2).lnk = E:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - e:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


it all seems fine to me, except the first and third objects, i don't know what they are.

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #11 on: November 07, 2004, 02:14:23 PM »
The Toolbar & Radio is harmless, I believe. I've seen it before on my PC as well. Must come with Internet Explorer.

Entry number one does seem a bit dubious, no Google search results..

There's a tool that seems to be recommended often. Give it a try: CWShredder
« Last Edit: November 07, 2004, 02:18:36 PM by Raptor »

matt

  • Guest
Re: money.cafreedom.com
« Reply #12 on: November 08, 2004, 10:07:31 AM »
i fooled around with CWShredder, but it didn't find anything.  any other ideas, this thing is really annoying.

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #13 on: November 08, 2004, 10:43:48 AM »
use different spyware/virus scanners. See if any of them picks up any threats the others do not.

2k dummy

  • Guest
Re: money.cafreedom.com
« Reply #14 on: November 08, 2004, 11:54:27 AM »
Do you have any dealings or relationship to any of the following:

NRSoftware
Bane Media
xeex
Yipes

The url and IP address belong to NRSoftware. They are a rather nefarious outfit and are known to be spammers. They use hosting companies to cover their tracks. You likely have a backdoor that they are trying to use. Use a dedicated trojan detection software and keylogger detection. By all means, keep it blocked in the firewall.

matt

  • Guest
Re: money.cafreedom.com
« Reply #15 on: November 08, 2004, 03:21:28 PM »
i have none of those programs you mentioned, and i am keeping it blocked.  what trojan/keylogger scanning software should i use?

2k dummy

  • Guest
Re: money.cafreedom.com
« Reply #16 on: November 08, 2004, 03:50:48 PM »
I recommend The Cleaner. It is not freeware but can be downloaded for a 30 day free trial. $49.95 if you decide to keep it after the trial period.

matt

  • Guest
Re: money.cafreedom.com
« Reply #17 on: November 09, 2004, 08:19:39 AM »
i also ran a scan with that, it too came up empty  :-/

Raptor

  • Guest
Re: money.cafreedom.com
« Reply #18 on: November 09, 2004, 08:47:08 AM »
Have you bothered going to the URL?

Quote
what do you want to find here?


Doesn't even set a cookie.

I think you should scan your entire system to the fullest extent using different spyware and virus scanners and configuring them all to scan each file and folder.
« Last Edit: November 09, 2004, 08:48:01 AM by Raptor »

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: money.cafreedom.com
    « Reply #19 on: November 09, 2004, 01:28:16 PM »
    matt.....Go to the link below.....it will explain all of the entries and will direct you to various places so you can check each item.
    http://computercops.biz/HijackThis.html
    I just had a quick look at your log and it doesn't appear to be complete .......did you neglect to post all of it ?
    BTW, you asked about your entries 1 and 3

    O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll  ......this entry looks odd .....

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    This entry is normal and ok

    perhaps you should check out all of your log entries after reading the explanation link .

    let us know
    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    merlin_2

    • Guest
    Re: money.cafreedom.com
    « Reply #20 on: November 09, 2004, 01:53:20 PM »
    firewall PeerGuardian as well it seems? run my old mate the best there is>http://removespyware.net/ratings/spy-sweeper.htm  and sorry to jump into this post....
    « Last Edit: November 09, 2004, 01:55:20 PM by merlin_2 »

    matt

    • Guest
    Re: money.cafreedom.com
    « Reply #21 on: November 10, 2004, 03:52:10 PM »
    i have gone to the website, through firefox and saw "what do you want to find here", figured that couldn't be good, i downloaded Spy Sweeper, it found something on my D: (second hard drive), but i still get the trying to connect to money.cafreedom.  

    that was my full hijack this file, since i reinstalled windows i've kept all internet explorer things blocked with my firewall.


    here is screenshot of the actual firewall popup:
    http://www.msu.edu/~rosemat2/images/money.htm

    and of my hijackthis log:
    http://www.msu.edu/~rosemat2/images/hijack.htm


    not that that will help, but could this be in a different section of my hd, i've been scanning all:

    C: is a fat32 i've used for storage between linux and xp.  i currently have no linux on my system.  it is usually on D: which is a second 6 gb harddrive.  my E: is my xp ntfs harddrive.

    matt

    • Guest
    Re: money.cafreedom.com
    « Reply #22 on: November 10, 2004, 03:53:54 PM »
    AHH HAAA!!! its fixed
    ;D

    it was that first entry in hijack this:

    O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll

    i went to http://computercops.biz/HijackThis.html , and did a search on it, it came up with no response so i deleted it, and that did it.  

    THANKS FOR ALL THE HELP!!!!!  ;D ;D ;D

    matt

    • Guest
    Re: money.cafreedom.com
    « Reply #23 on: November 10, 2004, 04:07:10 PM »
    *censored*!
    no it's not, when i deleted it from hijack this it went away, however when i restarted my computer it came back!, i re-deleted it from hijack this, and uninstalled PeerGuardian, then rebooted and it came back, again :(, what could be adding it every time i reboot?

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: money.cafreedom.com
      « Reply #24 on: November 10, 2004, 11:59:45 PM »
      matt......have you had a look in .....
      WINDOWS\system32\6ji.dll to see if its there and then manually remove it ....
      Keep looking its hiding in there somewhere .

      let us know
      dl65  ::)
      If you don't know the answer, it isn't a dumb question.

      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #25 on: November 11, 2004, 10:00:22 AM »
      i'm looking in my E:\WINDOWS\system32, i selected show hidden folders too, i'm not finding it, could it be in my temp file somewhere?  i'm still looking but can't seem to find it.  i've done a windows search too.

      merlin_2

      • Guest
      Re: money.cafreedom.com
      « Reply #26 on: November 11, 2004, 11:35:47 AM »
      it may be lurking in the reg...disable system restore and delete it again...and to be sure disconnect your pc from the net..

      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #27 on: November 11, 2004, 06:34:25 PM »
      i don't have system restore set up, how do i go about disabling it

      Raptor

      • Guest
      Re: money.cafreedom.com
      « Reply #28 on: November 11, 2004, 11:14:11 PM »
      Right click My Computer -> Properties -> System Restore (tab) Disable it on all partitions/HDD's.


      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #29 on: November 12, 2004, 01:11:52 AM »
      i undid it, rebooted still had it, allowed it then undid it again, and rebooted, still have it :-\

      2k dummy

      • Guest
      Re: money.cafreedom.com
      « Reply #30 on: November 12, 2004, 11:25:42 AM »
      This thing is very persistent and difficult to get rid of. The reason you can't find the .dll is because every time you reboot the file name is regenerated, and it is random. When it next tries to connect, before you dismiss the window, bring up task manager and see what processes are running. Make note of any odd .exe files that should not be there. Make sure system restore is off and you have stopped the processes from running. Locate the odd files and delete them. Go into the registry and delete any entries that are "run once". Search for any entries for the file name(s) that you have found and delete the keys for those files.
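
Added example, not part of any post in this thread: a small Python triage of the O2 (BHO) lines from the HijackThis log posted above, keyed on CLSID so an entry is still matched if its DLL name changes between reboots. The three heuristics and the second snapshot (file name `q8x.dll`) are assumptions constructed for illustration; a flag means "review this entry", not proof of malware.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the log posted earlier in this thread.
LOG_POSTED = r"""
O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
"""
# Constructed second snapshot: same CLSID, made-up file name.
LOG_AFTER_REBOOT = r"""
O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\q8x.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def parse_bhos(log_text):
    """Return {CLSID: (display name, DLL path)} for every O2 line."""
    bhos = {}
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos[m["clsid"].upper()] = (m["name"], PureWindowsPath(m["path"]))
    return bhos

def reasons(name, path):
    """Heuristic review flags (assumptions for this example)."""
    found = []
    if name == "(no name)":
        found.append("unnamed BHO")
    if path.parent.name.lower() == "system32":
        found.append("DLL directly in system32")
    if len(path.stem) <= 3 and any(c.isdigit() for c in path.stem):
        found.append("short generated-looking file name")
    return found

def review(log_text, min_flags=2):
    """CLSIDs whose entry trips at least min_flags heuristics."""
    return {c: reasons(n, p) for c, (n, p) in parse_bhos(log_text).items()
            if len(reasons(n, p)) >= min_flags}

def renamed(before, after):
    """BHOs present in both logs under the same CLSID but a different file."""
    a, b = parse_bhos(before), parse_bhos(after)
    return {c: (a[c][1].name, b[c][1].name) for c in a.keys() & b.keys()
            if a[c][1].name.lower() != b[c][1].name.lower()}

if __name__ == "__main__":
    print(review(LOG_POSTED), renamed(LOG_POSTED, LOG_AFTER_REBOOT))
```

The Spybot helper is also an unnamed BHO but trips only one heuristic, so it stays below the review threshold.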

      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #31 on: November 12, 2004, 03:22:07 PM »
      ok, but i'm not sure which .exe processes are considered normal, here are the ones i'm running after rebooting.

      http://www.msu.edu/~rosemat2/images/processes.htm

      also, where is the registry, and how do i delete the 'run once' objects?

      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #32 on: November 12, 2004, 03:32:09 PM »
      also here are my running processes after a reboot and trying to open 'my computer'

      i went through them, they are in a different order, but they are the same

      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #33 on: November 12, 2004, 03:38:03 PM »
      sorry, my after starting 'my computer' the processes are this:

      http://www.msu.edu/~rosemat2/images/processes2.htm
      « Last Edit: November 12, 2004, 07:36:17 PM by matt »

      matt

      • Guest
      Re: money.cafreedom.com
      « Reply #34 on: November 20, 2004, 08:45:42 PM »
      anyone?  how can i get to the registry and clear that out?

      dl65

      • R.I.P.


      • Prodigy

        Thanked: 18
        Re: money.cafreedom.com
        « Reply #35 on: November 20, 2004, 11:45:30 PM »
        matt...to get into the registry......do the following click Start.....then Run .......then type  Regedit in the run box and enter......( make sure you back up your registry just in case you remove the wrong thing ) .....Now when the registry editor opens.....up at the top click edit......now go down to..... find..... and click on it .....the find box will open enter what you're looking for and press enter it will search and if it finds what it is you're looking for it will be displayed ........so just delete it .........or if it finds nothing try searching for something else.

        dl65  ::)
        « Last Edit: November 20, 2004, 11:45:50 PM by dl65 »
        If you don't know the answer, it isn't a dumb question.

        matt

        • Guest
        Re: money.cafreedom.com
        « Reply #36 on: November 21, 2004, 02:31:38 PM »
        sweet, i did a search for 6ji.dll within registry after a reboot and it found something, first i delete the entire entry with everything in it correct? second how do i back up the registry first?  thanks  :D

        Neil



          Expert
        • Fear me Track. Noone can escape my wrath.
        • Thanked: 3
          Re: money.cafreedom.com
          « Reply #37 on: November 21, 2004, 02:52:24 PM »

          matt

          • Guest
          Re: money.cafreedom.com
          « Reply #38 on: December 02, 2004, 09:57:40 AM »
          ok, i made a back-up, ran regedit, did a search for 6ji.dll.  i found it and deleted the entire folder it was in.  that worked, however when i rebooted it came back again. this thing is persistent.  could it be tied in with some program i have?  i can't think of what it would be, i am careful about what i download.  any ideas of what might be putting it back in the registry every reboot?

          matt

          • Guest
          Re: money.cafreedom.com
          « Reply #39 on: December 02, 2004, 10:40:15 AM »
          ok, i booted into safe mode and logged in as administrator, did the regedit thing, and cleared out c:\windows\temp and c:\d+s\default user(and matt)\local settings\temp, then rebooted into normal.  when i open my documents or my computer, the firewall doesn't show anything trying to connect, but after i close, maybe 5 or 6 seconds later, explorer restarts like it did before, and when i run hijack this i am still getting 6ji.dll in there, as removing it, as before, fixed the problem.  so i think i got at least part of it in the temp folders, but something is still putting 6ji.dll in the registry every reboot.

          merlin_2

          • Guest
          Re: money.cafreedom.com
          « Reply #40 on: December 04, 2004, 01:34:07 AM »
          two things to remember here is the system restore and system file protection  that's why the file keeps reappearing try this..>.http://www.dougknox.com/xp/tips/xp_undeletable_file.htm

          matt

          • Guest
          Re: money.cafreedom.com
          « Reply #41 on: December 04, 2004, 02:11:58 PM »
          in hijack this it shows 6ji.dll in E:\windows\system32\6ji.dll,  when i try and delete it in command prompt it says it can not find the file.  i tried closing explorer and removing it from the registry using regedit, i actually found two entries for 6ji.dll but when i restarted explorer it came back again.  i can get rid of it using hijack this but whenever explorer is restarted it comes back.   :(
          « Last Edit: December 04, 2004, 02:12:33 PM by matt »

          Raptor

          • Guest
          Re: money.cafreedom.com
          « Reply #42 on: December 04, 2004, 04:08:41 PM »
          Then stop using Internet Explorer. There are alternative browsers out there.

          matt

          • Guest
          Re: money.cafreedom.com
          « Reply #43 on: December 05, 2004, 12:25:58 PM »
          i have been using only firefox 1.0, which surprises me that i have something like this.  the only thing that bugs me is it's all explorer windows, My Computer and My Documents included.  i guess i'll keep fooling around with it, but thanks for the help so far!!
          « Last Edit: December 05, 2004, 12:28:37 PM by matt »