Full Version: I love getting into trouble ... here's an example:
BleepingComputer.com > Security > AntiVirus, Firewall and Privacy Products and Protection Methods
   
theronkellystalker
Well hello

I suppose I should elaborate on what my "Topic Title" implies.

I found BleepingComputer a few months ago because I went looking for trouble.

Some people are content to live quietly within safe, sterile boundaries, but I question how much educational experience they might encounter if they are not willing to get dirty every once in a while.

I am relatively new to the Internet myself. I have a background in computer programming, desktop publishing, and advertising, so it is almost a mystery to me why it has taken so long to become immersed in the web.

It's too late to back out now ... I have fallen in love with the vastness and potential for adventure.

My first visit here came about because I picked up a horrendous infection of viruses, adware, malware, and spyware in my first few weeks of exploring. This site, along with the TomCoyote Forums, provided me with both a cure and some inoculation. That only made me more bold and daring.

For example:
I have returned to BleepingComputer in an effort to return my gratitude for previous assistance. I intend to become more involved with this forum because I was hijacked by an insidious little website called 24-7-search. It is now six days of effort trying to rid my computer of that little demon.

The following is an obviously edited URL of the site that has caused me so many problems for so long. This URL is very "hot". I strongly suggest that it be carefully reassembled and installed in your "Restricted Zone" so you never have to deal with its infestation.

h t t p : / / w w w . 2 4 - 7 - s e a r c h . c o m

It replaces all tool and search bars with its own search bar; your own toolbars mysteriously vanish. It replaces itself as the only available homepage on every restart. It locks you out of every folder and icon on your desktop, including "My Computer". It causes everything on the desktop to open as an Internet Explorer window, but open blank, with the message that your current security settings will not allow ActiveX to run in this window so nothing will display correctly. It "represents" itself as the only available option you have ... to go explore the products and links provided by this website.

If anyone else has had any similar experience of this, I would really like to know.

This is a very nasty infection and my warning is a gift in the form of my introduction.

I hope to use BleepingComputer as an educational base, but I plan to venture into any kind of nasty realms that I find in order to gain more experience. Whatever I learn from those adventures, I would like to share in my posts in the forum. Things like the problems I encounter, the cures for my afflictions, the sources for those cures, and obvious warnings about what to beware of.

I hope that I can put back into this forum a small fraction of what I have already received as a small token of my appreciation.

Good fortune to you all ... and good hunting.

Theron
paperghost
Welcome

Aside from the infection issue (which someone will pick up, but you need to check out the HJT forum for further instructions), I would say that if you intend to purposefully infect machines, you really should use a non-production environment (i.e. a test system) rather than your standard machine to get these infections. 24/7 search has been around a while, and although there aren't a great many examples of it on HJT forums, the ones that do exist have been cleaned up without too much fuss, so you should be in safe hands on this board.
theronkellystalker
Thanks Paperghost

I don't mean to imply that I "want" those infections; I just don't intend to fear the possibility of becoming infected.

If it wasn't for those nasty experiences, I wouldn't have a folder of the finest anti-bug software available on the Internet, all recommended by trustworthy technical people from forums like BleepingComputer and TomCoyote. Gifts like that can never be responded to with enough appreciation.

As far as my latest infection is concerned, it's mostly cleared up now. I just haven't found the solution to my problem with the inability to open my desktop items yet. Still working on that.

Is there anywhere on the Internet that a person could acquire a posting of "hot" URL's to add to their Restricted Sites Zone? Maybe save a little grief along the way?
Just wondering.

Theron
Leurgy
Have you got Spyware Blaster? It has a list of restricted sites that it prevents you from connecting to. It also runs in the background to prevent the installation of ActiveX controls.

This is a good read. It talks about using a Hosts file to block bad sites and includes one that you can read or download and use.
theronkellystalker
You're right Leurgy ... a very good read indeed.

I just learned about the creation of a Hosts File yesterday and want to get started creating one as soon as I get my "desktop" dilemma fixed.

Your link will help a lot to get me started on that project.

I have the spyware program and that certainly is a good beginning to ensure protection, which I can also highly recommend to anyone else who reads this.

Great stuff ... thanks again.

Theron
Scarlett
Hello and Welcome to Bleeping Computer, theronkellystalker

So happy that you stopped by and decided to stay. You seem to have acquired a wealth of experience. We cover all topics of computing here @ BC. The more knowledgeable and intelligent members that sign on, the better for BC and everyone involved. So I for one am thrilled to see that you have become a member, and one who is also planning on becoming an active one.

QUOTE
It's too late to back out now ... I have fallen in love with the vastness and potential for adventure.


You and countless others here. I have been hooked from day one. I never thought of myself as a geek. But now I could not deny it no matter how hard I tried.


BTW Canada is the land of my birth.
theronkellystalker
Well Happy BirthLand scarlett ...

And thank you for your welcome.

Leurgy doesn't know it but we're almost neighbors.

I hope to be able to bring back to this forum, at the very least, as much as I take away.

Theron
Sy...
QUOTE
Have you got Spyware Blaster? It has a list of restricted sites that it prevents you from connecting to. It also runs in the background to prevent the installation of ActiveX controls.


Leurgy, can you run this with Spybot and adware?

Sy...
Scarlett
Yes you can. I use all three. Link in my sig.
Sy...
Thanks, Scarlett.

Sy...
phawgg
~theronkellystalker Feb 15th
QUOTE
It's too late to back out now ... I have fallen in love with the vastness and potential for adventure.
Love is a many splendored thing, indeed.
theronkellystalker
I need some advice here.

I want to raise the issue of my inability to open anything on my desktop as a result of being hijacked.

I'm looking for assistance to solve the problem, and explanations of whatever assistance is being suggested, so everyone can see the value that certain advice is useful for.

I like to try to clearly define what the problem is, but I really want to have a relatively detailed account of someone's analysis of the problem so this is available information for anyone who might be encountering similar problems.

I'm not sure which part of the forum to start a new topic in.

I use Windows 2K, but this is the aftermath of a hijacking, so there is a bit of ambiguity about where my thread would belong.

Could a moderator please suggest a place to begin?

Thanks

Theron
Leurgy
Hi almost neighbour

Right click your icons and click properties. What do you see in the target box?
theronkellystalker
Whoaa ...

You're going to need to be more specific than that. You're assuming that I know "something" (which isn't very likely).

I did learn one thing in the past half hour.

When I log on as the "administrator" instead of as "myself", all of the folders and icons on the administrator's desktop open up just fine. So the problem seems to be isolated or localized to this particular desktop. Whenever I try to open anything I get the message that "Your security settings do not permit running ActiveX controls on this page so the ... blah blah"

Believe me, this is progressive news.

Uhhh ... shouldn't we be doing this somewhere else?

Theron
Leurgy
QUOTE
Whenever I try to open anything I get the message that "Your security settings do not permit running ActiveX controls on this page so the ... blah blah"


Is this happening under the user account? You would seem to still have some hijacking problems. There is no way that clicking an icon should prompt ActiveX to run. Open IE and go to Tools>Internet Options>General tab>Settings>View objects and post a screenshot of what's in there. This will tell you how to do that.

The target box is accessed from the properties box for the icon. The target would be the path to the application that the icon refers to.
Scarlett
Unless you wish to submit a HijackThis log, I suggest that you post in the Antivirus, Firewall, Privacy Products and Protection Methods Forum.

HijackThis Logs and Analysis

Antivirus, Firewall, Privacy Products and Protection Methods

My question to you is, have you ever run HijackThis? After all you have been through, it may be a good idea to do so. This way you could ensure that your computer is now clean and you are completely recovered from that nasty, nasty infection.


Edit: This thread or parts of it could be split off to another forum. From what I see, it all could be moved. I could do that for you if you like.
theronkellystalker
I agree

I must still have some more serious problems.

I can't seem to get full screen shots for some reason.

Here are the two I could get:

[two screenshots not included in this text-only version]
I realize that Internet Explorer shouldn't have anything to do with whether I can open a folder or not, but that's what is happening. Try to open just a folder and I get a blank window with that "warning" message about ActiveX. Same goes for "My Computer".

Shouldn't we be doing this somewhere else?

Theron
Leurgy
Right click that first one and let us know what it says in the properties. Looks like it doesn't belong.

Perhaps post your reply in the viruses forum.
theronkellystalker
Hi scarlett

Yes. Could we sort of start this again in the appropriate forum.

Wherever you decide that should be is fine with me.

I have been running HijackThis logs for about five days now and most of the major problems are cleared up, but not finished.

I would like people to be able to view what is going on here in the appropriate place. I think there may be something unique to this problem and a record of this should be available to all.

I won't post again until you have sorted it out.

Sorry about this ... I didn't really want it to get messy at all.

Theron
Scarlett
QUOTE(theronkellystalker @ Feb 16 2005, 10:02 AM)
Hi scarlett

Yes. Could we sort of start this again in the appropriate forum.

Wherever you decide that should be is fine with me.

I have been running HijackThis logs for about five days now and most of the major problems are cleared up, but not finished.

I would like people to be able to view what is going on here in the appropriate place. I think there may be something unique to this problem and a record of this should be available to all.

I won't post again until you have sorted it out.

Sorry about this ... I didn't really want it to get messy at all.

Theron

No worries. It has already been moved. Look and see.

Please continue.

Good Luck!
theronkellystalker
Alrighiiight ... let's take a deep breath and try this again.

I'm sorry this got messy ... I wanted it to be as straightforward and clear as possible.

I picked up this hijacker, "24-7-search", about a week ago. I have been working through this with the TomCoyote Forums. I certainly didn't come here to get away from them ... there isn't enough praise that I could heap upon them. I felt that my "problem" should probably be aired here too for the enlightenment of anyone who falls into the same pit.

Part of the result of that hijacking was the fact that none of my desktop items can be opened without the message you see posted below, and a blank window.

[screenshot of the ActiveX warning not included in this text-only version]
When I log on as the Administrator, all of the folders and desktop items open just fine. So the problem only exists when I am logged on as Theron Kelly Stalker (a user).


This next image is from the Internet Explorer Properties window:

[screenshot not included in this text-only version]
Just to demonstrate what condition the computer is in right now, I'll post this HijackThis log too:

---------------------------------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 11:59:45 AM, on 2/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\dllhost.exe
C:\Documents and Settings\Theron Kelly Stalker\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by104fd.bay104.hotmail.msn.com/cgi-...fe31357&fti=yes
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [KenKeybd] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\WINDOWS\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Copy Location - C:\WINNT\WEB\graburl.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINNT\system32\oline.dll
O9 - Extra button: Desktop Currency Converter - {676D40B8-BEDD-4313-9AD9-1FD38762F82A} - C:\Program Files\Mioplanet\Desktop Currency Converter\Desktop Currency Converter.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.linkshare.com
O15 - Trusted Zone: http://by104fd.bay104.hotmail.msn.com
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - https://www.opinionsquare.com/Config/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKSNET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TKSNET
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TKSNET
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


--------------------------------------------------------------------------------------

Now assuming I don't know anything at all, and with respect for the fact that nice clear simple explanations would be quite useful in the long run, what else would you like me to do?

Thank you for any assistance with this predicament.

Theron
theronkellystalker
WOW ... So nobody has any ideas about how to deal with this, eh?

Well, how's this for more interesting developments.

I created a "new" user account and opened it up with all new folders. All the folders and icons responded properly to double-clicks ... no warning messages.

I then copied all of the folders in my own user account and pasted them into the "new" account, obviously overwriting the windows account folders that are automatically installed.

I rebooted and logged in to the new account and guess what?

None of the folders and icons would open up and I got the same message again.

[screenshot not included in this text-only version]
So the problem seems to be isolated to the folders in my own user account in the "Documents and Settings" area of "My Computer".

I'm going to start again and try to be more selective when I copy the folders again into the new account. Maybe I can isolate which folder it is.

I'll let you know.

Theron
Leurgy
You have a couple of specialized programs on there that tend to muddy the waters. From what I've read about Instant Buzz, I wouldn't touch it with a ten foot pole, and I suspect it uses ActiveX controls. But it's your machine. Linkshare and Opinionsquare are suspect to me also. Try leaving those three behind.
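The HijackThis log posted above is plain text that can be triaged mechanically. The following is an added example, not code from this thread or from HijackThis: a small Python parser for the `O<n> - ...` finding lines, run over lines excerpted from Theron's log, that lists the O15 Trusted Zone sites (IE applies looser ActiveX restrictions to that zone), splits the O4 autostart entries into key, value name and command, and flags findings matching a watch list. The watch list holds the three names Leurgy questions and is my assumption for illustration, not a verdict on those products.

```python
import re

# Lines excerpted from the HijackThis v1.99.0 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Instant Buzz\IBDaemon.exe

O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: http://www.linkshare.com
O15 - Trusted Zone: http://by104fd.bay104.hotmail.msn.com
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - https://www.opinionsquare.com/Config/setup.exe
"""

# Assumed watch list: the three names Leurgy singles out in the thread.
WATCHLIST = ["instant buzz", "instan~1", "linkshare", "opinionsquare"]

# Every HJT finding line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 bodies: "<hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run(?:Once)?): \[(.*?)\] (.*)$")


def parse_entries(log_text):
    """Return [(section, body)] for each finding line; the header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def trusted_zone_sites(entries):
    """O15 findings are sites placed in IE's Trusted Zone; each one is worth reviewing."""
    prefix = "Trusted Zone: "
    return [b[len(prefix):] for s, b in entries if s == "O15" and b.startswith(prefix)]


def run_keys(entries):
    """O4 autostart findings split into (registry key, value name, command)."""
    out = []
    for s, b in entries:
        m = RUN_RE.match(b) if s == "O4" else None
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def flag_watchlist(entries, watchlist=WATCHLIST):
    """Findings whose text mentions any watch-list term (case-insensitive)."""
    terms = [t.lower() for t in watchlist]
    return [(s, b) for s, b in entries if any(t in b.lower() for t in terms)]


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("trusted zone:", trusted_zone_sites(found))
    for key, name, cmd in run_keys(found):
        print("autostart:", key, name, cmd)
    for hit in flag_watchlist(found):
        print("review:", *hit)
```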
theronkellystalker
Thanks for this tip Leurgy

I'm a little suspicious about The Buzz, but in all good faith I need to say that Instant Buzz has been on my computer for quite a while with no problem, and they went through their upgrade change before I ran into this problem, so I don't think it is them. But I will keep that in mind as I complete the "duplicate account" test today.

I need Linkshare for my own business, and that has never caused a problem before. Opinionsquare is a more likely possible suspect, but that too was around for quite a while.

I should be able to isolate what folder the nasty varmint is hiddin' in today. I'll let you know.


Theron
theronkellystalker
Awwlllrriigghhhhttt ....


My desktop is back to working normally, but it is one of those situations where you fix something ... but don't know what was wrong.

I wound up copying all of the folders to a new account, except the "Local Settings" folder. My new desktop is identical to my old desktop and there are no more error messages.

I examined everything in the old "Local Settings" folder and a few things looked suspicious but I wouldn't know why, or what to do to investigate them more thoroughly.

The point is that I didn't seem to need that old folder copied to replace a new "Local Settings" folder in the new account for everything about the new account to work just fine.

Just letting you know what the outcome is ... even though I still don't have a clue what the original problem was.

Bye for now.

I'll be back with an interesting network challenge, if anyone likes to tackle stuff like that.

Theron