Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

can someone please help


  • This topic is locked This topic is locked
1 reply to this topic

#1 albert4286

albert4286

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 19 October 2004 - 02:58 AM

i seem to have a problem with "spryware.com
" redirecting almost all my sites, if someone can please help, id really appreciate it, im so frustrated.





Logfile of HijackThis v1.98.2
Scan saved at 12:55:31 AM, on 10/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Albert Nguyen\Application Data\ustc.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\cdspace\CDSLicenseMng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hjt\HijackThis.exe
C:\WINDOWS\system32\w?wexec.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\StopziIlaBHO.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\System32\wer1306.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Albert Nguyen\Local Settings\Temp\ud32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uobb] C:\Documents and Settings\Albert Nguyen\Application Data\ustc.exe
O4 - HKCU\..\Run: [Gmlq] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: LCDPlayer.lnk = ?
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O13 - DefaultPrefix: http://
O13 - WWW Prefix: http://
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {14B9C4A0-D586-6D9E-FB43-6C07561E4823} - http://205.252.249.254/1/rdgUS1077.exe
O16 - DPF: {57F66D57-386A-730B-9FCC-729C622B06C7} - http://205.252.249.254/1/rdgUS1077.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

BC AdBot (Login to Remove)

 


#2 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  •  
  • Location:Whitby. Ont.
  • Local time:07:58 AM

Posted 19 October 2004 - 08:52 AM

albert4286, welcome.

Please print this out and follow ALL these directions carefully.

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Go to Add/Remove Programs and uninstall StopZilla and Viewpoint Manager The Google toolbar is much better than StopZilla.

Delete if still present:
C:\WINDOWS\_h.html
C:\WINDOWS\_s.html
C:\WINDOWS\System32\MTC.dll
C:\WINDOWS\System32\StopziIlaBHO.dll
C:\WINDOWS\System32\mtc2608.dll
C:\WINDOWS\System32\wer1306.dll
C:\WINDOWS\System32\w?wexec.exe
C:\Documents and Settings\Albert Nguyen\Application Data\ustc.exe
<== files

C:\Program Files\Viewpoint <== folder

C:\Documents and Settings\Albert Nguyen\Local Settings\Temp <== empty the contents of this folder

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\StopziIlaBHO.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\System32\mtc2608.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\System32\wer1306.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Albert Nguyen\Local Settings\Temp\ud32.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Uobb] C:\Documents and Settings\Albert Nguyen\Application Data\ustc.exe
O4 - HKCU\..\Run: [Gmlq] C:\WINDOWS\System32\w?wexec.exe
O13 - DefaultPrefix: http://
O13 - WWW Prefix: http://
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab


Reboot and Install the prevention protection below and help your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Insure that Index.dat Suite is Setup to empty the Temp folders especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find and create the run.bat and reboot to have it remove what it finds.

{user} is the Albert Nguyen User Account ID.
Removal of infections and prevention protection should be installed on ALL User Account IDS.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

Install Windows Service Pack 2 and ALL Critical Updates.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users