Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Explorer Gets Redirected


  • This topic is locked This topic is locked
13 replies to this topic

#1 osaidiado

osaidiado

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 07 May 2006 - 08:23 AM

Please help me someone. When I click on a link internet explorer opens google or a porn site, some of which are: //www.hotsearcher.com
//www.findtoads.com
//www.findweed.com

//Mod edit: To modify Hot Links above to protect others.

Below is my most recent hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:11:54, on 07/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HistoryKill 2006\histkill.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\DOKUME~1\SUMMER~1\LOKALE~1\Temp\Temporδres Verzeichnis 1 fόr hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = osaidiado
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: POPStopperIE.CToolbar - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [histkill] "C:\Programme\HistoryKill 2006\histkill.exe" /STARTUP
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1E3A46D-0726-479A-8204-2A5B4C8EE8F0}: NameServer = 85.255.116.107 85.255.112.83
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

:huh: :thumbsup: :flowers: :huh: :huh:

Edited by KoanYorel, 07 May 2006 - 01:23 PM.


BC AdBot (Login to Remove)

 


#2 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 07 May 2006 - 03:52 PM

You are running Hijackthis from a temp location or from the ZIP file with out unzipping it first. Please extract a copy to it's own, permanent folder.
Help with unzipping files is HERE


First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can reenable TeaTimer once your system is clean.
IF, when you run HijackThis and reboot, you get a popup telling you about a change to the registry, you should ALLOW the change.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it on your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish. After the fix begins just follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

After your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please run it by clicking Scan Only,
and check the following items:
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{D1E3A46D-0726-479A-8204-2A5B4C8EE8F0}: NameServer = 85.255.116.107 85.255.112.83
Click Fix Checked. Close HijackThis, and click OK to proceed.

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Run the program, accept statement>next>click> scan>next.
If any items are detected have blacklite rename them except for "wbemtest.exe".
Do not rename "wbemtest.exe" its a windows file.
If there are any other files you THINK may be valid don't rename them. Help is available HERE

The tool will ask if you want to reboot (restart) choose yes.

Finally, please post
  • the contents of report.txt (it should open; If it does not open or you close it..find a copy in c:\fixwareout folder.)
  • a new HijackThis log
  • log from blacklight; log will be named fsbl-<date/time>.log eg. fsbl-20051213134642.log.
Note: IF you are having connection problems follow the directions below
(These instruction's are basically for home users.)
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.

In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available one some systems

#3 osaidiado

osaidiado
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 08 May 2006 - 11:04 AM

I have followed all instructions given me and here is a log of the blaklight report:

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSXYVE~1.REN

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMCPL.EXE 225,280 2002-02-01

#4 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 08 May 2006 - 04:18 PM

What you posted was the report.txt from the Wareout fix..
I still need
1)A new HijackThis log
2) Blacklight report..just do a search for fsbl*.log, a search like that should find it no problem.

NOTE Please do NOT start a new topic....look below THIS post and click the ADDREPLY button..that way your response will go here instead of a new thread.

#5 osaidiado

osaidiado
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 09 May 2006 - 09:48 AM

Thanks . Ok here is the blacklight log:

05/08/06 17:57:07 [Info]: BlackLight Engine 1.0.36 initialized
05/08/06 17:57:07 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/08/06 17:57:07 [Note]: 7019 4
05/08/06 17:57:07 [Note]: 7005 0
05/08/06 17:57:09 [Note]: 7006 0
05/08/06 17:57:09 [Note]: 7011 1520
05/08/06 17:57:10 [Note]: 7026 0
05/08/06 17:57:10 [Note]: 7026 0
05/08/06 17:57:14 [Note]: FSRAW library version 1.7.1015
05/08/06 17:57:47 [Note]: 7007 0

And then the hijackthis log(copied just this minute):
Logfile of HijackThis v1.99.1
Scan saved at 16:45:00, on 09/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HistoryKill 2006\histkill.exe
C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Summerrain\Eigene Dateien\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = osaidiado
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: POPStopperIE.CToolbar - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [histkill] "C:\Programme\HistoryKill 2006\histkill.exe" /STARTUP
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{4837B872-7FF6-48E4-94DC-7083DD2AD2C2}: NameServer = 85.255.116.107 85.255.112.83
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#6 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 10 May 2006 - 01:13 AM

Something is stopping some of our changes.You will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

Please again disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

As you computer is starting ;Boot it to Safemode

Once you are in safemode, Open HijackThis and click ScanOnly
Put a check next to the following:
17 - HKLM\System\CCS\Services\Tcpip\..\{4837B872-7FF6-48E4-94DC-7083DD2AD2C2}: NameServer = 85.255.116.107 85.255.112.83

Close all browser and other windows except for HijackThis, and click "Fix Checked".
Reboot back to normal mode

IF, when you reboot, you get a popup telling you about a change to the registry, you must ALLOW the change.

Please run this online virus scan:(MUST use IE) ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button - Enter your Country - Enter your State/Province - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this) - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
Post the Panda results and a new HijackThis

#7 osaidiado

osaidiado
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 10 May 2006 - 12:58 PM

Ok, I did as you recommended but there was a slight deviation from the expected:

The 17 -HKLM thing with the Nameserver didn't show up on the hijackthis log, so I had to go and manually remove it from the registry.
Anyway, here are the logs, first Activescan and then hijackthis:


Incident Status Location

Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\slx.exe2
Adware:adware/cws Not disinfected C:\Dokumente und Einstellungen\All Users\Favoriten\Stop PopUps On Your Computer.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Summerrain\Eigene Dateien\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Summerrain\Eigene Dateien\SmitfraudFix\SmitfraudFix\Process.exe

Logfile of HijackThis v1.99.1
Scan saved at 19:07:41, on 10/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HistoryKill 2006\histkill.exe
C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Summerrain\Eigene Dateien\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = osaidiado
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: POPStopperIE.CToolbar - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [histkill] "C:\Programme\HistoryKill 2006\histkill.exe" /STARTUP
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A961389-CD84-4D99-9065-528F6FD2BEF8}: NameServer = 85.255.116.107 85.255.112.83
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#8 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 11 May 2006 - 03:37 AM

Well it's still there...the item we are trying to get rid of is the 85.255.116.107 85.255.112.83

The CLSID may change (the 32 digit "number" that preceeds the IP.

Please repeat again and check ANY 017 you may have. Don't forget to diable teatimer and/or ALLOW any registry change

#9 osaidiado

osaidiado
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 12 May 2006 - 09:38 AM

Ok, I did run hijackthis again, in fact several times but the 017- thing just doesn't show. I found it in the registry under HKLM\System\Current Control Set\Services\Tcpip\Parameters\Interfaces... and while looking at it I ran hijackthis and it did show up so I ticked it and clicked fix. But when I checked again it was still there. Now I run hijackthis and it simply does not show up. Teatimer is disabled as you sugested.

#10 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 14 May 2006 - 03:14 PM

Now I run hijackthis and it simply does not show up

That is the important part......Tea Timer has been know to be somewhat temperamental in the past......There are instances of ppl having to completely remove it(TeaTimer not Spybot) to get the lines out of HijackThis...

Download KillBox http://www.downloads.subratam.org/KillBox.zip.
Place it in a folder on your Desktop.
Help with unzipping files is HERE

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. Use the drop down box and clear ALL profiles this way.

Back at the main Killbox screen check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Click the button marked ALL FILES(lower right of Killbox) Left click and drag cursor to highlight ALL files listed in the quote box below, right click and choose copy click. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\SYSTEM32\DMCPL.EXE
C:\WINDOWS\system32\slx.exe
C:\Dokumente und Einstellungen\All Users\Favoriten\Stop PopUps On Your Computer.url


If you get a PendingOperations message, ignore/close it and restart your computer manually.

You should be good to go after that. Please post any final concerns /comments on how the computer is running along with a final(?) HijackThis log for review

Edited by jwbirdsong, 14 May 2006 - 03:15 PM.


#11 osaidiado

osaidiado
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 16 May 2006 - 10:47 AM

I downloaded KillBox and unzipped to My documents folder. I clicked on the Tools menu, but when I click on Delete Temp Files in the drop down menu I get the following error message:
[b]Run-time error '9'
Subscript out of range.
What should I do then. Below is, however, a new hijackthis log.
Logfile of HijackThis v1.99.1
Scan saved at 17:43:49, on 16/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Programme\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Summerrain\Eigene Dateien\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = osaidiado
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: POPStopperIE.CToolbar - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programme\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Programme\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Programme\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programme\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Programme\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A961389-CD84-4D99-9065-528F6FD2BEF8}: NameServer = 62.27.27.62 195.247.247.195
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#12 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 16 May 2006 - 02:19 PM

It seems to be a language issue with KillBox....The developer has been notified...
As a side note when I got your response to this..I was in a chat room with another user who had the same issue with Killbox ..German Windows....

Check those 3 files listed in Killbox instructions and delete manually; if they are still present.

You can always clean your temp files out manually
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested. But you will have to manually log on to all internet sites the first time you visit them again.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"
There are always a couple of files that you will not be able to delete..this is normal and expected

or by using start > run and type cleanmgr and click ok.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Then as long as you have no issues not reflected in your logs... Congratulations, your log is clean.

First, you should clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at link in my signature

Make SURE to read and follow the guidance in How Did I Get Infected in the First Place??

Edited by jwbirdsong, 16 May 2006 - 02:27 PM.


#13 osaidiado

osaidiado
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 17 May 2006 - 10:12 AM

Thank you so very much. The redirect is gone. PEACE AT LAST!!! Well, for now. Thanks again.

#14 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:02 PM

Posted 17 May 2006 - 05:24 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users