Need Help Getting Unhijacked


8 replies to this topic

#1 ronnie1027


Posted 23 November 2004 - 05:55 PM

I was following the directions from this site to rid this from my computer. The directions say I will have a 020 entry. I don't have one. Hopefully you can still help me out. The log is attached. Thanks

Attached Files




#2 raw


Posted 23 November 2004 - 06:53 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\FW8KO7~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\LY7EWMK0FSG9THD.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\OTGF7PXRS89E9YI.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\SYSTEM\FW8KO7~1.DLL
C:\WINDOWS\SYSTEM\LY7EWMK0FSG9THD.EXE
C:\WINDOWS\SYSTEM\OTGF7PXRS89E9YI.EXE

Reboot your computer to go back to normal mode and post a new log.

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 ronnie1027


Posted 23 November 2004 - 07:50 PM

I failed to mention that I am a computer moron. Is Safe Mode the same thing as MS DOS mode? If so, how do you pull up those files and directories? Thanks.

#4 raw


Posted 23 November 2004 - 08:59 PM

Safe Mode Tutorial

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/


#5 ronnie1027


Posted 23 November 2004 - 09:35 PM

I noticed on the log some of the deleted files reappeared in the log. While in safe mode trying to :\WINDOWS\SYSTEM\FW8KO7---------- I got an error message that said "Cannot Delete The specified file is being used by Windows". Anyway, here is the latest log. Thanks.

Attached Files



#6 raw


Posted 24 November 2004 - 11:16 AM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\FW8KO7~1.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL


After clicking "Fix Checked":
  • Click Config - in the lower right corner
  • Click Misc Tools - top right
  • Click Delete A File on Reboot
  • Browse to: C:\WINDOWS\SYSTEM\FW8KO7~1.DLL
  • HijackThis will prompt you to reboot


Reboot your computer to go back to normal mode and post a new log.


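Added example, not part of the original thread: a small Python parser for the HijackThis entry lines quoted in posts #2 and #6. It lists the files behind the O2/O4 entries (the ones post #2 says to delete in Safe Mode) and flags entries that were fixed once but are present again in a later list, as happened with the BHO here; the section descriptions and function names are this example's own.

```python
import re
# Section codes seen in this thread and what HijackThis uses them for.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "O2": "Browser Helper Object", "O4": "autostart entry",
            "O9": "extra IE button / Tools menu item",
            "O15": "Trusted Zone site", "O16": "ActiveX object (DPF)"}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
URL_RE = re.compile(r"https?://[^\s\"]+")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Local file path; ':', '/' and '!' are excluded so URL-style targets do not match.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"/:*?<>|!]+\.(?:EXE|DLL)", re.I)

def _first(rx, text):
    m = rx.search(text)
    return m.group(0) if m else None

def parse(log_text):
    """Turn HijackThis entry lines into records; other lines are skipped."""
    records = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            code, body = m.groups()
            records.append({"code": code, "kind": SECTIONS.get(code, "other"),
                            "raw": line, "url": _first(URL_RE, body),
                            "clsid": _first(CLSID_RE, body), "path": _first(PATH_RE, body)})
    return records

def files_on_disk(records):
    """Files behind O2/O4 entries: what is left on disk after the entries are fixed."""
    return sorted({r["path"].upper() for r in records
                   if r["code"] in ("O2", "O4") and r["path"]})

def reappeared(fixed, later):
    """Entries that were fixed earlier but are present again in a later log."""
    seen = {r["raw"].lower() for r in later}
    return [r["raw"] for r in fixed if r["raw"].lower() in seen]

# Entries quoted in post #2 (first fix list) and post #6 (second fix list).
POST_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\FW8KO7~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\LY7EWMK0FSG9THD.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\OTGF7PXRS89E9YI.EXE
"""
POST_6 = r"""
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\FW8KO7~1.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
"""
```

`reappeared(parse(POST_2), parse(POST_6))` returns the O2 line, the entry whose DLL could not be deleted because Windows still had it loaded.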

#7 ronnie1027


Posted 24 November 2004 - 11:50 AM

The show all files box was already checked from last time.

The new log is attached.

Attached Files



#8 raw


Posted 24 November 2004 - 12:42 PM

Something there HijackThis is not finding. Do this:

Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.


When you scan with both programs, fix everything that it finds.

Then run HijackThis and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup

Although Stop-Sign is no longer considered "rogue software" it's still not as good as Ad-Aware and Spybot.

Reboot and post a new log.



#9 ronnie1027


Posted 27 November 2004 - 03:37 PM

Problem solved. Thanks



