Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win-eto help!


  • This topic is locked This topic is locked
1 reply to this topic

#1 drgonzo

drgonzo

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:40 AM

Posted 03 January 2005 - 06:12 PM

hi new to the forum. im using windows 2000. and my internet explorer has been hijacked by win-eto.com which then redirects to here4search.com. ive tried adaware aboutbuster spydoctor search and destroy. spywareblaster. stinger. cwshredder. yet i cant get rid of this. could some one please help me bfore i loose my mind.

here is a latest hijack this file.

Logfile of HijackThis v1.97.7
Scan saved at 22:55:31, on 03/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atlfe.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSDTC32.exe
C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
C:\WINNT\system32\netwv.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.eircom.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\eircom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://66.103.153.158/cool
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\5626K1~2.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Video Device Loader] MSDTC32.exe
O4 - HKLM\..\Run: [aoxjezao] C:\WINNT\system32\mavbde.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\x0g1x6w4iuhwfthd.exe
O4 - HKLM\..\Run: [netwv.exe] C:\WINNT\system32\netwv.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\RunServices: [Video Device Loader] MSDTC32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wmpfaqef] C:\WINNT\system32\zgbclu.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Spyware Doctor (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...fe3bba631960d34
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://213.201.69.103/data/dialercab/premi...ternacional.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8088.6555555556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17

cheers

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:11:40 AM

Posted 04 January 2005 - 08:05 PM

Duplicate

http://www.bleepingcomputer.com/forums/ind...wtopic=8068&hl=

Topic closed
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users