Aggressive Web Page Hijacker
BeenBit
July 6th, 2003, 06:45 PM
HELP! >:( I am having problems with some type of hijacker that will replace web pages I am
visiting with various adult pages that are aggressive and way too raunchy for my teenagers
to see. We can even be searching in Google and the pages will pop up to take the place of
the Google site on the screen. Before this weekend when I installed Spybot Search and
Destroy, Ad-aware 6, SpywareBlaster, and BrowserHijackBlaster, we couldn’t even surf
the internet without all types of popups, including the adult ones referred to above. (I may
have gone overboard with all this downloaded software, but we really want to get rid of
this stuff.) Now I have managed to get rid of all except for the adult ones described
above. Is it possible to find what is causing these (I assume it’s something hidden in my
computer) and get rid of it? My computer runs Windows 98 Second Edition.
I must apologize upfront to anyone who gets involved in helping me, as I would describe
my computer skills as novice at best. As such, you might go stark raving mad trying to
provide basic instructions.
Thanks for any help!
BeenBit
sig
July 6th, 2003, 07:31 PM
Ah, good, Paul saw and moved the thread before I could ask. But here's what I was going to post in response:
I've looked at another thread to see how you can provide more info that may be helpful to determine what you have on your PC and how to get rid of it. Pieter Arntz suggested to another poster with similar problems:
"Could you post your HijackThis log
Download, Unzip and run HijackThis, Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don't fix anything yet."
HijackThis is available here: http://www.tomcoyote.org/hjt/
If you can run the app and post the log it makes here, people may be able to narrow down the culprit and help you out. As Pieter noted to the other poster, don't fix anything with HijackThis since if you try to fix a legit process you could run into worse problems. Just post the log.
Pieter_Arntz
July 7th, 2003, 03:37 AM
Hi BeenBit,
In this particular case (am I correct that the adult links appear to be on the Google site?) use this download location for the latest HijackThis beta:
http://www.spywareinfoforum.com/~merijn/files/beta/hijackthis.zip and post the log as sig described.
Regards,
Pieter
BeenBit
July 7th, 2003, 08:52 AM
Thanks very much, Sig and Pieter. I'll download and run HijackThis tonight when I get home and follow your directions to the letter. Don't worry -- I won't try to fix anything without the help of someone knowledgeable (not sure I'd know where to start anyway!).
To answer your question, Pieter, the adult links do pop up when certain words or phrases are typed into Google, but other words or phrases will not bring them to life. But they also appear when we are looking at other web pages that have absolutely nothing to do with sex.
I really appreciate your responses. Have a nice day!
BeenBit
BeenBit
July 7th, 2003, 10:09 PM
Hello,
This is the result of the HijackThis scan. Thank you.
Logfile of HijackThis v1.95.1
Scan saved at 10:10:17 PM, on 7/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\RAY.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TEMP\ZTV8365\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yourbookmarks.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\billmind.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
illukka
July 8th, 2003, 02:25 AM
O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
this looks like a version of Gator. Spybot should take care of this, but you will have to kill this process before doing a scan with Spybot.
kill the process, then scan, fix selected, reboot, then do another scan and again fix selected
Spybot is not able to delete items related to this if the damn thing is running
someone with more knowledge will tell you about the rest
Pieter_Arntz
July 8th, 2003, 04:50 AM
illukka is right:
Date Manager - calendar program. Spyware/adware based provided by The Gator Corporation :-X
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
R3 - Default URLSearchHook is missing
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe
Reboot after doing so, preferably into safe mode and delete:
C:\PROGRAM FILES\Date Manager <= entire folder
C:\Program Files\MoviePlace <= entire folder
c:\ray.exe
When you're done and you want to reset the IE restrictions you can do that in Spybot S&D under Immunize.
Regards,
Pieter
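An added example, not written by any poster in this thread and not HijackThis's own logic: a small Python triage over an excerpt of the log posted above, flagging three patterns that show up among the entries Pieter selected (a search setting pointing at a remote URL, a BHO registered with no file, an autorun executable sitting in a drive root). The three heuristics and the function name triage are assumptions made for illustration; a flagged line still needs a person to judge it before anything is fixed.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s (obfuscated)
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Shell] c:\ray.exe
"""

# "R1 - ...", "O4 - ...": section code, then the entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Autorun command whose executable sits directly in a drive root.
ROOT_EXE = re.compile(r'\]\s*"?[a-z]:\\[^\\"]+\.exe', re.I)


def triage(log_text):
    """Return (section, reason, entry) for lines worth a closer look.

    Illustrative heuristics only (assumptions, see lead-in).
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.groups()
        if section in ("R0", "R1"):
            name, _, data = body.partition(" = ")
            setting = name.rsplit("\\", 1)[-1]  # e.g. "Main,Default_Search_URL"
            if "search" in setting.lower() and data.lower().startswith("http"):
                findings.append((section, "search setting points at a remote URL", body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered but its file is missing", body))
        elif section == "O4" and ROOT_EXE.search(body):
            findings.append((section, "autorun executable in a drive root", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {entry}")
```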
BeenBit
July 9th, 2003, 01:12 PM
;D
Followed your instructions last night (which were very clear). . . and I think you guys licked it! I spent about 30 minutes surfing, especially using Google to search. Not a single objectionable web page popped up.
Thanks Pieter and all of you who figured this thing out!
BeenBit
Pieter_Arntz
July 9th, 2003, 01:14 PM
Glad we could help, BeenBit. :)
Regards,
Pieter
Copyright ©2002 - 2013, Wilders Security Forums