View Full Version : Hastalavista Baby


Jeremy
August 14th, 2003, 03:44 PM
I've been attacked! Hastalavista, baby.
Yea, I got it. Now what do I do about it?
I've installed Spybot - Search and Destroy which
claims to have eradicated the rogue. But my
browser KEEPS REDIRECTING ME to hastalavista.com.
This sucks!!! I change it - it changes back. Then some
dumb casino place keeps popping up, too.
I don't know what to do, but I wish this program
really would say "Hastalavista" and get off my PC!!!!

Pieter_Arntz
August 14th, 2003, 04:03 PM
Hi Jeremy,

Could you post your HijackThis log (http://www.tomcoyote.org/hjt/)?
Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don't fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

Jooske
August 14th, 2003, 04:07 PM
Hasta nunca would be better than that (till never again!)
Pieter will certainly help you out.

Jeremy
August 14th, 2003, 06:14 PM
Here's my list from Hijack This!

Logfile of HijackThis v1.96.0
Scan saved at 4:11:32 PM, on 8/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\cisvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\cyb2k.exe
D:\WINDOWS\System32\regsvc32.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
D:\Program Files\AWS\WeatherBug\Weather.exe
D:\Program Files\PopUp Killer 4 Free\puk4f.exe
D:\Program Files\Utilities\Print Now\printnow.exe
D:\Program Files\Utilities\Tray Minimizer\traymin.exe
D:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
D:\WINDOWS\System32\cidaemon.exe
D:\Documents and Settings\Jeremy Conrad\Local Settings\Temp\HijackThis.exe
D:\Program Files\SuccessW\SuccessWare Client.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hastalavista.com/2/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Waldron's Photography
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] D:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [C2K] D:\WINDOWS\cyb2k.exe
O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] D:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Terminate Popup] D:\Program Files\PopUp Killer 4 Free\puk4f.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Print Now.lnk = D:\Program Files\Utilities\Print Now\printnow.exe
O4 - Startup: TrayMin.lnk = D:\Program Files\Utilities\Tray Minimizer\traymin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} - http://a19.g.akamai.net/7/19/7125/1268/ftp.coupons.com/v6/brix6ie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBAA784-69D8-4893-9329-9643B1FA090D}: NameServer = 206.222.97.82,206.222.97.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB79B97D-619D-4D92-82CB-1ADB60EC2249}: NameServer = 206.222.97.82,206.222.97.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DBAA784-69D8-4893-9329-9643B1FA090D}: NameServer = 206.222.97.82,206.222.97.50

Pieter_Arntz
August 15th, 2003, 02:13 AM
Hi Jeremy,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hastalavista.com/2/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s

O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.DLL__SpybotSDDisabled (file missing)

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Reboot after doing so, preferably into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
and delete:
D:\WINDOWS\System32\regsvc32.exe

Regards,

Pieter
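A defender-side check that automates the triage Pieter did by hand above: it scans HijackThis-style lines for IE settings pointing at the hijacker domain, autorun entries launching the file he told Jeremy to delete, and toolbar entries with no backing file. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the log posted above, and the domain and file lists are assumptions taken from this thread only.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.hastalavista.com/ie/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.hastalavista.com/2/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Waldron's Photography
O4 - HKLM\\..\\Run: [ccApp] "D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [MSRegSvc] D:\\WINDOWS\\System32\\regsvc32.exe
O4 - HKLM\\..\\Run: [regsvc32] D:\\WINDOWS\\System32\\regsvc32.exe
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
"""

HIJACK_DOMAINS = {"hastalavista.com"}   # assumed list: the domain named in this thread
SUSPECT_FILES = {"regsvc32.exe"}        # assumed list: the file Pieter had deleted

O4_LINE = re.compile(r"^O4 - .+?: \[[^\]]+\] (.+)$")
EXE_PATH = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)  # first .exe path, quoted or not

def _host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def flag_lines(log_text):
    """Return (line, reason) pairs that deserve a 'Fix checked' or a file delete."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line[:2] in ("R0", "R1") and " = " in line:
            value = line.split(" = ", 1)[1].strip()
            if value.startswith("http") and _host(value) in HIJACK_DOMAINS:
                findings.append((line, "IE setting points to hijacker domain"))
        elif line.startswith("O4 - "):
            m = O4_LINE.match(line)
            p = EXE_PATH.match(m.group(1)) if m else None
            if p and p.group(1).rsplit("\\", 1)[-1].lower() in SUSPECT_FILES:
                findings.append((line, "autorun launches suspect file"))
        elif line.startswith("O3 - Toolbar:") and line.endswith("(no file)"):
            findings.append((line, "toolbar entry with no backing file"))
    return findings

if __name__ == "__main__":
    for line, reason in flag_lines(SAMPLE_LOG):
        print(f"{reason}: {line}")
```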

Jeremy
August 15th, 2003, 01:52 PM
Did all that. Thought it was gone. Just opened up IE and hastalavista.com came up again.

Paul Wilders
August 15th, 2003, 02:33 PM
Quoting Jeremy:
Did all that. Thought it was gone. Just opened up IE and hastalavista.com came up again.

In case you are running an O/S with System Restore, like XP for example, that figures. Disable System Restore and perform the actions once more. You can safely enable SR after doing so.

Keep us posted ;)

regards,

paul