Aggressive Web Page Hijacker

Discussion in 'privacy problems' started by BeenBit, Jul 6, 2003.

Thread Status:
Not open for further replies.
  1. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    HELP! :mad:I am having problems with some type of hijacker that will replace web pages I am
    visiting with various adult pages that are aggressive and way too raunchy for my teenagers
    to see. We can even be searching in Google and the pages will pop up to take the place of
    the Google site on the screen. Before this weekend when I installed Spybot Search and
    Destroy, Ad-aware 6, SpywareBlaster, and BrowserHijackBlaster, we couldn’t even surf
    the internet without all types of popups, including the adult ones referred to above. (I may
    have gone overboard with all this downloaded software, but we really want to get rid of
    this stuff.) Now I have managed to get rid of all except for the adult ones described
    above. Is it possible to find what is causing these (I assume it’s something hidden in my
    computer) and get rid of it? My computer runs Windows 98 Second Edition.

    I must apologize upfront to anyone who gets involved in helping me, as I would describe
    my computer skills as novice at best. As such, you might go stark raving mad trying to
    provide basic instructions.

    Thanks for any help!

    BeenBit o_O
     
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Ah, good Paul saw and moved the thread before I could ask. But here's what I was going to post in response:

    I've looked at another thread to see how you can provide more info that may be helpful to determine what you have on your PC and how to get rid of it. Pieter Arntz suggested to another poster with similar problems:

    "Could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet."

    HijackThis is available here: http://www.tomcoyote.org/hjt/

    If you can run the app and post the log it makes here, people maybe can narrow down the culprit and help you out. As Pieter noted to the other poster, don't fix anything with HijackThis, since if you try to fix a legit process you could run into worse problems. Just post the log.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi BeenBit,

    In this particular case (am I correct that the adult links appear to be on the Google site) use this download location for the latest HijackThis beta: direct download link
    http://www.spywareinfoforum.com/~merijn/files/beta/hijackthis.zip and post the log as sig described.

    Regards,

    Pieter
     
  4. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    Thanks very much, Sig and Pieter. I'll download and run HijackThis tonight when I get home and follow your directions to the letter. Don't worry -- I won't try to fix anything without the help of someone knowledgeable (not sure I'd know where to start anyway!).

    To answer your question, Pieter, the adult links do pop up when certain words or phrases are typed into Google, but other words or phrases will not bring them to life. But they also appear when we are looking at other web pages that have absolutely nothing to do with sex.

    I really appreciate your responses. Have a nice day!

    BeenBit
     
  5. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    Hello,

    This is the result of the HijackThis scan. Thank you.
    Logfile of HijackThis v1.95.1
    Scan saved at 10:10:17 PM, on 7/7/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\RAY.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TEMP\ZTV8365\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yourbookmarks.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
    R3 - Default URLSearchHook is missing
    F1 - win.ini: load=ptsnoop.exe
    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
    O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
    O4 - HKLM\..\Run: [Shell] c:\ray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\bagent.exe
    O4 - Startup: Quicken Startup.lnk = C:\Program Files\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\Program Files\billmind.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
    this looks like a version of Gator. Spybot should take care of this, but you will have to kill this process before doing a scan with Spybot..
    kill the process then scan, fix selected reboot then do another scan again fix selected
    spybot is not able to delete items related to this if the damn thing is running
    someone with more knowledge will tell you about the rest
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    illukka is right:

    Date Manager - calendar program. Spyware/adware based, provided by The Gator Corporation :blink:

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
    R3 - Default URLSearchHook is missing
    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
    O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
    O4 - HKLM\..\Run: [Shell] c:\ray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe

    Reboot after doing so, preferably into safe mode and delete:
    C:\PROGRAM FILES\Date Manager <= entire folder
    C:\Program Files\MoviePlace <= entire folder
    c:\ray.exe

    When you're done and you want to reset the IE restrictions, you can do that in Spybot S&D under Immunize.

    Regards,

    Pieter
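A small triage helper, added here as an illustration and not part of this thread or of HijackThis itself, that applies the kind of checks Pieter's pick list reflects to lines taken from the posted log: it flags IE start/search URLs and ActiveX (O16) downloads whose host is not on the user's expected-domain list (assumed here to be earthlink.net and macromedia.com), orphaned BHOs, autostart entries that run an executable from the drive root, a missing URLSearchHook, and IE policy restrictions.

```python
import re
from urllib.parse import urlparse
# Sample lines constructed from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s (obfuscated)
R3 - Default URLSearchHook is missing
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
# Domains this particular user would expect to see (assumption: the ISP's start page, Flash's vendor).
DEFAULT_ALLOW = ("earthlink.net", "macromedia.com")
LINE_RE = re.compile(r"^([A-Z]\d+) - (.+)$")          # "O4 - <body>"
URL_RE = re.compile(r"https?://\S+")
ROOT_EXE_RE = re.compile(r'\b[a-z]:\\[^\\\s"]+\.exe\b', re.I)  # c:\ray.exe, but not c:\windows\x.exe
def unexpected_host(body, allow):
    # Host of the first URL on the line, unless it belongs to an allowed domain.
    m = URL_RE.search(body)
    host = urlparse(m.group()).hostname if m else None
    return host if host and not any(host == d or host.endswith("." + d) for d in allow) else None

def triage(log, allow=DEFAULT_ALLOW):
    # Returns (code, reason, line) for every log line that deserves a closer look.
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        reason = None
        if code.startswith("R") and "missing" in body:
            reason = "default URLSearchHook missing (commonly replaced by a hijacker)"
        elif code.startswith("R") or code == "O16":
            host = unexpected_host(body, allow)
            if host:
                reason = f"{'ActiveX download' if code == 'O16' else 'IE URL'} from unexpected host {host}"
        elif code == "O2" and body.endswith("(no file)"):
            reason = "BHO registered but its DLL is gone (orphaned entry)"
        elif code == "O4" and ROOT_EXE_RE.search(body):
            reason = "autostart entry runs an executable sitting in the drive root"
        elif code == "O6":
            reason = "IE policy restrictions present (hijackers set these to hinder repair)"
        if reason:
            findings.append((code, reason, raw.strip()))
    return findings
```

Anything it flags is a candidate for review, not an automatic fix; a host that is merely unfamiliar (yourbookmarks.info in the full log, for instance) still needs a judgement call from someone who knows the machine.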
     
  8. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    :D

    Followed your instructions last night (which were very clear . . .) and I think you guys licked it! I spent about 30 minutes surfing, especially using Google to search. Not a single objectionable web page popped up.

    Thanks Pieter and all of you who figured this thing out!

    BeenBit
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Glad we could help, BeenBit. :)

    Regards,

    Pieter
     