#1
HELP!

I am having problems with some type of hijacker that will replace web pages I am visiting with various adult pages that are aggressive and way too raunchy for my teenagers to see. We can even be searching in Google and the pages will pop up to take the place of the Google site on the screen. Before this weekend when I installed Spybot Search and Destroy, Ad-aware 6, SpywareBlaster, and BrowserHijackBlaster, we couldn't even surf the internet without all types of popups, including the adult ones referred to above. (I may have gone overboard with all this downloaded software, but we really want to get rid of this stuff.) Now I have managed to get rid of all except for the adult ones described above. Is it possible to find what is causing these (I assume it's something hidden in my computer) and get rid of it? My computer runs Windows 98 Second Edition.

I must apologize upfront to anyone who gets involved in helping me, as I would describe my computer skills as novice at best. As such, you might go stark raving mad trying to provide basic instructions. Thanks for any help!

BeenBit
#2
Ah, good Paul saw and moved the thread before I could ask. But here's what I was going to post in response:
I've looked at another thread to see how you can provide more info that may be helpful to determine what you have on your PC and how to get rid of it. Pieter Arntz suggested to another poster with similar problems:

"Could you post your HijackThis log Download, Unzip and run HijackTHis, Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post. Don't fix anything yet."

Hijack this is available here: http://www.tomcoyote.org/hjt/

If you can run the app and post the log it makes here, people maybe can narrow down the culprit and help you out. As Pieter noted to the other poster, don't fix anything with Hijack This since if you try to fix a legit process you could run into worse problems. Just post the log.
#3
Hi BeenBit,

In this particular case (am I correct that the adult links appear to be on the Google site?) use this download location for the latest HijackThis beta:

direct download link http://www.spywareinfoforum.com/~merijn/files/beta/hijackthis.zip

and post the log as sig described.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
#4
Thanks very much, Sig and Pieter. I'll download and run HijackThis tonight when I get home and follow your directions to the letter. Don't worry -- I won't try to fix anything without the help of someone knowledgeable (not sure I'd know where to start anyway!).
To answer your question, Pieter, the adult links do popup when certain words or phrases are typed into Google, but other words or phrases will not bring them to life. But they also appear when we are looking at other web pages that have absolutely nothing to do with sex. I really appreciate your responses. Have a nice day!

BeenBit
#5
Hello,

This is the result of the HijackThis scan. Thank you.

Logfile of HijackThis v1.95.1
Scan saved at 10:10:17 PM, on 7/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\RAY.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TEMP\ZTV8365\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yourbookmarks.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\billmind.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
#6
O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
This looks like a version of Gator. Spybot should take care of this, but you will have to kill this process before doing a scan with Spybot. Kill the process, then scan, fix selected, reboot, then do another scan and again fix selected. Spybot is not able to delete items related to this if the damn thing is running.

Someone with more knowledge will tell you about the rest.
__________________
a proud supporter of THE GLORIOUS REDS
To Ride, Shoot Straight And Speak The Truth
#7
illuka is right:
Date Manager - calendar program. Spyware/adware based provided by The Gator Corporation

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
R3 - Default URLSearchHook is missing
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe

Reboot after doing so, preferably into safe mode and delete:

C:\PROGRAM FILES\Date Manager <= entire folder
C:\Program Files\MoviePlace <= entire folder
c:\ray.exe

When you're done and you want to reset the IE restrictions you can do that in Spybot S&D under Immunize.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
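
Added example, not part of the original thread and not how HijackThis or the helpers above decide what to fix: a small triage pass over HijackThis log lines that flags entries on structure alone. The rules and the EXPECTED_DOMAINS allowlist are assumptions made for illustration; items recognised by name, such as Date Manager or MoviePlace, still need a reviewer who knows the software.

```python
import re
from urllib.parse import urlparse

# Entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1114030225/VBouncerOuter1114.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Assumption: domains this household expects to see in its IE settings.
EXPECTED_DOMAINS = ("earthlink.net",)

def review(line):
    """Return a reason string if the entry deserves a closer look, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1") and " = http" in body:
        host = urlparse(body.split(" = ", 1)[1].split()[0]).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS):
            return "IE page/search setting points at unexpected host " + host
    if code == "O2" and body.endswith("(no file)"):
        return "BHO is registered but its file is missing"
    if code == "O4" and re.search(r'\] "?[a-z]:\\[^\\]+\.exe', body, re.I):
        return "autostart program sits directly in the drive root"
    if code == "O16" and body.lower().endswith(".exe"):
        return "ActiveX entry was installed from a bare .exe download"
    return None

def triage(log_text):
    """Map each flagged log line to the reason it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        reason = review(line)
        if reason:
            flagged[line.strip()] = reason
    return flagged

for entry, reason in triage(SAMPLE_LOG).items():
    print(f"{reason}: {entry}")
```

All four lines it flags in this excerpt are on the fix list above; nothing it reports should be fixed without the kind of review the thread asks for.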
#8
Followed your instructions last night (which were very clear). . . and I think you guys licked it! I spent about 30 minutes surfing, especially using Google to search. Not a single objectionable web page popped up. Thanks Pieter and all of you who figured this thing out!

BeenBit
#9
Glad we could help, BeenBit.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.