browser hijacked

Can someone help me?!

Everytime I click on my Internet explorer browser, serveral popups come up. Then this huge maximized window popups. I can't get rid of it.

It covers all my short cut icons, so I have to use the task bar.

If it helps it reads the white window reads:


********************************************


Message from Internet Service consultant: This window should NOT remain maximized on most computers. It is SUPPOSED to remain invisible to launch time-delayed pop up messages in accordance with an ad-supported software product that you may have installed on your computer.

If your computer will NOT hide this big white window, you may have spyware on your computer which is interfering with your ability to control hidden windwos. Spyware also sends you unsolicited advertising, slows down your computer and could capture private infromation like credit card numbers and social security numbers, etc.

I recomment that you install a "spyware removal" program so you can rid your computer of these parasites.

**Link is in this line**
I strongly reommend this link.
**End of link**

P.S. If your are expericiencing a higher frequency of pop up messages, you should definately consider downloading the spyware removal program. It will remove all of those annoying advertisements for good.

Some users have reported that clicking on the wite screen will make the task bar appear below.

********************************************

Can anyone help me get rid of this?

I have removed it using adware, and one registered things adware pick-up is Market score and some others.
So far only marketscore is being pick up on second Adware scan.

I removed it but it still happends!!

HELP!!

 

Im back

Okay, I followed the steps in your thread except downloading HijackThis. I don't like the fact it doesn't distinguish between good and bad.

HijackThis is probably for people who know what there doing, and know what is listed is for, I don't, so I won't bother.

Anyways, here are my results from Adware:

ArchiveData(So this is it.....bckp)
======================================================

MARKETSCORE(NETSETTER)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : Software\Netsetter

TRACKING COOKIE
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=File : c:\documents and settings\raul\cookies\raul@advertising[2].txt
obj[2]=File : c:\documents and settings\raul\cookies\raul@atdmt[2].txt
obj[4]=File : c:\documents and settings\raul\cookies\raul@doubleclick[2].txt
obj[5]=File : c:\documents and settings\raul\cookies\raul@ehg-oreilly.hitbox[2].txt
obj[6]=File : c:\documents and settings\raul\cookies\raul@etype.adbureau[2].txt
obj[7]=File : c:\documents and settings\raul\cookies\raul@fastclick[1].txt
obj[8]=File : c:\documents and settings\raul\cookies\raul@gator[1].txt
obj[9]=File : c:\documents and settings\raul\cookies\raul@hitbox[1].txt
obj[10]=File : c:\documents and settings\raul\cookies\raul@hotlog[2].txt
obj[11]=File : c:\documents and settings\raul\cookies\raul@mediaplex[1].txt
obj[12]=File : c:\documents and settings\raul\cookies\raul@phg.hitbox[2].txt
obj[13]=File : c:\documents and settings\raul\cookies\raul@qksrv[1].txt
obj[14]=File : c:\documents and settings\raul\cookies\raul@servedby.advertising[2].txt
obj[15]=File : c:\documents and settings\raul\cookies\raul@tribalfusion[1].txt

OTHER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[3]=File : c:\documents and settings\raul\cookies\raul@cgi-bin[1].txt

CYDOOR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[16]=File : c:\documents and settings\raul\local settings\temp\cd_clint.dll
obj[24]=File : c:\windows\temp\adware\cd_install_291.exe
obj[25]=File : c:\windows\temp\adware\cd_install_329.exe

MSVIEW
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[17]=File : c:\documents and settings\raul\local settings\temp\msview.dll
obj[18]=File : c:\documents and settings\raul\local settings\temp\msvprep.exe
obj[22]=File : c:\windows\lastgood\msview.dll
obj[23]=File : c:\windows\lastgood\msvprep.exe
obj[29]=File : c:\windows\msview.dll
obj[30]=File : c:\windows\msvprep.exe
obj[31]=File : c:\windows\inf\msview.inf

KONTIKI
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[19]=Folder : C:\Documents and Settings\Rolando M\Application Data\Kontiki
obj[20]=Folder : C:\Program Files\Kontiki

EACCELERATION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[21]=File : c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc104\eanthology manager.lnk

BRILLIANTDIGITAL
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[26]=File : c:\windows\temp\altnet\bdedownloader.dll
obj[27]=File : c:\windows\temp\altnet\bdefdi.dll

IPINSIGHT
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[28]=File : c:\windows\ipinsigt.dll



After I finished using adware I click on my browser, AND i was still hit with a stack of annoying popups.

This one I found interesting:




**********************************************

B U L L E T I N :

Take control. Don't let spyware software change your start page!
The newest version of SPY WIPER now stops unauthorized spyware actions
including the switch of your default start page!

IT'S ABOUT TIME!

CLICK HERE TO DOWNLOAD THE NEWEST VERSION OF SPY WIPER!

Every time you open your Internet Explorer, the page YOU CHOOSE will
load up, without spyware forcing you to the page of THEIR choice.

Plus eliminate all annoying spyware-forced POP UP ads!

It's about time YOU take control over your computer!

And now it's EASY. Just download SPY WIPER today and
finally enjoy your computer experience again.

THIS DOWNLOAD WILL ONLY BE AVAILABLE FOR A VERY LIMITED
TIME SO IF YOU WANT TO ENJOY YOUR COMPUTER EXPERIENCE
AGAIN, PLEASE ACT NOW OR YOU MAY MISS OUT FOREVER...

CLICK HERE TO DOWNLOAD THE NEWEST VERSION OF SPY WIPER!


(Please note the default-homepage-network.com is NOT itself spyware
but if you are seeing this message your system needs to be protected
by SPY WIPER to eliminate spyrware-forced start page switches and
annoying spyware-forced pop up ads.)


**********************************************

and....



**********************************************


If your NOTEPAD launched and is displaying this message...

Then "Spyware" programmers can control applications on
YOUR computer and it is URGENT that you download SPY WIPER
immediately. Do not allow spyware programs to damage your
insecure computer!!

(See other window)

**********************************************

it actually open my notepad!!!!!!!!!!!!!!

This is also part of it



********************************************

WARNING!!

If your cd-rom drive(s) open...

You DESPERATELY NEED to rid of your systyem of spyware pop-ups IMMEDIATELY!

Spyware programmers can control your computer hardware if you fail to protect you computer right at this momen!

Download Spy Wiper NOW!

(See other window)

**********************************************

It opened my cd-rom drive. It was kewl, but i'm worried should popups have the power to this, or is it spyware?!

The link for the site is:

http://default-homepage-network.com/index2.html

I don't know if you'll fall through the same trap by going through the link, but go at your on risk. I don;t know.

 

Well, I finally downloaded it, and it sure didn't take long to download. The results are down below. have fun!!


Logfile of HijackThis v1.97.7
Scan saved at 3:43:58 PM, on 12/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Kazaa Lite K++\Kazaa.kpp
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\Rar$EX01.796\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\Kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~1\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

 

Here is some reading material you might find interesting about this hijacker while you are waiting for one of the experts here to decipher your Hijack It log. The help you will receive here is top notch.

http://www.computing.net/security/wwwboard/forum/7791.html

 

Wow, peachez4u

I think u hit the nail on head. Too bad those guys there too, are still trying to figure it out.

 

Neo - I meant you will get top notch help at Wilders - after reading my post again I was not too specific. Anyway that forum I pointed you to is good reading until your log is read. Meanwhile, rest assured that here at Wilders, your log will be read and they will help you.

http://www.gifs.net/animate/welcome5.gifWILDERS, a place of learning and sharing knowledge.

 

Hi neo,

Welcome to Wilders!

There are a couple things on the log that I am unsure of (more below) but at least to get you started in the right direction on the more certain ones...

Please close out of all other programs/windows and select and fix the following;

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com

O10 - Broken Internet access because of LSP provider 'osmim.dll' missing

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Once this is done, please reboot and see if the problem goes away. Even if it doesn't I would recommend you return here to see if Pieter, Tony or one of the others has more input on the things I am unsure of, namely

O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe

Which I could find no good or bad or indifferent info on and given the source may be a problem.

Also, I believe that since you are using Kazaa lite the GMT is just a dummy and not the actual spyware but again, I am not positive on that one either

 

Job well done guys and especially Dan.

My Internet explorer is running up as usual. No more annoying popups showing up everytime at startup or that strange homepage u, Dan, help me removed shows up.

Thanks u guys, u saved me some needed time.

I'll keep u guys posted if I come up on any problems.

And as a token of my appreciation I would like to share these sites, unless u guys have already found them then u need to know:



http://www.mausland.de/

Funny site, some nudity, skip nudity by clicking

--Click here for tons of more Mausland -Games and -Movies.--

on bottom of each page




http://www.tankmania.com/

A fun multiplayer tank game. Its simple graphics I know but i enjoy it. The site is some times out of line so keep checking.

 

Hi all,

Good job guys,

You can add these to Dan's list as well :

O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Reboot after doing so and remove :

c:\program files\altnet <- this folder
c:\Program Files\Common Files\GMT <- this folder

Take care

Cheers,