browser hijacked

Discussion in 'adware, spyware & hijack cleaning' started by Neo, Dec 7, 2003.

Thread Status:
Not open for further replies.
  1. Neo

    Neo Guest

    Can someone help me?! o_O

    Every time I click on my Internet Explorer browser, several popups come up. Then this huge maximized window pops up. I can't get rid of it.

    It covers all my short cut icons, so I have to use the task bar.

    If it helps, the white window reads:


    ********************************************


    Message from Internet Service consultant: This window should NOT remain maximized on most computers. It is SUPPOSED to remain invisible to launch time-delayed pop up messages in accordance with an ad-supported software product that you may have installed on your computer.

    If your computer will NOT hide this big white window, you may have spyware on your computer which is interfering with your ability to control hidden windows. Spyware also sends you unsolicited advertising, slows down your computer and could capture private information like credit card numbers and social security numbers, etc.

    I recommend that you install a "spyware removal" program so you can rid your computer of these parasites.

    **Link is in this line**
    I strongly recommend this link.
    **End of link**

    P.S. If you are experiencing a higher frequency of pop up messages, you should definitely consider downloading the spyware removal program. It will remove all of those annoying advertisements for good.

    Some users have reported that clicking on the white screen will make the task bar appear below.

    ********************************************

    Can anyone help me get rid of this?

    I have removed it using Adware, and one of the registered things Adware picked up is Marketscore, and some others.
    So far only Marketscore is being picked up on the second Adware scan.

    I removed it but it still happens!! :mad:

    HELP!!
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,877 | Location: New England

    What you need to do is post your HijackThis Log here so the experts can take a look and see if they can identify the cause for you. See this thread about posting a log...

    http://www.wilderssecurity.com/showthread.php?t=15913
     
  3. Neo

    Neo Guest

    I'm back

    Okay, I followed the steps in your thread except downloading HijackThis. I don't like the fact it doesn't distinguish between good and bad.

    HijackThis is probably for people who know what they're doing and know what the listed items are for. I don't, so I won't bother.

    Anyways, here are my results from Adware:

    ArchiveData(So this is it.....bckp)
    ======================================================

    MARKETSCORE(NETSETTER)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegKey : Software\Netsetter

    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=File : c:\documents and settings\raul\cookies\raul@advertising[2].txt
    obj[2]=File : c:\documents and settings\raul\cookies\raul@atdmt[2].txt
    obj[4]=File : c:\documents and settings\raul\cookies\raul@doubleclick[2].txt
    obj[5]=File : c:\documents and settings\raul\cookies\raul@ehg-oreilly.hitbox[2].txt
    obj[6]=File : c:\documents and settings\raul\cookies\raul@etype.adbureau[2].txt
    obj[7]=File : c:\documents and settings\raul\cookies\raul@fastclick[1].txt
    obj[8]=File : c:\documents and settings\raul\cookies\raul@gator[1].txt
    obj[9]=File : c:\documents and settings\raul\cookies\raul@hitbox[1].txt
    obj[10]=File : c:\documents and settings\raul\cookies\raul@hotlog[2].txt
    obj[11]=File : c:\documents and settings\raul\cookies\raul@mediaplex[1].txt
    obj[12]=File : c:\documents and settings\raul\cookies\raul@phg.hitbox[2].txt
    obj[13]=File : c:\documents and settings\raul\cookies\raul@qksrv[1].txt
    obj[14]=File : c:\documents and settings\raul\cookies\raul@servedby.advertising[2].txt
    obj[15]=File : c:\documents and settings\raul\cookies\raul@tribalfusion[1].txt

    OTHER
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[3]=File : c:\documents and settings\raul\cookies\raul@cgi-bin[1].txt

    CYDOOR
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[16]=File : c:\documents and settings\raul\local settings\temp\cd_clint.dll
    obj[24]=File : c:\windows\temp\adware\cd_install_291.exe
    obj[25]=File : c:\windows\temp\adware\cd_install_329.exe

    MSVIEW
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[17]=File : c:\documents and settings\raul\local settings\temp\msview.dll
    obj[18]=File : c:\documents and settings\raul\local settings\temp\msvprep.exe
    obj[22]=File : c:\windows\lastgood\msview.dll
    obj[23]=File : c:\windows\lastgood\msvprep.exe
    obj[29]=File : c:\windows\msview.dll
    obj[30]=File : c:\windows\msvprep.exe
    obj[31]=File : c:\windows\inf\msview.inf

    KONTIKI
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[19]=Folder : C:\Documents and Settings\Rolando M\Application Data\Kontiki
    obj[20]=Folder : C:\Program Files\Kontiki

    EACCELERATION
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[21]=File : c:\recycler\s-1-5-21-1801674531-436374069-854245398-1010\dc104\eanthology manager.lnk

    BRILLIANTDIGITAL
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[26]=File : c:\windows\temp\altnet\bdedownloader.dll
    obj[27]=File : c:\windows\temp\altnet\bdefdi.dll

    IPINSIGHT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[28]=File : c:\windows\ipinsigt.dll



    After I finished using Adware I clicked on my browser, AND I was still hit with a stack of annoying popups.

    This one I found interesting:




    **********************************************

    B U L L E T I N :

    Take control. Don't let spyware software change your start page!
    The newest version of SPY WIPER now stops unauthorized spyware actions
    including the switch of your default start page!

    IT'S ABOUT TIME!

    CLICK HERE TO DOWNLOAD THE NEWEST VERSION OF SPY WIPER!

    Every time you open your Internet Explorer, the page YOU CHOOSE will
    load up, without spyware forcing you to the page of THEIR choice.

    Plus eliminate all annoying spyware-forced POP UP ads!

    It's about time YOU take control over your computer!

    And now it's EASY. Just download SPY WIPER today and
    finally enjoy your computer experience again.

    THIS DOWNLOAD WILL ONLY BE AVAILABLE FOR A VERY LIMITED
    TIME SO IF YOU WANT TO ENJOY YOUR COMPUTER EXPERIENCE
    AGAIN, PLEASE ACT NOW OR YOU MAY MISS OUT FOREVER...

    CLICK HERE TO DOWNLOAD THE NEWEST VERSION OF SPY WIPER!


    (Please note the default-homepage-network.com is NOT itself spyware
    but if you are seeing this message your system needs to be protected
    by SPY WIPER to eliminate spyware-forced start page switches and
    annoying spyware-forced pop up ads.)


    **********************************************

    and....



    **********************************************


    If your NOTEPAD launched and is displaying this message...

    Then "Spyware" programmers can control applications on
    YOUR computer and it is URGENT that you download SPY WIPER
    immediately. Do not allow spyware programs to damage your
    insecure computer!!

    (See other window)

    **********************************************

    It actually opened my Notepad!!!!!!!!!!!!!!

    This is also part of it



    ********************************************

    WARNING!!

    If your cd-rom drive(s) open...

    You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY!

    Spyware programmers can control your computer hardware if you fail to protect your computer right at this moment!

    Download Spy Wiper NOW!

    (See other window)

    **********************************************

    It opened my CD-ROM drive. It was kewl, but I'm worried: should popups have the power to do this, or is it spyware?!

    The link for the site is:

    http://default-homepage-network.com/index2.html

    I don't know if you'll fall into the same trap by going through the link, but go at your own risk. I don't know.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,877 | Location: New England

    That's what we're here for. HijackThis won't automatically fix anything for you. You just follow the steps about generating the log and paste it into a reply here and the experts will analyze it for you and let you know if it found the cause of the problem.

    Without that log, we really can't help you get rid of the pop-ups. :doubt:
     
  5. Neo

    Neo Guest

    Well, I finally downloaded it, and it sure didn't take long to download. The results are down below. Have fun!!


    Logfile of HijackThis v1.97.7
    Scan saved at 3:43:58 PM, on 12/7/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Kazaa Lite K++\Kazaa.kpp
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\Rar$EX01.796\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    O1 - Hosts: 1089288654 auto.search.msn.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\Kazaa.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~1\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,877 | Location: New England

    Yes, it's a small download and a powerful little tool. :)

    Now, there is no telling when the next expert will stop through and analyze the log, (many are in different time zones), so check back periodically and look for replies.
     
  7. Peaches4U

    Peaches4U Registered Member

    Joined: Nov 22, 2002 | Posts: 5,070 | Location: At my computer

    Here is some reading material you might find interesting about this hijacker while you are waiting for one of the experts here to decipher your Hijack It log. The help you will receive here is top notch. :cool:

    http://www.computing.net/security/wwwboard/forum/7791.html
     
  8. Neo

    Neo Guest

    Wow, peachez4u :D

    I think u hit the nail on the head. Too bad those guys there, too, are still trying to figure it out.
     
  9. Peaches4U

    Peaches4U Registered Member

    Joined: Nov 22, 2002 | Posts: 5,070 | Location: At my computer

    Neo - I meant you will get top notch help at Wilders - after reading my post again I was not too specific. :oops: Anyway that forum I pointed you to is good reading until your log is read. Meanwhile, rest assured that here at Wilders, your log will be read and they will help you. :cool:

    WILDERS, a place of learning and sharing knowledge.
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined: May 18, 2003 | Posts: 1,495 | Location: Sunny San Diego

    Hi neo,

    Welcome to Wilders! :)

    There are a couple things on the log that I am unsure of (more below) but at least to get you started in the right direction on the more certain ones...

    Please close out of all other programs/windows and select and fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    O1 - Hosts: 1089288654 auto.search.msn.com

    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

    Once this is done, please reboot and see if the problem goes away. Even if it doesn't, I would recommend you return here to see if Pieter, Tony or one of the others has more input on the things I am unsure of, namely:

    O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe

    Which I could find no good or bad or indifferent info on, and given the source may be a problem.

    Also, I believe that since you are using Kazaa lite the GMT is just a dummy and not the actual spyware but again, I am not positive on that one either
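
Added example, not part of the original thread or any poster's own code: a Python script that does the kind of first-pass triage Dan performs by eye above, run over a constructed subset of the HijackThis lines Neo posted. The `EXPECTED_DOMAINS` allowlist and all function names are assumptions for illustration; it also decodes the all-digit address in the `O1` hosts entry into dotted form.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\WinterSports4 (1).exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
"""

# Assumption for illustration: domains a reviewer would accept in IE start/search values.
EXPECTED_DOMAINS = ("microsoft.com", "msn.com")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def is_expected(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def review_entry(line):
    """Return (code, [reasons]) for one HijackThis entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    reasons = []
    if code in ("R0", "R1"):  # IE start/search page values
        _, _, value = body.partition(" = ")
        if value.endswith("(obfuscated)"):
            reasons.append("entry carries the (obfuscated) marker")
            value = value[: -len("(obfuscated)")]
        tokens = value.split()
        host = urlsplit(tokens[0]).hostname if tokens else None
        if host and not is_expected(host):
            reasons.append("IE setting points at " + host)
    elif code == "O1":  # hosts-file redirection
        fields = body.split()
        if len(fields) >= 3:
            raw, name = fields[1], fields[2]
            # An all-digit address is the 32-bit integer form of an IPv4 address.
            addr = ipaddress.ip_address(int(raw) if raw.isdigit() else raw)
            if not addr.is_loopback:
                reasons.append(f"hosts file maps {name} to {addr}")
    elif code == "O4" and "shared folder" in body.lower():
        reasons.append("autostart entry runs a file from a P2P shared folder")
    elif code == "O10" and "missing" in body:
        reasons.append("Winsock LSP chain references a missing provider")
    return code, reasons

def review_log(text):
    """Return only the entries that carry at least one reason to look closer."""
    results = (review_entry(line) for line in text.splitlines())
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for code, reasons in review_log(SAMPLE_LOG):
        print(code, "; ".join(reasons))
```

The output is a shortlist for a human reviewer, not a verdict: entries such as the `GMT.exe` startup item discussed in this thread still need someone who knows the software to judge them.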
     
  11. Neo

    Neo Guest

    Job well done guys and especially Dan.

    My Internet Explorer is running as usual. No more annoying popups showing up every time at startup, or that strange homepage u, Dan, helped me remove showing up.

    Thanks u guys, u saved me some needed time.

    I'll keep u guys posted if I come up on any problems.

    And as a token of my appreciation I would like to share these sites, unless u guys have already found them then u need to know:



    http://www.mausland.de/

    Funny site, some nudity, skip nudity by clicking

    --Click here for tons of more Mausland -Games and -Movies.--

    on bottom of each page




    http://www.tankmania.com/

    A fun multiplayer tank game. It's simple graphics, I know, but I enjoy it. The site is sometimes out of line so keep checking.
     
  12. Unzy

    Unzy Registered Member

    Joined: Nov 2, 2003 | Posts: 1,098 | Location: Belgium

    Hi all,

    Good job guys,

    You can add these to Dan's list as well :

    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    Reboot after doing so and remove :

    c:\program files\altnet <- this folder
    c:\Program Files\Common Files\GMT <- this folder

    Take care

    Cheers,
     