Hastalavista Baby

Discussion in 'privacy problems' started by Jeremy, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. Jeremy

    Jeremy Guest

    I've been attacked! Hastalavista, baby.
    Yea, I got it. Now what do I do about it?
    I've installed Spybot - Search and Destroy which
    claims to have eradicated the rogue. But my
    browser KEEPS REDIRECTING ME to hastalavista.com.
    This sucks!!! I change it - it changes back. Then some
    dumb casino place keeps popping up, too.
    I don't know what to do, but I wish this program
    really would say "Hastalavista" and get off my PC!!!!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jeremy,

    Could you post your HijackThis log?
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hasta nunca would be better then (till never again!)
    Pieter will certainly help you out.
     
  4. Jeremy

    Jeremy Guest

    Here's my list from Hijack This!

    Logfile of HijackThis v1.96.0
    Scan saved at 4:11:32 PM, on 8/14/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\System32\cisvc.exe
    D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\taskswitch.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\cyb2k.exe
    D:\WINDOWS\System32\regsvc32.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    D:\Program Files\AWS\WeatherBug\Weather.exe
    D:\Program Files\PopUp Killer 4 Free\puk4f.exe
    D:\Program Files\Utilities\Print Now\printnow.exe
    D:\Program Files\Utilities\Tray Minimizer\traymin.exe
    D:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
    D:\WINDOWS\System32\cidaemon.exe
    D:\Documents and Settings\Jeremy Conrad\Local Settings\Temp\HijackThis.exe
    D:\Program Files\SuccessW\SuccessWare Client.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hastalavista.com/2/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Waldron's Photography
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.DLL__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
    O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] D:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [C2K] D:\WINDOWS\cyb2k.exe
    O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
    O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [Weather] D:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Terminate Popup] D:\Program Files\PopUp Killer 4 Free\puk4f.exe
    O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Print Now.lnk = D:\Program Files\Utilities\Print Now\printnow.exe
    O4 - Startup: TrayMin.lnk = D:\Program Files\Utilities\Tray Minimizer\traymin.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} - http://a19.g.akamai.net/7/19/7125/1268/ftp.coupons.com/v6/brix6ie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBAA784-69D8-4893-9329-9643B1FA090D}: NameServer = 206.222.97.82,206.222.97.50
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB79B97D-619D-4D92-82CB-1ADB60EC2249}: NameServer = 206.222.97.82,206.222.97.50
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2DBAA784-69D8-4893-9329-9643B1FA090D}: NameServer = 206.222.97.82,206.222.97.50
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jeremy,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hastalavista.com/2/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s

    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.DLL__SpybotSDDisabled (file missing)

    O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

    O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
    O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Reboot after doing so, preferably into safe mode
    and delete:
    D:\WINDOWS\System32\regsvc32.exe

    Regards,

    Pieter
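As an added, read-only check (not part of this thread or of HijackThis), the script below re-audits the items Pieter lists above after the fix: the IE Start/Search values (R0/R1), the O4 Run entries pointing at regsvc32.exe, the O6 Control Panel policy key, and whether the file itself is still on disk. It assumes the standard registry locations HijackThis reads and uses $env:SystemRoot in place of the D:\WINDOWS path from the posted log; it changes nothing.

```powershell
# Added audit script (not from the thread). Read-only: reports whether the
# entries HijackThis flagged on this page are still present after the fix.
$HijackDomain  = 'hastalavista.com'   # domain from the posted log
$SuspectBinary = 'regsvc32.exe'       # file Pieter asked to delete from System32

$IeKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',       # R0/R1, per user
    'HKLM:\Software\Microsoft\Internet Explorer\Main',       # R0/R1, machine-wide
    'HKLM:\Software\Microsoft\Internet Explorer\Search',     # R0 SearchAssistant
    'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'   # R1 SearchURL (default)
)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # O4 HKLM\..\Run
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # O4 HKCU\..\Run
)

# Scan every string value under a key for a substring; PS* properties are
# PowerShell metadata (PSPath etc.), not registry values, so skip them.
function Find-RegistryValue {
    param([string[]]$Keys, [string]$Needle, [string]$Type)
    foreach ($Key in $Keys) {
        if (-not (Test-Path $Key)) { continue }
        $Item = Get-ItemProperty -Path $Key
        foreach ($Prop in $Item.PSObject.Properties) {
            if ($Prop.Name -like 'PS*') { continue }
            if ($Prop.Value -is [string] -and $Prop.Value -like "*$Needle*") {
                [pscustomobject]@{ Type = $Type; Key = $Key; Name = $Prop.Name; Value = $Prop.Value }
            }
        }
    }
}

$Findings = @()
$Findings += Find-RegistryValue -Keys $IeKeys  -Needle $HijackDomain  -Type 'IE setting'
$Findings += Find-RegistryValue -Keys $RunKeys -Needle $SuspectBinary -Type 'Run entry'

# O6: this policy key is what keeps the user from changing the home page back.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
if (Test-Path $PolicyKey) {
    $Findings += [pscustomobject]@{ Type = 'IE policy'; Key = $PolicyKey; Name = '(present)'; Value = '' }
}

# The binary launched by the two O4 entries: still on disk after the reboot?
$BinPath = Join-Path $env:SystemRoot "System32\$SuspectBinary"
if (Test-Path $BinPath) {
    $Findings += [pscustomobject]@{ Type = 'File'; Key = $BinPath; Name = 'exists'; Value = 'still present' }
}

if ($Findings.Count -eq 0) { 'No hijacker entries found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell after the reboot; if the IE values or the Run entries reappear, something still running is re-creating them, which is the situation the next posts deal with.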
     
  6. Jeremy

    Jeremy Guest

    Did all that. Thought it was gone. Just opened up IE and hastalavista.com came up again.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    In case you are running an O/S with System Restore, like XP for example, that figures. Disable System Restore and perform the actions once more. You can safely enable SR after doing so.

    Keep us posted ;)

    regards,

    paul
     