I've been attacked! Hastalavista, baby. Yea, I got it. Now what do I do about it? I've installed Spybot - Search and Destroy which claims to have eradicated the rogue. But my browser KEEPS REDIRECTING ME to hastalavista.com. This sucks!!! I change it - it changes back. Then some dumb casino place keeps popping up, too. I don't know what to do, but I wish this program really would say "Hastalavista" and get off my PC!!!!
Hi Jeremy, Could you post your HijackThis log? Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post. Don't fix anything yet. Most of what it finds is harmless. Regards, Pieter
Here's my list from Hijack This!

Logfile of HijackThis v1.96.0
Scan saved at 4:11:32 PM, on 8/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\cisvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\cyb2k.exe
D:\WINDOWS\System32\regsvc32.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
D:\Program Files\AWS\WeatherBug\Weather.exe
D:\Program Files\PopUp Killer 4 Free\puk4f.exe
D:\Program Files\Utilities\Print Now\printnow.exe
D:\Program Files\Utilities\Tray Minimizer\traymin.exe
D:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
D:\WINDOWS\System32\cidaemon.exe
D:\Documents and Settings\Jeremy Conrad\Local Settings\Temp\HijackThis.exe
D:\Program Files\SuccessW\SuccessWare Client.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hastalavista.com/2/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Waldron's Photography
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] D:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [C2K] D:\WINDOWS\cyb2k.exe
O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] D:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Terminate Popup] D:\Program Files\PopUp Killer 4 Free\puk4f.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Print Now.lnk = D:\Program Files\Utilities\Print Now\printnow.exe
O4 - Startup: TrayMin.lnk = D:\Program Files\Utilities\Tray Minimizer\traymin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} - http://a19.g.akamai.net/7/19/7125/1268/ftp.coupons.com/v6/brix6ie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBAA784-69D8-4893-9329-9643B1FA090D}: NameServer = 206.222.97.82,206.222.97.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB79B97D-619D-4D92-82CB-1ADB60EC2249}: NameServer = 206.222.97.82,206.222.97.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DBAA784-69D8-4893-9329-9643B1FA090D}: NameServer = 206.222.97.82,206.222.97.50
Hi Jeremy, Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hastalavista.com/2/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hastalavista.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hastalavista.com/ie/?q=%s
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.DLL__SpybotSDDisabled (file missing)
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot after doing so, preferably into safe mode and delete:

D:\WINDOWS\System32\regsvc32.exe

Regards, Pieter
In case you are running an O/S with System Restore, like XP for example, that figures. Disable System Restore and perform the actions once more. You can safely enable SR after doing so. Keep us posted. Regards, paul
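
A first-pass triage of a log like the one in this thread, as an added example that is not part of the original posts and is not HijackThis's own logic: it parses the entry lines and groups the ones worth reviewing first. The reason labels, the trusted-host list and the duplicate-autorun rule are assumptions made for this illustration; a flag means "review this entry", not "malicious".

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of the log posted in this thread, one entry per line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hastalavista.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hastalavista.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Waldron's Photography
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [C2K] D:\WINDOWS\cyb2k.exe
O4 - HKLM\..\Run: [MSRegSvc] D:\WINDOWS\System32\regsvc32.exe
O4 - HKLM\..\Run: [regsvc32] D:\WINDOWS\System32\regsvc32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")
RUN = re.compile(r"^(\S+\\Run): \[([^\]]+)\] (.+)$")
TRUSTED_HOSTS = ("microsoft.com", "msn.com")  # assumption: reviewer's own allowlist

def trusted(host):
    """True for an allowlisted domain or one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage(log):
    """Return {reason: [entries]} for the lines a reviewer should look at first."""
    flagged, run_targets = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if host and not trusted(host):  # IE page/search setting points off-site
                flagged["ie-setting-offsite"].append(body)
        elif section in ("O2", "O3") and body.endswith(("(file missing)", "(no file)")):
            flagged["orphaned-component"].append(body)
        elif section == "O4" and (m := RUN.match(body)):
            key, name, cmd = m.groups()
            run_targets[(key, cmd.lower())].append(name)
        elif section == "O6":  # IE options restricted by a policy key
            flagged["ie-options-locked"].append(body)
    for (key, cmd), names in run_targets.items():
        if len(names) > 1:  # one binary registered under several value names
            flagged["duplicate-autorun"].append(f"{key}: {cmd} <- {names}")
    return dict(flagged)
```

On the sample, the Window Title entry, the NAV Helper BHO and the single C2K autorun are left unflagged, which shows what these rules do not look at: an autorun registered only once needs a separate check of the file itself.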