Hijacked by terra.es

Discussion in 'adware, spyware & hijack cleaning' started by holland76, May 28, 2004.

Thread Status:
Not open for further replies.
  1. holland76

    holland76 Registered Member

    Joined:
    May 28, 2004
    Posts:
    6
    Please help me:

    My browser is hijacked by www.terra.es/personal7/korona01/1.html
    It comes up in 2 screens that want me to go to a spyware search screen and buy pain killers.
    It has placed several unsavory items in my favorites and on my desktop that I cannot delete.

    I also have a note pad pop up that keeps coming up called asd.hta it reads:
    ed<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>
    <H1>Not Found</H1> The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it.

    I have run Spybot and CWShredder many times but no help
    I have run HijackThis and removed the items I felt comfortable removing, but the terra just comes right back

    Below is my latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:20:31 AM, on 5/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terra.es/personal7/korona01/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal7/korona01/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terra.es/personal7/korona01/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal7/korona01/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terra.es/personal7/korona01/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terra.es/personal7/korona01/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terra.es/personal7/korona01/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.terra.es/personal7/korona01/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.terra.es/personal7/korona01/search.html
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.conwaycorp.net/"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [SystemTray] systray.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.697650463
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000_cert1.dll
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab


    thanks for any help you can give me
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi holland76,


    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terra.es/personal7/korona01/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal7/korona01/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terra.es/personal7/korona01/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal7/korona01/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terra.es/personal7/korona01/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terra.es/personal7/korona01/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terra.es/personal7/korona01/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terra.es/personal7/korona01/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.terra.es/personal7/korona01/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.terra.es/personal7/korona01/search.html

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm

    O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000_cert1.dll
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot. If it did not help in HijackThis click Config > Misc Tools > Generate Startuplist and post the txt file that will produce.

    Regards,

    Pieter
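    The fix list above is built by reading the HijackThis log line by line and picking out the R0/R1 entries whose URL points at the hijacker's host, the O16 downloaded ActiveX controls whose codebase is not a known vendor, and the O4/O8 entries whose names the helper recognised. The script below is an added example of that triage logic and is not part of the thread or of HijackThis itself. The sample lines are a subset copied from the log in post 1; the hijacker host list, the trusted-vendor host list and the suspect-name list are assumptions made for the example (in practice the last two come from researching each entry, not from a fixed list).

```python
import re
from urllib.parse import urlparse

# Sample HijackThis lines (subset copied from the log posted in this thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terra.es/personal7/korona01/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal7/korona01/start.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.conwaycorp.net/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.697650463
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000_cert1.dll
"""

# Assumed lists for this example. BAD_HOSTS is the host named in the thread;
# TRUSTED_HOSTS and SUSPECT_NAMES stand in for the research a helper does per entry.
BAD_HOSTS = ["terra.es"]
TRUSTED_HOSTS = ["microsoft.com", "apple.com", "yahoo.com", "yimg.com", "macromedia.com"]
SUSPECT_NAMES = ["wcmdmgr", "blubster"]

# "R1 - <body>", "O16 - <body>", ...: a letter, a number, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Any http(s) URL in the body; stops at whitespace, quotes and closing parens.
URL_RE = re.compile(r"https?://[^\s\"')]+")


def parse_hjt(log_text):
    """Turn HijackThis log text into a list of {kind, body, urls} dicts."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        body = m.group("body")
        entries.append({"kind": m.group("kind"), "body": body,
                        "urls": URL_RE.findall(body)})
    return entries


def url_host(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one.
    A plain substring test would accept 'terra.es.example.com', so we anchor
    the match at a dot boundary instead."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_entries(entries, bad_hosts, trusted_hosts, suspect_names):
    """Return the entries a reviewer would tick in HijackThis:
    - R0/R1 (IE start/search pages) whose URL host is a known hijacker host
    - O16 (Downloaded Program Files) whose codebase host is not a trusted vendor
    - O4/O8 (autoruns, context-menu items) whose body names a suspect component
    """
    flagged = []
    for e in entries:
        kind, body, urls = e["kind"], e["body"], e["urls"]
        if kind in ("R0", "R1"):
            if any(host_matches(url_host(u), bad_hosts) for u in urls):
                flagged.append(e)
        elif kind == "O16":
            # An O16 line with no URL at all is also worth a look, so flag it too.
            if not urls or not all(host_matches(url_host(u), trusted_hosts) for u in urls):
                flagged.append(e)
        elif kind in ("O4", "O8"):
            if any(name in body.lower() for name in suspect_names):
                flagged.append(e)
    return flagged


def fix_list(log_text=SAMPLE_LOG):
    """Lines to paste back into a reply, in the log's own format."""
    entries = parse_hjt(log_text)
    return [f"{e['kind']} - {e['body']}"
            for e in flag_entries(entries, BAD_HOSTS, TRUSTED_HOSTS, SUSPECT_NAMES)]


if __name__ == "__main__":
    for line in fix_list():
        print(line)
```

    Run as a script it prints the two terra.es R-entries, the wcmdmgr O4 entry and the directplugin.com O16 entry, which is the same selection the reply above makes from the full log; the Netscape N1 line and the vendor-signed O16 entries are left alone. The domain matching is anchored at a dot boundary on purpose, since a bare substring check would match unrelated hosts that merely contain the hijacker's name.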
     
  3. holland76

    holland76 Registered Member

    Joined:
    May 28, 2004
    Posts:
    6
    Pieter

    Downloaded the new version of CWShredder.
    It asked if 'winfavorites.exe' was a random string; I said no.

    I was tempted to let CWS fix it but was warned to seek advice.
    Problems still persist; here is the log from HJT StartupList:


    StartupList report, 5/28/04, 7:25:35 AM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = systray.exe
    AtiCwd32 = Aticwd32.exe
    USBMonit.exe = "C:\WINDOWS\SYSTEM\USBMonit.exe"
    CriticalUpdate = c:\windows\SYSTEM\wucrtupd.exe -startup
    Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    (Default) =

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\hta_auto_file\shell\open\command

    (Default) = c:\windows\NOTEPAD.EXE "%1"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 27/5/2004, 17:3:48)

    NUL=c:\windows\TEMP\GLB1A2B.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    c:\windows\cwcdata\cwcdos.exe

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Windows Critical Update Notification.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.697650463

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\PROGRA~1\YAHOO!\MESSEN~1\YACSCOM.DLL
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    [WMService Class]
    InProcServer32 = C:\WINDOWS\WILDAPP.DLL
    CODEBASE = http://download.overpro.com/WildApp.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 4,781 bytes
    Report generated in 0.129 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hmm. Nothing in there either.

    Could you please download:
    http://www.zerosrealm.com/downloads/pv.zip

    Unzip the file and save it. Then double-click runme9x.bat and choose option 2, with exactly one Internet Explorer window open please.
    This will produce a txt file. Post the content.

    Under the post window you will find the Additional Options; please check "Disable smilies in text", or you will get an error when trying to post the log.

    Regards,

    Pieter
     
  5. holland76

    holland76 Registered Member

    Joined:
    May 28, 2004
    Posts:
    6
    Pieter
    It says 'bad command or file name' and opens an empty Notepad file.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Errrmm. I will have to ask the guy that wrote that file.
    I have no 98 computer around to test it.

    Hang in there. I saw him here a little while ago.

    Regards,

    Pieter
     
  7. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    It will say that if you don't unzip it first. You must unzip it so the whole extracted folder is on your desktop. Close WinZip, then go into the folder and run it.
     
  8. holland76

    holland76 Registered Member

    Joined:
    May 28, 2004
    Posts:
    6
    Guys, thanks so much for your help.
    I did unzip it and I clicked on the runme9x.bat icon on my desktop.
    I have downloaded it 2 times. Am not sure what I am doing wrong...
     
  9. holland76

    holland76 Registered Member

    Joined:
    May 28, 2004
    Posts:
    6
    Now it is saying 'no matching processes found'
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I think the files should all be in one folder. I could be wrong, but can you make a folder called pv on your desktop and put all the files in that folder.
    Then try again.

    Regards,

    Pieter
     
  11. holland76

    holland76 Registered Member

    Joined:
    May 28, 2004
    Posts:
    6
    I did that just before my last post.
    The folder is on my desktop and is called pv.
    It has these icons in it:
    appkey.reg
    IEFIX.reg
    prcview.htm
    pv.exe
    pv.txt
    RegSrch.vbs
    runme.BAT
    shadow.txt
    log.txt

    When I choose option 2 in runme9x.BAT it says "pv: no matching processes found" then gives me a blank Notepad window.
     
  12. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Make sure you have one internet explorer window open. Otherwise you will get that message. You need to have internet explorer open to generate the log.
     