http://1-2-3-4-5-6-7-8-9-8-7-6-5-4-3-2-1.sexocean.biz/bonus.htm

Discussion in 'adware, spyware & hijack cleaning' started by clarkm72, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. clarkm72

    clarkm72 Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    o_O Every time I click on a link I am forwarded to the following page: http://1-2-3-4-5-6-7-8-9-8-7-6-5-4-3-2-1.sexocean.biz/bonus.htm. It is driving me crazy. I have adware and stopzilla on my computer along with norton. I have read several threads and downloaded and run startchmfix and host file reader

    Result from startchmfix:
    The bad files found are:

    

    Here is the log page from Hijackthis.
    Logfile of HijackThis v1.97.7
    Scan saved at 1:39:31 PM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\services\winlogon.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\David Kassoff\Application Data\acao.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\David Kassoff\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\winlogon.exe
    O1 - Hosts: Usage Information:
    O1 - Hosts: Save Changes - Save any changes you make to hosts file
    O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
    O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
    O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: By Option^Explicit, techcd@shaw.ca
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll",Load
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\winlogon.exe

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll",Load
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe

    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Reboot, and delete

    files
    C:\WINDOWS\System32\services\winlogon.exe

    folders
    C:\WINDOWS\Downloaded Program Files\CONFLICT.19

    These may be hidden files. See HERE for how to show hidden files.
     
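A triage sketch for logs like the one posted above, added here as an illustration; it is not part of the thread and not HijackThis code. It flags three patterns visible in that log: a core Windows process name running from a directory other than system32, a BHO registered with no file, and a Run entry loading from Downloaded Program Files (the IE ActiveX cache). The list of core names and the rule wording are assumptions.

```python
import re
from ntpath import basename, dirname, normcase

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\services\winlogon.exe
C:\WINDOWS\system32\svchost.exe
F1 - win.ini: run=C:\WINDOWS\System32\services\winlogon.exe
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll",Load
"""

SYSTEM_DIR = normcase(r"C:\WINDOWS\system32")
# Assumption: a short list of core process names that belong only in system32.
CORE_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "smss.exe", "svchost.exe"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - ..."
PATH = re.compile(r"[A-Za-z]:\\[^\"*?<>|]+?\.(?:exe|dll)\b", re.I)


def triage(log_text):
    """Return (reason, line) findings for one HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY.match(line)
        # Lines without a section code are treated as running-process paths.
        code, body = (m.group(1), m.group(2)) if m else ("PROC", line)
        p = PATH.search(body)
        path = p.group(0) if p else ""
        name = basename(path).lower()
        if name in CORE_NAMES and normcase(dirname(path)) != SYSTEM_DIR:
            findings.append(("core process name outside system32", line))
        elif code == "F1":
            findings.append(("win.ini run= autostart", line))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(("BHO registered without a file", line))
        elif code == "O4" and "downloaded program files" in body.lower():
            findings.append(("Run key loads from ActiveX cache", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```
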
  3. clarkm72

    clarkm72 Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    I have done what you suggested, which was having Hijackthis fix all items in the log report. However, my system does not have the following files to delete. And yes, I do have Explorer set to display hidden files.

    files
    C:\WINDOWS\System32\services\winlogon.exe

    folders
    C:\WINDOWS\Downloaded Program Files\CONFLICT.19

    I am still having problems. When I click on something I am forwarded to the link in the subject line.

    Please let me know what else I can do?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and post a new HijackThis log.

    Regards,

    Pieter
     