http://1-2-3-4-5-6-7-8-9-8-7-6-5-4-3-2-1.sexocean.biz/bonus.htm

Discussion in 'adware, spyware & hijack cleaning' started by clarkm72, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. clarkm72

    clarkm72 Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    o_O Every time I click on a link I am forwarded to the following page: http://1-2-3-4-5-6-7-8-9-8-7-6-5-4-3-2-1.sexocean.biz/bonus.htm. It is driving me crazy. I have adware and stopzilla on my computer along with norton. I have read several threads and downloaded and run startchmfix and host file reader.

    Result from startchmfix:
    The bad files found are:

    

    Here is the log page from Hijackthis.
    Logfile of HijackThis v1.97.7
    Scan saved at 1:39:31 PM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\services\winlogon.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\David Kassoff\Application Data\acao.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\David Kassoff\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\winlogon.exe
    O1 - Hosts: Usage Information:
    O1 - Hosts: Save Changes - Save any changes you make to hosts file
    O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
    O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
    O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
    O1 - Hosts: _________________________________________________________________
    O1 - Hosts: By Option^Explicit, techcd@shaw.ca
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll",Load
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\winlogon.exe

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\bridge.dll",Load
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe

    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Reboot, and delete

    files
    C:\WINDOWS\System32\services\winlogon.exe

    folders
    C:\WINDOWS\Downloaded Program Files\CONFLICT.19

    These may be hidden files. See HERE for how to show hidden files.
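
An added example, not part of the thread and not HijackThis's own logic: a small triage script applying two heuristics to lines excerpted from the log above, flagging registrations that point at "(no file)" and executables that reuse a core Windows process name outside its usual directory. The names `EXPECTED_DIR`, `PATH_RE` and `triage` are hypothetical, and the expected directories assume a default Windows XP install under C:\WINDOWS.

```python
import re
from pathlib import PureWindowsPath

# Usual homes of core Windows processes (assumption: default C:\WINDOWS install).
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Sample input: lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\services\winlogon.exe
F1 - win.ini: run=C:\WINDOWS\System32\services\winlogon.exe
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\winlogon.exe
"""

# A drive-rooted path ending in .exe/.dll, optionally quoted or followed by arguments.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)(?=$|["\s,])', re.IGNORECASE)

def triage(log_text):
    """Return sorted (reason, line) pairs for log entries worth a closer look."""
    findings = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Registry entry whose target file no longer exists on disk.
        if line.endswith("(no file)"):
            findings.add(("orphaned registration", line))
        # Trusted process name, compared case-insensitively against its usual folder.
        for match in PATH_RE.finditer(line):
            path = PureWindowsPath(match.group(0))
            expected = EXPECTED_DIR.get(path.name.lower())
            if expected and str(path.parent).lower() != expected:
                findings.add(("system name in unexpected directory", line))
    return sorted(findings)

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```
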
     
  3. clarkm72

    clarkm72 Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    I have done what you suggested. Which was having Hijackthis fix all items in log report. However, my system does not have the following files to delete. And yes, I do have Explorer set to display hidden files.

    files
    C:\WINDOWS\System32\services\winlogon.exe

    folders
    C:\WINDOWS\Downloaded Program Files\CONFLICT.19

    I am still having problems. When I click on something I am forwarded to the link in the subject line.

    Please let me know what else I can do?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and post a new HijackThis log.

    Regards,

    Pieter
     