Neophyte

Discussion in 'adware, spyware & hijack cleaning' started by MikeP_ski, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. MikeP_ski

    MikeP_ski Guest

    Hi. My name is Mike, and my toolbar got completely hijacked. I went to a kind of questionable area of the internet, and now I have a bunch of things on my computer that I would prefer not to have. I ran Ad-Aware, and it found a bunch of stuff that I got rid of, but there is still more. Here is what I got from hijack this:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:01:24 PM, on 4/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Mike\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://lolatgp.offhost.info/out.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pages.slc.edu/~eraymond/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://lolatgp.offhost.info/out.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://lolatgp.offhost.info/out.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://lolatgp.offhost.info/out.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lolatgp.offhost.info/out.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pages.slc.edu/~eraymond/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 69.61.33.183 thehun.com
    O1 - Hosts: 69.61.33.183 www.thehun.com
    O1 - Hosts: 69.61.33.183 thehun.net
    O1 - Hosts: 69.61.33.183 www.thehun.net
    O1 - Hosts: 69.61.33.183 www.yahoo.com
    O1 - Hosts: 69.61.33.183 yahoo.com
    O1 - Hosts: 69.61.33.183 www.google.com
    O1 - Hosts: 69.61.33.183 google.com
    O1 - Hosts: 69.61.33.183 www.altavista.com
    O1 - Hosts: 69.61.33.183 altavista.com
    O1 - Hosts: 69.61.33.183 search.microsoft.com
    O1 - Hosts: 69.61.33.183 search.msn.com
    O1 - Hosts: 69.61.33.183 www.msn.com
    O1 - Hosts: 69.61.33.183 msn.com
    O1 - Hosts: 69.61.33.183 www.search.com
    O1 - Hosts: 69.61.33.183 search.com
    O1 - Hosts: 69.61.33.183 www.teoma.com
    O1 - Hosts: 69.61.33.183 teoma.com
    O1 - Hosts: 69.61.33.183 www.alltheweb.com
    O1 - Hosts: 69.61.33.183 alltheweb.com
    O1 - Hosts: 69.61.33.183 www.wisenut.com
    O1 - Hosts: 69.61.33.183 wisenut.com
    O1 - Hosts: 69.61.33.183 www.dmoz.org
    O1 - Hosts: 69.61.33.183 dmoz.org
    O1 - Hosts: 69.61.33.183 www.excite.com
    O1 - Hosts: 69.61.33.183 excite.com
    O1 - Hosts: 69.61.33.183 www.lycos.com
    O1 - Hosts: 69.61.33.183 lycos.com
    O1 - Hosts: 69.61.33.183 www.hotbot.com
    O1 - Hosts: 69.61.33.183 hotbot.com
    O1 - Hosts: 69.61.33.183 www.casino.com
    O1 - Hosts: 69.61.33.183 casino.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: logon.bat
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs2beta2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {4E8C3231-1C78-412F-8F0F-056210BA5C14} (YVidCapture Class) - http://ybcontent.bcst.yahoo.com/yvidcap/ie/v1.0.0.4/YVidCapCtrl.cab
    O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) - http://www.famous3d.com/viewer/latest/axf3d.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    Anyway, it's a total bummer, and I haven't been able to use Google or anything. Could you help me out?
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi MikeP_ski,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://lolatgp.offhost.info/out.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://lolatgp.offhost.info/out.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://lolatgp.offhost.info/out.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://lolatgp.offhost.info/out.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lolatgp.offhost.info/out.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 69.61.33.183 <-- ALL of these entries.

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
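The two hijack patterns Kent's fix list targets (a block of O1 hosts-file entries that all point well-known search domains at one outside IP, and R0/R1 search settings rewritten to an unexpected URL) are easy to check for mechanically. The script below is an added example, not code from the thread or from the HijackThis project: it parses HijackThis-style log lines and flags both patterns. The IP 69.61.33.183 and the lolatgp.offhost.info URL in the sample are copied from Mike's log; the 127.0.0.1 line and the TRUSTED_SEARCH_HOSTS allowlist are constructed assumptions for the example.

```python
"""Flag hosts-file redirects and search-setting hijacks in a HijackThis log.

Added example for this thread; not HijackThis code. The sample log lines
mix values quoted from the posted log with constructed ones (see comments).
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domains a hosts-file entry should never silently redirect (assumed list).
SEARCH_DOMAINS = {"google.com", "yahoo.com", "msn.com", "search.msn.com",
                  "altavista.com", "lycos.com", "alltheweb.com"}
# Hosts that IE's search settings are allowed to point at (assumed allowlist;
# adjust to whatever your environment actually uses).
TRUSTED_SEARCH_HOSTS = {"search.msn.com", "auto.search.msn.com", "www.google.com"}

# Constructed sample: the R-lines and the 69.61.33.183 entries are quoted from
# the thread's first log; the 127.0.0.1 line is added to show loopback handling.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://lolatgp.offhost.info/out.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pages.slc.edu/~eraymond/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://lolatgp.offhost.info/out.php
O1 - Hosts: 69.61.33.183 www.google.com
O1 - Hosts: 69.61.33.183 google.com
O1 - Hosts: 69.61.33.183 www.yahoo.com
O1 - Hosts: 69.61.33.183 search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
"""

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<url>\S+)")


def parse_hijackthis(text):
    """Return ([(ip, hostname)], [(registry key + value name, url)])."""
    hosts, settings = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOSTS_LINE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = R_LINE.match(line)
        if m:
            settings.append((m.group("key") + "," + m.group("value"), m.group("url")))
    return hosts, settings


def base_domain(host):
    """Drop a leading 'www.' so www.google.com and google.com compare equal."""
    return host[4:] if host.startswith("www.") else host


def hosts_redirects(hosts, min_names=3):
    """Group O1 entries by target IP and flag IPs that capture search domains
    or an unusually large number of names. Loopback/unspecified targets are
    ordinary blocklist entries and are ignored."""
    by_ip = defaultdict(set)
    for ip, name in hosts:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[ip].add(name)
    flagged = {}
    for ip, names in by_ip.items():
        hits_search = any(base_domain(n) in SEARCH_DOMAINS for n in names)
        if hits_search or len(names) >= min_names:
            flagged[ip] = sorted(names)
    return flagged


def hijacked_search_settings(settings):
    """Flag R0/R1 search-related values whose URL host is not on the allowlist."""
    flagged = []
    for key, url in settings:
        if "search" not in key.lower():
            continue  # Start Page etc. are the user's own choice; not checked here
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_SEARCH_HOSTS:
            flagged.append((key, url))
    return flagged


if __name__ == "__main__":
    hosts, settings = parse_hijackthis(SAMPLE_LOG)
    for ip, names in hosts_redirects(hosts).items():
        print(f"hosts file redirects {len(names)} names to {ip}: {', '.join(names)}")
    for key, url in hijacked_search_settings(settings):
        print(f"search setting rewritten: {key} -> {url}")
```

Run against a real log, the hosts check reports every entry an attacker added for a given IP in one line, which is exactly the "ALL of these entries" instruction above; the search-setting check catches the R0/R1 rewrites even when the hijacker rotates the URL, because it keys on the allowlist rather than on a known-bad host.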
     
  3. MikeP_Ski

    MikeP_Ski Guest

    Hi. Thank you so much for your help. That appears to have fixed it. I am donating money right now.



    Logfile of HijackThis v1.97.7
    Scan saved at 2:10:45 PM, on 4/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Mike\Local Settings\Temp\Temporary Directory 4 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pages.slc.edu/~eraymond/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pages.slc.edu/~eraymond/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: logon.bat
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs2beta2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {4E8C3231-1C78-412F-8F0F-056210BA5C14} (YVidCapture Class) - http://ybcontent.bcst.yahoo.com/yvidcap/ie/v1.0.0.4/YVidCapCtrl.cab
    O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) - http://www.famous3d.com/viewer/latest/axf3d.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. MikeP_Ski

    MikeP_Ski Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    1
    Location:
    New York
    I can't find anywhere to give you guys money. What gives? Why do you offer this service for free? This is starting to freak me out...
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi MikeP_Ski,

    Your log is clean, so hopefully your problems are fixed.

    The owner of this forum has decided not to take donations and would rather everyone support some of the freeware software that different people provide to combat spyware.

    The following will give you some tools and info to help keep your system clean. All of these programs below are free and some accept donations to help fund their research. Check out these programs and if you like them and would like to make a donation to help, I would recommend donating to one of them.

    Some things you should read and check into:

    Some tips and links that will help you stay safe on-line can be found HERE.

    And here is a good read about how to be better protected: Click Me.

    To help keep your system clean, these are also freeware programs that we recommend:
    SpywareBlaster - will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
    SpywareGuard - provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
    IE-Spyad - will put a list of bad domains and sites into the Restricted Sites Zone of your IE browser. This will help protect IE and prevent those drive-by downloads, browser hijacking, ActiveX, Java, popups, cookies, etc., from compromising your computer while you surf.

    And of course, you should have a trusted spyware removal program (I recommend having them both as one may catch what the other may not, since they update at different times):
    Spybot Search&Destroy
    SpybotS&D Setup Tutorial.
    Ad-Aware
    Ad-Aware Setup Tutorial.
    Before scanning with either Ad-Aware or Spybot S&D, remember to bring them up-to-date first.

    Regards,
    Kent
     