New Member---Strange Problem

Discussion in 'adware, spyware & hijack cleaning' started by RIFLEMAN, Feb 1, 2004.

Thread Status:
Not open for further replies.
  1. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hello. I have been online for two years now and always thought I was buttoned up tight. I never got pop up ads and the like and never had a virus or trojan.
    A week ago I was looking for song lyrics and clicked a link on a seemingly innocent website and immediately my AV went nuts with downloader trojan alerts--I had to cut my online connection to stop the downloads.
    After days of searching and downloading many many removal programs--I still seem to have 1 problem that I cannot find the answer for.
    I run HijackThis and I am informed I have an O17---domain hijack. My firewall asks me if any new program I use can connect to this strange IP. I think it is piggybacking on Explorer or Winlogon. I can fix the problem with HijackThis--but as soon as I connect and surf--the problem is back.
    I have disabled system restore and finally reinstalled XP after removing some items from the registry and royally screwing my machine up.
    I hope someone can help me out as I am almost ready to let them have their way with my machine. I lost valuable files in the process and am royally upset. I will try to attach a HijackThis log but if unsuccessful will print it out. Thanks for your time and help.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi RIFLEMAN :)

    Welcome to Wilders.

    If u can manage to post your HJT log, one of the experts will be happy to look at it for u.




    snowbound
     
  3. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hi--when I try to attach my log--it tells me I cannot use that type of file? I saved the log to My Documents and it opens with Notepad--any ideas how to rig it to an acceptable file?
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Just copy the contents from notepad and paste it into your post.




    snowbound
     
  5. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Logfile of HijackThis v1.97.7
    Scan saved at 1:21:00 PM, on 01/02/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\CTFMON.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [CyberScurb] "C:\PROGRA~1\CYBERS~1\silent.exe" /R
    O4 - HKCU\..\RunOnce: [Eraser Clear XP] "C:\PROGRA~1\CYBERS~1\silent.exe" -XP
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E75997-EA11-48EF-8F86-A4D33B8AEF00}: NameServer = 207.236.176.27 206.47.244.42

    AHH----That's a lot easier--thanks a lot. My concern is O17?
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    That's one of the smallest logs i have ever seen. ;)

    Just be patient and one of the experts will be along to give u recommendations on your log.


    Thanks.


    snowbound
     
  7. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    I lost all my files and programs after an XP reinstall. I took something from the registry that screwed everything up badly. Lost over 5000 songs I had on there and am royally upset. Thanks for the help from a fellow Canadian. :mad:
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Ouch! :eek:

    Anytime, it's nice to see another Canadian member.



    snowbound
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi RIFLEMAN,

    Bell Canada BELLGLOBAL-2 (NET-207-236-0-0-1)
    207.236.0.0 - 207.236.255.255

    I get a DNS error trying to get information about the second IP address
    12 64.230.243.238 79.310 ms DNS error [AS577] Bell Backbone

    This entry is a bit strange:
    O4 - HKCU\..\RunOnce: [CyberScurb] "C:\PROGRA~1\CYBERS~1\silent.exe" /R

    Strange typo or something trying to mimic something trusted?

    Regards,

    Pieter
     
  10. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Thanks Pieter----the CyberScrub entry is a file wiping program I use. As for the IP--is it legitimate? It belongs to Firmbuy--and I cannot understand why EVERY program I install or use needs to connect to that IP. I suspect they get credit for my surfing to increase ad revenue? I can delete it with HijackThis--but it returns after I connect to the net and use my browser. o_O
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi RIFLEMAN,

    Those IP addresses are contacted to "translate" URL addresses into IP addresses, so it is only natural that they get contacted often.

    A better explanation and an alternative are presented here: http://accs-net.com/hosts/what_is_hosts.html

    Regards,

    Pieter
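Added example (not part of the thread, and not a tool any poster used): a small Python script that pulls the NameServer addresses out of the O17 lines of a HijackThis log and checks them against an allow-list of networks you expect your resolvers to come from. The allow-list here holds only the Bell Canada 207.236.0.0/16 block from Pieter's whois lookup plus the RFC 1918 192.168.0.0/16 range for a home router acting as resolver, so the thread's second address, 206.47.244.42, comes out as "unexpected", which here means "confirm with your ISP or a whois lookup", not "malicious". The sample log text is constructed: the first O17 line mirrors the one posted above, and the second O17 line, its all-zero GUID and its malformed token are invented to exercise the edge cases.

```python
import ipaddress
import re

# Constructed sample in HijackThis log format. The first O17 line copies the
# resolver addresses quoted in the thread; the second is invented (placeholder
# GUID, private-range resolver, one malformed token) to show the edge cases.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E75997-EA11-48EF-8F86-A4D33B8AEF00}: NameServer = 207.236.176.27 206.47.244.42
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1,not-an-ip
"""

# Networks your resolvers are allowed to live in. The /16 is the Bell Canada
# block from the whois lookup in the thread; 192.168.0.0/16 covers a home
# router that forwards DNS. Maintain this list for your own ISP (assumption).
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("207.236.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# O17 lines look like: O17 - <registry key>: NameServer = <ip> [<ip> ...]
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return (registry key, [resolver tokens]) for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple resolvers with spaces or commas.
        servers = [t for t in re.split(r"[\s,]+", m.group("servers")) if t]
        entries.append((m.group("key"), servers))
    return entries


def classify_resolver(token, trusted_nets=TRUSTED_RESOLVER_NETS):
    """'trusted' if inside an allowed network, 'invalid' if not an IP, else 'unexpected'."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "invalid"
    if any(ip in net for net in trusted_nets):
        return "trusted"
    return "unexpected"


def audit_log(log_text, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Map every resolver address found in O17 lines to its verdict."""
    report = {}
    for _key, servers in parse_o17(log_text):
        for token in servers:
            report[token] = classify_resolver(token, trusted_nets)
    return report


def unexpected_resolvers(log_text, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Sorted list of resolver tokens to verify with whois/your ISP before trusting."""
    return sorted(token for token, verdict in audit_log(log_text, trusted_nets).items()
                  if verdict != "trusted")


if __name__ == "__main__":
    for token, verdict in audit_log(SAMPLE_LOG).items():
        print(f"{token:20} {verdict}")
    print("needs verification:", unexpected_resolvers(SAMPLE_LOG))
```

The real question behind a hijacked O17 entry is whether the configured resolvers belong to your ISP or your own router; the script reduces that to a CIDR allow-list you keep yourself, and anything outside it (or unparseable) is listed for a whois check rather than judged on the spot.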
     