New Member---Strange Problem

Discussion in 'adware, spyware & hijack cleaning' started by RIFLEMAN, Feb 1, 2004.

Thread Status:
Not open for further replies.
  1. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hello. I have been online for two years now and always thought I was buttoned up tight. I never got pop-up ads and the like and never had a virus or trojan.
    A week ago I was looking for song lyrics and clicked a link on a seemingly innocent website and immediately my AV went nuts with downloader trojan alerts--I had to cut my online connection to stop the downloads.
    After days of searching and downloading many, many removal programs--I still seem to have 1 problem that I cannot find the answer for.
    I run HijackThis and I am informed I have an O17---domain hijack. My firewall asks me if any new program I use can connect to this strange IP. I think it is piggybacking on Explorer or Winlogon. I can fix the problem with HijackThis--but as soon as I connect and surf--the problem is back.
    I have disabled system restore and finally reinstalled XP after removing some items from the registry and royally screwing my machine up.
    I hope someone can help me out as I am almost ready to let them have their way with my machine. I lost valuable files in the process and am royally upset. I will try to attach a HijackThis log but if unsuccessful will print it out. Thanks for your time and help.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi RIFLEMAN :)

    Welcome to Wilders.

    If u can manage to post your HJT log, one of the experts will be happy to look at it for u.




    snowbound
     
  3. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hi--when I try to attach my log--it tells me I cannot use that type of file? I saved the log to My Documents and it opens with Notepad--any ideas how to rig it to an acceptable file?
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Just copy the contents from notepad and paste it into your post.




    snowbound
     
  5. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Logfile of HijackThis v1.97.7
    Scan saved at 1:21:00 PM, on 01/02/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\CTFMON.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [CyberScurb] "C:\PROGRA~1\CYBERS~1\silent.exe" /R
    O4 - HKCU\..\RunOnce: [Eraser Clear XP] "C:\PROGRA~1\CYBERS~1\silent.exe" -XP
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E75997-EA11-48EF-8F86-A4D33B8AEF00}: NameServer = 207.236.176.27 206.47.244.42

    AHH----That's a lot easier--thanks a lot. My concern is O17?
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    That's one of the smallest logs I have ever seen. ;)

    Just be patient and one of the experts will be along to give u recommendations on your log.


    Thanks.


    snowbound
     
  7. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    I lost all my files and programs after an XP reinstall. I took something from the registry that screwed everything up badly. Lost over 5000 songs I had on there and am royally upset. Thanks for the help from a fellow Canadian. :mad:
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Ouch! :eek:

    Anytime, it's nice to see another Canadian member.



    snowbound
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi RIFLEMAN,

    Bell Canada BELLGLOBAL-2 (NET-207-236-0-0-1)
    207.236.0.0 - 207.236.255.255

    I get a DNS error trying to get information about the second IP address
    12 64.230.243.238 79.310 ms DNS error [AS577] Bell Backbone

    This entry is a bit strange:
    O4 - HKCU\..\RunOnce: [CyberScurb] "C:\PROGRA~1\CYBERS~1\silent.exe" /R

    Strange typo, or something trying to mimic something trusted?

    Regards,

    Pieter
     
  10. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Thanks Pieter----the CyberScrub entry is a file wiping program I use. As for the IP--is it legitimate? It belongs to Firmbuy--and I cannot understand why EVERY program I install or use needs to connect to that IP. I suspect they get credit for my surfing to increase ad revenue? I can delete it with HijackThis--but it returns after I connect to the net and use my browser. o_O
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi RIFLEMAN,

    Those IP addresses are contacted to "translate" URL addresses into IP addresses, so it is only natural that they get contacted often.

    A better explanation and an alternative are presented here: http://accs-net.com/hosts/what_is_hosts.html

    Regards,

    Pieter
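Pieter's last answer is the key point for RIFLEMAN's question: the O17 entry is the adapter's DNS resolver list, so every program that looks up a hostname contacts those addresses, and the triage question is whether they belong to the ISP. Below is an added example, not code from the thread or from HijackThis, that pulls the O17 NameServer lines out of a log (the line posted above is reused as constructed sample input, together with one made-up adapter whose resolver is a LAN router) and labels each address against a list of expected ranges. The only range used is the Bell Canada block Pieter quoted; any other CIDR you put in that list is your own assumption, to be replaced with the resolver addresses your ISP publishes. A "verify" label is not a verdict, it only says the address has not been vetted yet.

```python
import ipaddress
import re

# Constructed sample: the O17 line from RIFLEMAN's HijackThis log above, plus one
# made-up adapter (all-zero GUID) whose resolver is a home router on the LAN.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7E75997-EA11-48EF-8F86-A4D33B8AEF00}: NameServer = 207.236.176.27 206.47.244.42
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Networks the machine's resolvers are expected to live in. The Bell Canada block
# 207.236.0.0 - 207.236.255.255 is the whois result quoted in the thread; a real
# check would use the ranges published by your own ISP (an assumption to fill in).
EXPECTED_RESOLVER_NETS = ["207.236.0.0/16"]

O17_RE = re.compile(
    r"^O17 - (?P<key>.+?)\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$"
)


def parse_o17_nameservers(log_text):
    """Return [(interface_guid, [ip, ...]), ...] for every O17 NameServer line.

    HijackThis prints the resolver list space-separated; the registry value itself
    is usually comma-separated, so both separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # other HJT sections (R0, O4, ...) and O17 Domain/SearchList lines
        servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
        entries.append((m.group("guid"), servers))
    return entries


def classify_nameserver(ip_text, expected_nets):
    """Label one resolver address: expected / local / verify / invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"  # garbage in the registry value is itself worth a look
    if ip.is_private or ip.is_loopback:
        return "local"  # LAN router or a local resolver; normal on home networks
    if any(ip in net for net in expected_nets):
        return "expected"
    return "verify"  # public address outside the vetted ranges: confirm with the ISP


def triage(log_text, expected_cidrs=EXPECTED_RESOLVER_NETS):
    """Parse the log and label every configured resolver on every adapter."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    findings = []
    for guid, servers in parse_o17_nameservers(log_text):
        for server in servers:
            findings.append({
                "interface": guid,
                "nameserver": server,
                "status": classify_nameserver(server, nets),
            })
    return findings


def interfaces_needing_review(findings):
    """GUIDs of adapters whose resolver list contains at least one unvetted address."""
    return sorted({f["interface"] for f in findings if f["status"] in ("verify", "invalid")})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['status']:9} {f['nameserver']:16} adapter {f['interface']}")
    print("adapters to review:", interfaces_needing_review(results))
```

Run against the sample, 207.236.176.27 comes back "expected" (it sits in the Bell block), 206.47.244.42 comes back "verify" because the thread never established which range it belongs to, and the constructed 192.168.1.1 is "local". The adapter GUID in the finding is what you would use to look up the matching key under Tcpip\Parameters\Interfaces if an entry keeps coming back after removal, as RIFLEMAN describes.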
     