Velocity Reviews - Computer Hardware Reviews

Hijacking

 
 
Bob Brister
Guest
Posts: n/a
 
      05-24-2004
Logfile of HijackThis v1.97.7
Scan saved at 12:34:09 PM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\STICKUPS\STICKUPS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIGHSTREAM TURBO\HSTURBO.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = local
F1 - win.ini: run=c:\stickups\stickups.exe
O1 - Hosts: 69.50.170.20 www.google.com
O1 - Hosts: 69.50.170.21 search.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM
FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL__SpybotSDDisabled (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO -
{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL__SpybotSDDisabled (file
missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch
Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
/P23 "EPSON Stylus C84 Series" /O7 "EPUSB1:" /M "Stylus C84"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Cosmi\HelpExpress\Robert
Brister\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Cosmi\HelpExpress\Robert
Brister\Client\HelpExp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: HighStream Turbo.lnk = C:\Program Files\HighStream
Turbo\HSTurbo.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZNxdm800
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
FILES\HIGHSTREAM TURBO\HSTURBO.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
FILES\HIGHSTREAM TURBO\HSTURBO.EXE/250
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.co...976.3532407407
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/18f0566e...p/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
http://www.mt-download.com/MediaTicketsInstaller.cab

These are the files found by Hijackthis. I still have the problem, of
course.

Bob


 
 
 
 
 
docmill
Guest
Posts: n/a
 
      05-24-2004
"Bob Brister" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> Logfile of HijackThis v1.97.7
> Scan saved at 12:34:09 PM, on 5/23/04
> Platform: Windows 98 SE (Win9x 4.10.2222A)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>

I didn't refresh back far enough to see your question, Bob,
but you are hosed.

--
+++++++++++ SEND ME A LINK +++++++++++
docmill's Home Of HotLinks In The Frying SPAM
 
 
 
 
 
Bob Brister
Guest
Posts: n/a
 
      05-24-2004
So how do I get unhosed? Reformat the hard drive and reinstall all my
software? I was hoping for an easier solution!

Bob


 
 
°Mike°
Guest
Posts: n/a
 
      05-25-2004
On Sun, 23 May 2004 20:38:47 -0500, in
<(E-Mail Removed)>
Bob Brister scrawled:

>Logfile of HijackThis v1.97.7
>Scan saved at 12:34:09 PM, on 5/23/04
>Platform: Windows 98 SE (Win9x 4.10.2222A)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:
>C:\STICKUPS\STICKUPS.EXE


I'm not sure what the above is; if you don't know,
terminate it and see my comments below [*****].


>C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE


The above program is spyware.


>C:\WINDOWS\RUNWIN32.EXE


The above is a password stealing trojan (PWSteal.AlLight)
http://www.symantec.com/avcenter/ven...l.allight.html


>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>http://easy-search.biz
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
>http://easy-search.biz
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
>http://easy-search.biz
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
>http://easy-search.biz
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
>http://easy-search.biz
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
>http://easy-search.biz
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
>http://easy-search.biz
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
>http://easy-search.biz
>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
>http://easy-search.biz
>R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>Settings,ProxyServer = 127.0.0.1:8080
>R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>Settings,ProxyOverride = local


Have HijackThis fix ALL of the above. See comments below [+++++]


>F1 - win.ini: run=c:\stickups\stickups.exe


[*****] See my comments about stickups above.
Fix this if you don't know what it is, or didn't install it.


>O1 - Hosts: 69.50.170.20 www.google.com
>O1 - Hosts: 69.50.170.21 search.yahoo.com


Have HijackThis fix the above.


>O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM
>FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL__SpybotSDDisabled (file missing)


Have HijackThis fix the above.


>O2 - BHO: MyWebSearch Search Assistant BHO -
>{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
>FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL__SpybotSDDisabled (file
>missing)


Have HijackThis fix the above.


>O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
>C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL (file missing)


Have HijackThis fix the above.


>O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1


Spyware.


>O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe


Password trojan; see comments above and have HijackThis fix
the above.


>O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe


Hijack Trojan. See comments above [+++++]
http://fr.trendmicro-europe.com/ente...ENT.AD&VSect=T

Shorter link for above:
http://makeashorterlink.com/?F2BD12368


>O8 - Extra context menu item: &Search -
>http://bar.mywebsearch.com/menusearch.html?p=ZNxdm800


Have HijackThis fix the above.


>O9 - Extra button: WeatherBug (HKCU)


Spyware.

>O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
>http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab


Have HijackThis fix the above.


>O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
>http://www.mt-download.com/MediaTicketsInstaller.cab


Have HijackThis fix the above.


>These are the files found by Hijackthis. I still have the problem, of
>course.


Run a complete system antivirus scan with *at least* two
online scanners, and update your normal scanner.

Online Antivirus scanners:
================
http://housecall.trendmicro.com/hous...start_corp.asp
http://www3.ca.com/virusinfo/virusscan.aspx
http://security.symantec.com/sscv6/default.asp
http://www.pandasoftware.com/activescan/activescan.asp


Download, update and use *all* of the following:

Spybot Search & Destroy
http://spybot.eon.net.au/
http://www.safer-networking.org/
http://spybot.safer-networking.de/
SpyBot S&D guide
http://www.chem.wisc.edu/~network/spybot/

Ad-Aware
http://www.lavasoftusa.com/
http://www.lavasoft.nu/

Spyware Blaster
http://www.wilderssecurity.net/spywareblaster.html
http://www.javacoolsoftware.com/spywareblaster.html
http://www.net-integration.net/tools...reblaster.html

CWShredder (CoolWebSearch remover)
http://www.spywareinfo.com/~merijn/cwschronicles.html
http://www.spywareinfo.com/~merijn/files/cwshredder.zip


--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html
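
The triage walked through in the reply above, as an added example that is not part of the original thread: it rejoins the wrapped lines of a HijackThis log and lists the entry kinds the reply asks to have fixed (hosts-file redirects, IE page and proxy settings, components whose file is missing). The function names are this example's own, and the sample is constructed from entries in the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the log above, still wrapped the way
# the newsreader delivered them.
SAMPLE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: 69.50.170.20 www.google.com
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R0 - ...", "O16 - ..."

def parse_entries(text):
    """Return (code, body) pairs, rejoining wrapped continuation lines."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate quoted ">" replies
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            open_entry = True
        elif line and open_entry:
            entries[-1][1] += " " + line      # continuation of previous entry
        else:
            open_entry = False                # blank line ends the entry
    return [tuple(e) for e in entries]

def triage(entries):
    """Flag the entry kinds the reply above singles out; the analyst decides."""
    findings = []
    for code, body in entries:
        if code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and not parts[0].startswith("127."):
                findings.append((code, f"hosts file sends {parts[1]} to {parts[0]}"))
        elif code in ("R0", "R1") and "ProxyServer" in body:
            findings.append((code, "IE proxy set to " + body.split("=")[-1].strip()))
        elif code in ("R0", "R1") and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host:
                findings.append((code, f"IE page setting points at {host}"))
        elif "(file missing)" in body:
            findings.append((code, "registered component whose file is missing"))
    return findings

if __name__ == "__main__":
    for code, note in triage(parse_entries(SAMPLE)):
        print(code, note)
```
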
 
 
Bob Brister
Guest
Posts: n/a
 
      05-25-2004
Again, I did everything you said, then went to the web sites you recommended
and finally, at last, my computer is cured. I'm not exactly sure which fix
or deletion did the trick, but I am very grateful for your help. I
appreciate all of you who took the time and trouble to give me advice. I
have learned a lot from this newsgroup.

Thanks!


--
Bob


 
 
°Mike°
Guest
Posts: n/a
 
      05-25-2004
All of them, and you're welcome.


On Tue, 25 May 2004 16:01:07 -0500, in
<(E-Mail Removed)>
Bob Brister scrawled:

>Again, I did everything you said, then went to the web sites you recommended
>and finally, at last, my computer is cured. I'm not exactly sure which fix
>or deletion did the trick, but I am very grateful for your help. I
>appreciate all of you who took the time and trouble to give me advice. I
>have learned a lot from this newsgroup.
>
>Thanks!


--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html
 
 
Stéphane
Guest
Posts: n/a
 
      06-09-2004
"Bob Brister" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> I have done everything Richard said, but the problem is still there. The
> home page it goes to is www.easy-search.biz. When I try to delete or modify
> the registry to get rid of this address, it comes right back. I deleted
> every reference to easy-search but when I reran regedit and searched for it,
> there it was! I can find no reference to casino, sexdial or easy-search in
> the startup. I could remove IE6 and reinstall if that would help. Oh yes, I
> tried SpyBouncer, and it didn't find the problem either.
>
> Bob


Hi,

.... Sorry for my English! I'm a French Canadian from Montreal in
Quebec.

I have the same problem! I tried -Spy Ferret- and -NoAdware-. The
scans saw some things, but they ask to register... 30$ US and more!

If somebody finds the solution, please contact me.

Thank you!

Stéphane
 