Hijacking

Discussion in 'Computer Support' started by Bob Brister, May 22, 2004.

  1. Bob Brister

    Bob Brister Guest

    Somehow I have gotten a program that hijacks my home address and adds an
    icon on my desktop. The icon says "sexdial" and when I click on it I go to
    www.casinopalazzo.com. I have used Adaware and Spybot but still have the
    same problem. Oh yes, the thing automatically pops up every 20 minutes or so
    and opens a new browser window to the casinopalazzo. I have found the
    address, but I don't know how to delete it. The address is "C:\Program
    files\Internet Explorer\Iexplore.exe"http://www.casinopalazzo.com. I have
    Windows 98 SE. Any help will be greatly appreciated.

    Bob
     
    Bob Brister, May 22, 2004
    #1

  2. Are you running adwatch? That should prevent browser hijacks. Go to
    settings, and make sure 'block hijack attempts' is checked.
     
    Scott Freeman, May 22, 2004
    #2

  3. Bob Brister

    Richard Guest

    1) run msconfig and in the startup tab, uncheck the box for "sexdial" or the
    casino site or both.
    2) check the "ini" files for any entry and delete them.
    3) run regedit and search the registry for both items and delete all entries
    found.
    4) in the start button check the "startup" item and make sure nothing is
    referred to here. Delete if it is.
    5) In IE, go to internet options advanced tab. Uncheck "Enable install on
    demand".

    If you are on dialup, be sure to check your phone bill for any item that you
    know you did not create.
    "sexdial" is an autodialer and will call a specified number, probably a 900
    number, or overseas number, and you will unwittingly pay the bill.

    Spyware programs may not catch autodialers, as these change names as often
    as they are distributed.
     
    Richard, May 23, 2004
    #3
  4. Bob Brister

    zaax Guest

    > 1) run msconfig and in the startup tab, uncheck the box for "sexdial" or the
    > casino site or both.
    > 2) check the "ini" files for any entry and delete them.
    > 3) run regedit and search the registry for both items and delete all entries
    > found.
    > 4) in the start button check the "startup" item and make sure nothing is
    > referred to here. Delete if it is.
    > 5) In IE, go to internet options advanced tab. Uncheck "Enable install on
    > demand".
    >
    > If you are on dialup, be sure to check your phone bill for any item that you
    > know you did not create.
    > "sexdial" is an autodialer and will call a specified number, probably a 900
    > number, or overseas number, and you will unwittingly pay the bill.
    >
    > Spyware programs may not catch autodialers, as these change names as often
    > as they are distributed.

    If they are in your country prepare a bill / invoice for damages and
    send it to them, take them to court if they don't pay
     
    zaax, May 23, 2004
    #4
  5. Bob Brister

    Richard Guest

    zaax wrote:

    yeah, right. USA courts would not accept that as a legitimate case.
     
    Richard, May 23, 2004
    #5
  6. Bob Brister

    Bob Brister Guest

    I have done everything Richard said, but the problem is still there. The
    home page it goes to is www.easy-search.biz. When I try to delete or modify
    the registry to get rid of this address, it comes right back. I deleted
    every reference to easy-search but when I reran regedit and searched for it,
    there it was! I can find no reference to casino, sexdial or easy-search in
    the startup. I could remove IE6 and reinstall if that would help. Oh yes, I
    tried SpyBouncer, and it didn't find the problem either.

    Bob
     
    Bob Brister, May 23, 2004
    #6
  7. Bob Brister

    Boomer Guest

    Hi

    Download and install HijackThis
    http://tomcoyote.com/hjt/

    Then post your log over here:
    HijackThis forum/HijackThis Logs
    http://www.lavasoftsupport.com/index.php?act=idx

    Also could you please include some of the message you are responding
    to,
    in your reply?
    (Tools> Options> Send tab, tick the "Include message in Reply" box.)


    Thanks. :)
     
    Boomer, May 23, 2004
    #7
  8. Bob Brister

    zaax Guest

    So if someone smashed your car you could not sue them for damages?
     
    zaax, May 23, 2004
    #8
  9. Bob Brister

    °Mike° Guest

    Then you're either a fool, or very naive about usenet.
    Never, repeat never, take any notice of "advice" given
    by Richard (RtS) Bullis.


    <snip>
     
    °Mike°, May 23, 2004
    #9
  10. Bob Brister

    °Mike° Guest

    °Mike°, May 23, 2004
    #10
  11. Bob Brister

    Bob Brister Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 12:34:09 PM, on 5/23/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\STICKUPS\STICKUPS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\HIGHSTREAM TURBO\HSTURBO.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\WININET32.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = local
    F1 - win.ini: run=c:\stickups\stickups.exe
    O1 - Hosts: 69.50.170.20 www.google.com
    O1 - Hosts: 69.50.170.21 search.yahoo.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM
    FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL__SpybotSDDisabled (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO -
    {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
    FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL__SpybotSDDisabled (file
    missing)
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
    C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch
    Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
    /P23 "EPSON Stylus C84 Series" /O7 "EPUSB1:" /M "Stylus C84"
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
    deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Cosmi\HelpExpress\Robert
    Brister\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Cosmi\HelpExpress\Robert
    Brister\Client\HelpExp.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: HighStream Turbo.lnk = C:\Program Files\HighStream
    Turbo\HSTurbo.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program
    Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program
    Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: &Search -
    http://bar.mywebsearch.com/menusearch.html?p=ZNxdm800
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
    FILES\HIGHSTREAM TURBO\HSTURBO.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
    FILES\HIGHSTREAM TURBO\HSTURBO.EXE/250
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37976.3532407407
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    http://software-dl.real.com/18f0566e29b1011e4216/netzip/RdxIE601.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
    http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
    http://www.mt-download.com/MediaTicketsInstaller.cab

    These are the files found by Hijackthis. I still have the problem, of
    course.

    Bob
     
    Bob Brister, May 24, 2004
    #11
  12. Bob Brister

    docmill Guest

    I didn't refresh back far enough to see your question Bob,
    But you are hosed.
     
    docmill, May 24, 2004
    #12
  13. Bob Brister

    Bob Brister Guest

    So how do I get unhosed? Reformat the hard drive and reinstall all my
    software? I was hoping for an easier solution!

    Bob
     
    Bob Brister, May 24, 2004
    #13
  14. Bob Brister

    °Mike° Guest

    I'm not sure what the above is; if you don't know,
    terminate it and see my comments below [*****].

    The above program is spyware.

    The above is a password stealing trojan (PWSteal.AlLight)
    http://www.symantec.com/avcenter/venc/data/pwsteal.allight.html

    Have HijackThis fix ALL of the above. See comments below [+++++]

    [*****] See my comments about stickups above.
    Fix this if you don't know what it is, or didn't install it.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Password trojan; see comments above and have HijackThis fix
    the above.

    Hijack Trojan. See comments above [+++++]
    http://fr.trendmicro-europe.com/ent...tail.php?id=59220&VName=TROJ_AGENT.AD&VSect=T

    Shorter link for above:
    http://makeashorterlink.com/?F2BD12368

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Have HijackThis fix the above.

    Run a complete system antivirus scan with *at least* two
    online scanners, and update your normal scanner.

    Online Antivirus scanners:
    ================
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www3.ca.com/virusinfo/virusscan.aspx
    http://security.symantec.com/sscv6/default.asp
    http://www.pandasoftware.com/activescan/activescan.asp


    Download, update and use *all* of the following:

    Spybot Search & Destroy
    http://spybot.eon.net.au/
    http://www.safer-networking.org/
    http://spybot.safer-networking.de/
    SpyBot S&D guide
    http://www.chem.wisc.edu/~network/spybot/

    Ad-Aware
    http://www.lavasoftusa.com/
    http://www.lavasoft.nu/

    Spyware Blaster
    http://www.wilderssecurity.net/spywareblaster.html
    http://www.javacoolsoftware.com/spywareblaster.html
    http://www.net-integration.net/tools/spywareblaster.html

    CWShredder (CoolWebSearch remover)
    http://www.spywareinfo.com/~merijn/cwschronicles.html
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip
     
    °Mike°, May 25, 2004
    #14
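    A triage pass over the HijackThis log format shown in this thread, added here as an
    example (it is not code from anyone in the thread or from HijackThis itself). It flags
    the same kinds of entries Mike tells Bob to fix and that Richard's manual steps target:
    win.ini run= lines, registry Run autoruns, redirected start/search pages, a local proxy
    and hosts-file overrides. The allow-lists and the "unfamiliar exe in the Windows root"
    heuristic are assumptions, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied (unwrapped) from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
F1 - win.ini: run=c:\stickups\stickups.exe
O1 - Hosts: 69.50.170.20 www.google.com
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
"""
# Assumed allow-lists; an analyst tunes these to the machine being cleaned.
TRUSTED_PAGE_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
KNOWN_WINDIR_EXES = {"taskmon.exe", "explorer.exe", "rundll.exe"}
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
WINDIR_EXE_RE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$")  # heuristic, see lead-in

def triage(log_text):
    """Return (section, reason, raw_line) for each entry matching a hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):          # IE start/search pages and proxy settings
            key, _, value = body.partition(" = ")
            if "ProxyServer" in key and value.startswith("127.0.0.1"):
                findings.append((sec, "IE traffic routed through a local proxy", raw))
            elif value.startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in TRUSTED_PAGE_HOSTS:
                    findings.append((sec, f"IE page redirected to {host}", raw))
        elif sec == "F1" and re.search(r"\b(run|load)=", body):   # step 2: ini files
            findings.append((sec, "legacy win.ini autostart", raw))
        elif sec == "O1":                # hosts-file overrides of public names
            ip, _, name = body.split(":", 1)[1].strip().partition(" ")
            if not ip.startswith("127."):
                findings.append((sec, f"hosts file sends {name} to {ip}", raw))
        elif sec == "O4":                # steps 1, 3, 4: registry/Startup autoruns
            _, _, target = body.partition("]")   # Startup .lnk lines have no "]"
            exe = WINDIR_EXE_RE.match(target.strip().strip('"').lower())
            if exe and exe.group(1) not in KNOWN_WINDIR_EXES:
                findings.append((sec, "autorun of unfamiliar exe in the Windows root", raw))
    return findings

if __name__ == "__main__":
    for sec, reason, raw in triage(SAMPLE_LOG):
        print(f"{sec:3} {reason}: {raw}")
```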
  15. Bob Brister

    Bob Brister Guest

    Again, I did everything you said, then went to the web sites you recommended
    and finally, at last, my computer is cured. I'm not exactly sure which fix
    or deletion did the trick, but I am very grateful for your help. I
    appreciate all of you who took the time and trouble to give me advice. I
    have learned a lot from this newsgroup.

    Thanks!
     
    Bob Brister, May 25, 2004
    #15
  16. Bob Brister

    °Mike° Guest

    All of them, and you're welcome.


     
    °Mike°, May 25, 2004
    #16
  17. Bob Brister

    Stéphane Guest

    Hi,

    .... sorry for my English! I'm a French Canadian from Montreal in
    Quebec.

    I have the same problem! I tried -Spy Ferret- and -NoAdware-. The
    scans saw some things, but they ask you to register... 30$ US and more!

    If somebody finds the solution, contact me please.

    Thank you!

    Stéphane
     
    Stéphane, Jun 9, 2004
    #17