
Browser Hijack!!

Paul928 (join:2000-05-06, Haverhill, MA, Comcast)
Hoping someone here can help me, or lead me in the right direction. I had my browser hijacked, where I couldn't change my homepage. It was like some search engine hijack, and I don't remember the name of it, but I ran Spy Bot, and it detected the hijack files, and I got rid of them. I now have my homepage back normally, but I still can't use any search engines (Yahoo, Google). Every time I go to use the search engines I get "page can't be displayed". BTW this was using IE 6 and Windows XP Pro. I downloaded Mozilla, and tried using the search engines using that, with the same results. I think there has to be a system file or registry entry that is duped. I don't remember the name of the hijack, so that's my problem...I can't look for registry entries referring to it.....can anyone make any suggestions?

Nam Vet (Premium, join:2001-12-03, Allentown, PA)
Check your hosts file!!!!

RankAmateur (join:2001-07-03, Niagara Falls, NY)
reply to Paul928
»mjc1.com/mirror/hjt/ explains the "HiJackThis" program and gives a link to download it. Post the log from that program back here for more help.

John2g, Qui Tacet Consentit (Premium, join:2001-08-10, England)
reply to Paul928
I agree with Nam Vet. He only has to edit his Hosts file.

pieter arntz (join:2002-02-26, Netherlands)
reply to Paul928
Not quite. Since he is using XP, Windows will be looking in the wrong location for the Hosts file. Copy and paste the following into Notepad, name it restorehostspath.reg, doubleclick it and confirm that you want to merge it with the registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
-- Metallica rulez

Zupe (Premium, MVM, join:2001-11-29, New York, NY)
reply to Paul928
I think there are actually two variants of the search engine hijack seen in connection with the QHosts trojan. The first just modifies the standard Hosts file, so all that needs to be done is to remove the entries. The second, which is what pieter arntz is referring to, actually changes the path that Windows uses for the Hosts file, and then places a hijacking Hosts file in the C:\Windows\Help directory.
-- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 10:37:42]

pieter arntz (join:2002-02-26, Netherlands)
It was my understanding that Win9x computers were not vulnerable to the hosts location change, only NT-based ones were. Which might account for mistaking them for two different hijacks. But I could well be lagging in this regard.
-- Metallica rulez

Reverend Ike (Premium, join:2001-08-24, Sacramento, CA)
reply to Paul928
It wouldn't hurt to post the HijackThis log. There could be other more subtle parasites present, or some housecleaning needed. I think the assumption here is QHosts, but if it wasn't, it would be helpful to see what the various Search registry keys are pointing to. If a search option is hijacked to point at hijacksearchadware.com and that address is being blocked by the Hosts file (so the "cannot be displayed" screen would appear), the user wouldn't want to alter their Hosts file, but fix the registry keys instead...
[text was edited by author 2003-11-03 11:22:36]

Paul928 (join:2000-05-06, Haverhill, MA, Comcast)
reply to RankAmateur
Here is my log file from HijackThis...kind of a long one.
Logfile of HijackThis v1.97.3
Scan saved at 1:04:31 PM, on 11/3/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Music\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »rd.yahoo.com/customize/ymsgr/def···ahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = »www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.akadns.net
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 google.com
O1 - Hosts: 207.44.220.30 www.altavista.com
O1 - Hosts: 207.44.220.30 altavista.com
O1 - Hosts: 207.44.220.30 search.yahoo.com
O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
O1 - Hosts: 207.44.220.30 au.search.yahoo.com
O1 - Hosts: 207.44.220.30 de.search.yahoo.com
O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
O1 - Hosts: 207.44.220.30 www.lycos.de
O1 - Hosts: 207.44.220.30 www.lycos.ca
O1 - Hosts: 207.44.220.30 www.lycos.jp
O1 - Hosts: 207.44.220.30 www.lycos.co.jp
O1 - Hosts: 207.44.220.30 alltheweb.com
O1 - Hosts: 207.44.220.30 web.ask.com
O1 - Hosts: 207.44.220.30 ask.com
O1 - Hosts: 207.44.220.30 www.ask.com
O1 - Hosts: 207.44.220.30 www.teoma.com
O1 - Hosts: 207.44.220.30 search.aol.com
O1 - Hosts: 207.44.220.30 www.looksmart.com
O1 - Hosts: 207.44.220.30 auto.search.msn.com
O1 - Hosts: 207.44.220.30 search.msn.com
O1 - Hosts: 207.44.220.30 ca.search.msn.com
O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
O1 - Hosts: 207.44.220.30 search.fr.msn.be
O1 - Hosts: 207.44.220.30 search.fr.msn.ch
O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
O1 - Hosts: 207.44.220.30 search.msn.at
O1 - Hosts: 207.44.220.30 search.msn.be
O1 - Hosts: 207.44.220.30 search.msn.ch
O1 - Hosts: 207.44.220.30 search.msn.co.in
O1 - Hosts: 207.44.220.30 search.msn.co.jp
O1 - Hosts: 207.44.220.30 search.msn.co.kr
O1 - Hosts: 207.44.220.30 search.msn.com.br
O1 - Hosts: 207.44.220.30 search.msn.com.hk
O1 - Hosts: 207.44.220.30 search.msn.com.my
O1 - Hosts: 207.44.220.30 search.msn.com.sg
O1 - Hosts: 207.44.220.30 search.msn.com.tw
O1 - Hosts: 207.44.220.30 search.msn.co.za
O1 - Hosts: 207.44.220.30 search.msn.de
O1 - Hosts: 207.44.220.30 search.msn.dk
O1 - Hosts: 207.44.220.30 search.msn.es
O1 - Hosts: 207.44.220.30 search.msn.fi
O1 - Hosts: 207.44.220.30 search.msn.fr
O1 - Hosts: 207.44.220.30 search.msn.it
O1 - Hosts: 207.44.220.30 search.msn.nl
O1 - Hosts: 207.44.220.30 search.msn.no
O1 - Hosts: 207.44.220.30 search.msn.se
O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
O1 - Hosts: 207.44.220.30 search.yupimsn.com
O1 - Hosts: 207.44.220.30 uk.search.msn.com
O1 - Hosts: 207.44.220.30 search.lycos.com
O1 - Hosts: 207.44.220.30 www.lycos.com
O1 - Hosts: 207.44.220.30 www.google.ca
O1 - Hosts: 207.44.220.30 google.ca
O1 - Hosts: 207.44.220.30 www.google.uk
O1 - Hosts: 207.44.220.30 www.google.co.uk
O1 - Hosts: 207.44.220.30 www.google.com.au
O1 - Hosts: 207.44.220.30 www.google.co.jp
O1 - Hosts: 207.44.220.30 www.google.jp
O1 - Hosts: 207.44.220.30 www.google.at
O1 - Hosts: 207.44.220.30 www.google.be
O1 - Hosts: 207.44.220.30 www.google.ch
O1 - Hosts: 207.44.220.30 www.google.de
O1 - Hosts: 207.44.220.30 www.google.se
O1 - Hosts: 207.44.220.30 www.google.dk
O1 - Hosts: 207.44.220.30 www.google.fi
O1 - Hosts: 207.44.220.30 www.google.fr
O1 - Hosts: 207.44.220.30 www.google.com.gr
O1 - Hosts: 207.44.220.30 www.google.com.hk
O1 - Hosts: 207.44.220.30 www.google.ie
O1 - Hosts: 207.44.220.30 www.google.co.il
O1 - Hosts: 207.44.220.30 www.google.it
O1 - Hosts: 207.44.220.30 www.google.co.kr
O1 - Hosts: 207.44.220.30 www.google.com.mx
O1 - Hosts: 207.44.220.30 www.google.nl
O1 - Hosts: 207.44.220.30 www.google.co.nz
O1 - Hosts: 207.44.220.30 www.google.pl
O1 - Hosts: 207.44.220.30 www.google.pt
O1 - Hosts: 207.44.220.30 www.google.com.ru
O1 - Hosts: 207.44.220.30 www.google.com.sg
O1 - Hosts: 207.44.220.30 www.google.co.th
O1 - Hosts: 207.44.220.30 www.google.com.tr
O1 - Hosts: 207.44.220.30 www.google.com.tw
O1 - Hosts: 207.44.220.30 go.google.com
O1 - Hosts: 207.44.220.30 google.at
O1 - Hosts: 207.44.220.30 google.be
O1 - Hosts: 207.44.220.30 google.de
O1 - Hosts: 207.44.220.30 google.dk
O1 - Hosts: 207.44.220.30 google.fi
O1 - Hosts: 207.44.220.30 google.fr
O1 - Hosts: 207.44.220.30 google.com.hk
O1 - Hosts: 207.44.220.30 google.ie
O1 - Hosts: 207.44.220.30 google.co.il
O1 - Hosts: 207.44.220.30 google.it
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - »office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - »thesims.ea.com/teleport/hotdate/···eleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - »aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/254e0d9dc812f8d037···E601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - »thesims.ea.com/teleport/supersta···eleX.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »us.dl1.yimg.com/download.yahoo.c···mapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - »download.abacast.com/download/fi···etup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp

Paul928 (join:2000-05-06, Haverhill, MA)
Thanks for the help people. What I did was actually delete the whole host file, re-booted and everything was cool....thanks for all the help

Nam Vet (Premium, join:2001-12-03, Allentown, PA)
reply to Paul928
I am going to defer here to someone more knowledgeable, but look at your hosts file path (it's wrong), and all the URLs in the hosts file redirect you to 207.44.220.30, which is "ns1.sitething.net".
[text was edited by author 2003-11-03 13:25:36]

John2g, Qui Tacet Consentit (Premium, join:2001-08-10, England)
reply to Paul928
said by Paul928 :
Thanks for the help people. What I did was actually delete the whole host file, re-booted and everything was cool....thanks for all the help
It might pay you to read this: »securityresponse.symantec.com/av···sts.html
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.

Zupe (Premium, MVM, join:2001-11-29, New York, NY)
reply to Paul928
said by Paul928 :
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »tooncomics.com/main/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = »www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.akadns.net
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 google.com
O1 - Hosts: 207.44.220.30 www.altavista.com
O1 - Hosts: 207.44.220.30 altavista.com
O1 - Hosts: 207.44.220.30 search.yahoo.com
O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
O1 - Hosts: 207.44.220.30 au.search.yahoo.com
O1 - Hosts: 207.44.220.30 de.search.yahoo.com
O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
O1 - Hosts: 207.44.220.30 www.lycos.de
O1 - Hosts: 207.44.220.30 www.lycos.ca
O1 - Hosts: 207.44.220.30 www.lycos.jp
O1 - Hosts: 207.44.220.30 www.lycos.co.jp
O1 - Hosts: 207.44.220.30 alltheweb.com
O1 - Hosts: 207.44.220.30 web.ask.com
O1 - Hosts: 207.44.220.30 ask.com
O1 - Hosts: 207.44.220.30 www.ask.com
O1 - Hosts: 207.44.220.30 www.teoma.com
O1 - Hosts: 207.44.220.30 search.aol.com
O1 - Hosts: 207.44.220.30 www.looksmart.com
O1 - Hosts: 207.44.220.30 auto.search.msn.com
O1 - Hosts: 207.44.220.30 search.msn.com
O1 - Hosts: 207.44.220.30 ca.search.msn.com
O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
O1 - Hosts: 207.44.220.30 search.fr.msn.be
O1 - Hosts: 207.44.220.30 search.fr.msn.ch
O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
O1 - Hosts: 207.44.220.30 search.msn.at
O1 - Hosts: 207.44.220.30 search.msn.be
O1 - Hosts: 207.44.220.30 search.msn.ch
O1 - Hosts: 207.44.220.30 search.msn.co.in
O1 - Hosts: 207.44.220.30 search.msn.co.jp
O1 - Hosts: 207.44.220.30 search.msn.co.kr
O1 - Hosts: 207.44.220.30 search.msn.com.br
O1 - Hosts: 207.44.220.30 search.msn.com.hk
O1 - Hosts: 207.44.220.30 search.msn.com.my
O1 - Hosts: 207.44.220.30 search.msn.com.sg
O1 - Hosts: 207.44.220.30 search.msn.com.tw
O1 - Hosts: 207.44.220.30 search.msn.co.za
O1 - Hosts: 207.44.220.30 search.msn.de
O1 - Hosts: 207.44.220.30 search.msn.dk
O1 - Hosts: 207.44.220.30 search.msn.es
O1 - Hosts: 207.44.220.30 search.msn.fi
O1 - Hosts: 207.44.220.30 search.msn.fr
O1 - Hosts: 207.44.220.30 search.msn.it
O1 - Hosts: 207.44.220.30 search.msn.nl
O1 - Hosts: 207.44.220.30 search.msn.no
O1 - Hosts: 207.44.220.30 search.msn.se
O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
O1 - Hosts: 207.44.220.30 search.yupimsn.com
O1 - Hosts: 207.44.220.30 uk.search.msn.com
O1 - Hosts: 207.44.220.30 search.lycos.com
O1 - Hosts: 207.44.220.30 www.lycos.com
O1 - Hosts: 207.44.220.30 www.google.ca
O1 - Hosts: 207.44.220.30 google.ca
O1 - Hosts: 207.44.220.30 www.google.uk
O1 - Hosts: 207.44.220.30 www.google.co.uk
O1 - Hosts: 207.44.220.30 www.google.com.au
O1 - Hosts: 207.44.220.30 www.google.co.jp
O1 - Hosts: 207.44.220.30 www.google.jp
O1 - Hosts: 207.44.220.30 www.google.at
O1 - Hosts: 207.44.220.30 www.google.be
O1 - Hosts: 207.44.220.30 www.google.ch
O1 - Hosts: 207.44.220.30 www.google.de
O1 - Hosts: 207.44.220.30 www.google.se
O1 - Hosts: 207.44.220.30 www.google.dk
O1 - Hosts: 207.44.220.30 www.google.fi
O1 - Hosts: 207.44.220.30 www.google.fr
O1 - Hosts: 207.44.220.30 www.google.com.gr
O1 - Hosts: 207.44.220.30 www.google.com.hk
O1 - Hosts: 207.44.220.30 www.google.ie
O1 - Hosts: 207.44.220.30 www.google.co.il
O1 - Hosts: 207.44.220.30 www.google.it
O1 - Hosts: 207.44.220.30 www.google.co.kr
O1 - Hosts: 207.44.220.30 www.google.com.mx
O1 - Hosts: 207.44.220.30 www.google.nl
O1 - Hosts: 207.44.220.30 www.google.co.nz
O1 - Hosts: 207.44.220.30 www.google.pl
O1 - Hosts: 207.44.220.30 www.google.pt
O1 - Hosts: 207.44.220.30 www.google.com.ru
O1 - Hosts: 207.44.220.30 www.google.com.sg
O1 - Hosts: 207.44.220.30 www.google.co.th
O1 - Hosts: 207.44.220.30 www.google.com.tr
O1 - Hosts: 207.44.220.30 www.google.com.tw
O1 - Hosts: 207.44.220.30 go.google.com
O1 - Hosts: 207.44.220.30 google.at
O1 - Hosts: 207.44.220.30 google.be
O1 - Hosts: 207.44.220.30 google.de
O1 - Hosts: 207.44.220.30 google.dk
O1 - Hosts: 207.44.220.30 google.fi
O1 - Hosts: 207.44.220.30 google.fr
O1 - Hosts: 207.44.220.30 google.com.hk
O1 - Hosts: 207.44.220.30 google.ie
O1 - Hosts: 207.44.220.30 google.co.il
O1 - Hosts: 207.44.220.30 google.it
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
You've got a whole bunch of spyware here, including CoolWebSearch, the QHosts trojan, and a newer one called seek-seek. This will take a few steps to get rid of:
1) Download and run CWShredder from here: »www.spywareinfo.com/~merijn/cwsc···les.html (Direct Download: »www.spywareinfo.com/~merijn/file···dder.zip )
2) Download and run the QHosts removal tool from Symantec here: »securityresponse.symantec.com/av···ool.html (Direct Download: »www.symantec.com/avcenter/FixQhost.exe )
3) Go to the C:\Windows\Help directory and delete the file called "Hosts" there, then, as pieter arntz suggested above, copy and paste this into Notepad, save as restorehostspath.reg, doubleclick it and confirm that you want to merge it with the registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
4) Hit Ctrl-Alt-Del, highlight slmss.exe and hit "End Process". Do the same for mwsvm.exe.
5) With all browser windows closed, re-scan with HijackThis and put a check next to any of the items I listed above that still remain, then click "Fix Checked". Reboot, rescan with HijackThis and post your log again.
6) Wait for someone to look over your log. Assuming it's clean, you can then delete the following:
C:\WINDOWS\mwsvm.exe
C:\Program Files\Common Files\slmss\slmss.exe (possibly the whole slmss directory)
C:\WINDOWS\ieasst.dll
-- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 14:21:41]

Paul928 (join:2000-05-06, Haverhill, MA, Comcast)
reply to Paul928
Logfile of HijackThis v1.97.3
Scan saved at 3:32:55 PM, on 11/3/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\My Music\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »rd.yahoo.com/customize/ymsgr/def···ahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - »office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - »thesims.ea.com/teleport/hotdate/···eleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - »aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/254e0d9dc812f8d037···E601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - »thesims.ea.com/teleport/supersta···eleX.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »us.dl1.yimg.com/download.yahoo.c···mapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - »download.abacast.com/download/fi···etup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38

This is my latest scan after doing what I was advised...does it look okay now?....thanks

erictadeja (@cw.net)
Try downloading Ad-Aware 6, it really helps for getting rid of browser hijacks.

Zupe (Premium, MVM, join:2001-11-29, New York, NY)
reply to Paul928
said by Paul928 :
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
All of these should still be removed.
First, please re-run the Symantec QHosts removal tool, as to my knowledge it should get rid of those O17 entries.
Next, go to Start->Run and type
regsvr32 /u C:\WINDOWS\ieasst.dll
Then, in HijackThis, check off all of the above, hit "Fix Checked" and reboot, then rescan and post another log.
-- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 16:18:45]

Paul928 (join:2000-05-06, Haverhill, MA, Comcast)
Thanks for the help Zupe. I will run another scan on the system with the Symantec QHosts removal tool. When I did it the first time, it said that "there was no instance found of the Qhosts Trojan" or something to that effect. I'll try running it again tonight and see what happens. You said to delete the files in that list with the HijackThis tool, but one in particular that I know I need is
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
This is for a radio plug-in that I listen to, but the other entries that you recommended deleting seem okay I guess.....Thanks for the help, and I'll post again later when I get home......Thank You!!
[text was edited by author 2003-11-04 12:52:00]
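An added example for this thread, not code from any of the posters: it decodes the hex(2) DataBasePath value from the restorehostspath.reg fix that pieter arntz and Zupe posted, to confirm what it restores, and runs a small triage over constructed HijackThis-style lines drawn from Paul928's first log, flagging the three QHosts indicators the replies point at (the relocated hosts file, many search-engine names mapped to one IP, and the O17 NameServer entries). The function names and the threshold of five sinkholed search hosts are my own choices.

```python
import re

# Standard hosts directory that the .reg fix restores (REG_EXPAND_SZ, expanded at runtime).
STANDARD_HOSTS_DIR = r"%SystemRoot%\System32\drivers\etc"

# restorehostspath.reg as posted in the thread, embedded so the decoder runs offline.
RESTORE_HOSTS_PATH_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"""

# Constructed sample: a few of the O1/O17 lines quoted in the thread, not a full log.
SAMPLE_LOG = r"""
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 google.com
O1 - Hosts: 207.44.220.30 search.yahoo.com
O1 - Hosts: 207.44.220.30 search.msn.com
O1 - Hosts: 207.44.220.30 www.altavista.com
O1 - Hosts: 207.44.220.30 www.lycos.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
""".strip().splitlines()


def decode_reg_expand_sz(reg_text: str, value_name: str) -> str:
    """Decode a hex(2) value: comma-separated UTF-16LE bytes, wrapped with
    trailing backslashes by regedit and ended by a 00,00 terminator."""
    pattern = r'"' + re.escape(value_name) + r'"=hex\(2\):([0-9a-fA-F,\\\s]+)'
    m = re.search(pattern, reg_text)
    if not m:
        raise ValueError(f"{value_name} not found in .reg text")
    raw = re.sub(r"[\\\s]", "", m.group(1)).strip(",")  # drop line wraps and whitespace
    data = bytes(int(b, 16) for b in raw.split(","))
    return data.decode("utf-16-le").rstrip("\x00")


O1_PATH = re.compile(r"^O1 - Hosts file is located at: (.+)$")
O1_ENTRY = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O17_NS = re.compile(r"^O17 - (\S+): NameServer = (\S+)$")
# Search-engine name fragments that the hosts file in the thread's log sinkholes.
SEARCH_MARKERS = ("google.", "yahoo.", "msn.", "lycos.", "altavista.", "ask.com",
                  "alltheweb.com", "teoma.com", "looksmart.com", "aol.com")


def triage_hijackthis(lines, sink_threshold=5):
    """Return findings for the QHosts indicators discussed in the thread: a hosts
    file outside the standard drivers directory, one IP that many search-engine
    names resolve to, and O17 NameServer overrides."""
    findings = []
    hosts_by_ip = {}
    for line in lines:
        line = line.strip()
        m = O1_PATH.match(line)
        if m:
            path = m.group(1)
            if not path.lower().endswith(r"\system32\drivers\etc\hosts"):
                findings.append(f"hosts file path is non-standard: {path}")
            continue
        m = O1_ENTRY.match(line)
        if m:
            ip, host = m.groups()
            hosts_by_ip.setdefault(ip, []).append(host)
            continue
        m = O17_NS.match(line)
        if m:
            findings.append(f"DNS server override under {m.group(1)}: {m.group(2)}")
    for ip, hosts in hosts_by_ip.items():
        hits = [h for h in hosts if any(s in h for s in SEARCH_MARKERS)]
        if len(hits) >= sink_threshold:
            findings.append(f"{len(hits)} search-engine hosts sinkholed to {ip}")
    return findings


if __name__ == "__main__":
    path = decode_reg_expand_sz(RESTORE_HOSTS_PATH_REG, "DataBasePath")
    print("DataBasePath restores to:", path,
          "(standard)" if path.lower() == STANDARD_HOSTS_DIR.lower() else "(unexpected)")
    for finding in triage_hijackthis(SAMPLE_LOG):
        print("FINDING:", finding)
```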