Boopig
asked on
PEDO sites browser hijack
IE has been hijacked with a yellow page with the words "You are visiting PEDO sites." When you close that, another window opens, blocking out the task bar and without window controls, and it contains the word "ADELPHIA".
The following has been done, but without positive results:
- manually changed home page to www.amazon.com
- ran Webroot's SpySweeper
- ran Spybot's Search and Destroy
- ran HijackThis with the following results:
Logfile of HijackThis v1.97.7
Scan saved at 8:39:03 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Expertcity\GoToMyPC\g2mainh.exe
C:\Program Files\Expertcity\GoToMyPC\g2host.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\reg33.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Expertcity\GoToMyPC\g2printh.exe
C:\putty.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Marcus Buckingham\Local Settings\Temporary Internet Files\Content.IE5\E7WVY1CP\HijackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Marcus Buckingham\Application Data\Mozilla\Profiles\default\k1oj3047.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Connect.lnk = C:\connect.bat
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\tqixkktj.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dl/dmitriy/x.chm::/load.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.4836574074
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?316
Thanks!
ASKER
Thank you Sunray.
Turns out that I installed and ran Ad Aware and that one found and removed the hijacker. I guess there's not one all-in-one solution...yet.
Glad that you fixed this issue. I am not sure why you had given a "b" grade?
Ad-aware: http://www.webattack.com/download/dladaware.shtml
CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
SpywareBlaster: http://www.webattack.com/download/dlspywareblaster.shtml
SpywareGuard: http://www.webattack.com/download/dlspywareguard.shtml
SpySites: http://www.webattack.com/download/dlspysites.shtml
Keylogger Hunter: http://www.webattack.com/download/dlklhunter.shtml
BHODemon: http://www.spywareinfo.com/downloads/bhod/
Browser Hijack Blaster: http://www.wilderssecurity.net/bhblaster.html
**************************
Make a backup of your registry and
check these registry entries:
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
HKCU\Software\Microsoft\In
HKCU\Software\Microsoft\In
HKCU\Software\Microsoft\In
HKCU\Software\Microsoft\In
HKCU\Software\Microsoft\In
HKEY_LOCAL_MACHINE\Softwar
and remove any unusual URL.
**************************
Start --> Run --> type in "msconfig" and press "Enter".
Go to the Startup tab.
Disable all the applications there. Reboot the machine and check if the problem persists.
If not, enable each of the applications one by one and see if that would help in figuring out the culprit.
**************************
Install one of these pop-up blockers and check if that would help.
Pop-up blocker:
---------------
http://home.rochester.rr.com/artcfox/Pop-Down/
http://www.panicware.com/product_psfree.html
http://zdnet.search.com/search?channel=56&cat=279tag=st.zd.sr.srch.zdnet&q=popup+killer
http://12ghosts.com/ghosts/popup.htm
http://www.webwasher.com/client/home/index.html?lang=de_EN
http://www.adsgone.com/download.asp
http://www.synergeticsoft.com/products/
Google toolbar: http://toolbar.google.com
**************************
Will check your HijackThis.
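As an added example (it is not part of the question, of Sunray's reply, or of HijackThis itself), the script below applies to a HijackThis-format log the same review the reply asks for by hand: it parses R0/R1, O2, O4 and O16 lines and flags the start, search, default and local page values that point at a local file instead of a web URL, BHOs whose file is gone, autostart executables dropped straight into the Windows directory, and ActiveX download (DPF) entries that are not fetched over http(s). The sample log is constructed after the one posted above; the CLSIDs, file names and the secure.html start page are taken from that log, while the host in the ms-its line is a placeholder. The section codes, regexes and thresholds are this example's own heuristics, not HijackThis behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample, modelled on the HijackThis v1.97 log in the question.
# CLSIDs, file names and the secure.html start page come from that log;
# the host in the ms-its line is a placeholder, not the one the log shows.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\tqixkktj.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://malicious-host.example/x.chm::/load.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "R0" or "O16"
    reason: str   # why the line deserves a look
    line: str     # the log line as written


LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Drive-letter paths (optionally behind file://) and UNC paths are local targets.
LOCAL_TARGET_RE = re.compile(r"^(?:file://)?[A-Za-z]:\\|^\\\\", re.IGNORECASE)
WEB_URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# An .exe directly under <drive>:\windows\ (not in a subdirectory such as system32).
WINDIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\windows\\[^\\]+\.exe', re.IGNORECASE)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BENIGN_PAGES = {"about:blank"}


def check_page_value(body: str) -> Optional[str]:
    """R0/R1: start, search, default and local page values should be http(s) URLs."""
    _key, sep, value = body.partition(" = ")
    if not sep:
        return None
    value = value.strip()
    if value.lower() in BENIGN_PAGES or WEB_URL_RE.match(value):
        return None
    if LOCAL_TARGET_RE.match(value):
        return f"browser page value points at a local file: {value}"
    return f"browser page value is not an http(s) URL: {value}"


def check_bho(body: str) -> Optional[str]:
    """O2: a BHO whose DLL no longer exists is a leftover registration worth removing."""
    if body.rstrip().endswith("(no file)"):
        return "BHO registered but its file is missing (orphaned entry)"
    return None


def check_run(body: str) -> Optional[str]:
    """O4: autostart executables dropped straight into the Windows directory are unusual."""
    m = RUN_RE.match(body)
    if m is None:
        return None
    cmd = m.group("cmd").strip()
    if WINDIR_EXE_RE.match(cmd):
        return f"autostart executable sits directly in the Windows directory: {cmd}"
    return None


def check_dpf(body: str) -> Optional[str]:
    """O16: Download Program Files should come from a web URL, not file:// or ms-its:."""
    if body.startswith("DPF: "):
        body = body[len("DPF: "):]
    _clsid, sep, url = body.rpartition(" - ")
    if not sep:
        return None
    url = url.strip()
    if not WEB_URL_RE.match(url):
        return f"ActiveX download entry loaded from a non-web source: {url}"
    return None


CHECKS: dict[str, Callable[[str], Optional[str]]] = {
    "R0": check_page_value,
    "R1": check_page_value,
    "O2": check_bho,
    "O4": check_run,
    "O16": check_dpf,
}


def triage(log_text: str) -> list[Finding]:
    """Run the per-section checks over every recognised line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            continue
        check = CHECKS.get(m.group("code"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

Run against the constructed sample, the script reports six lines: both secure.html page values, the orphaned BHO, reg33.exe in the Windows directory, and the two DPF entries loaded via file:// and ms-its:. Everything else in the sample (the Microsoft search page, the Apoint autostart, the Windows Update DPF) passes. The checks are deliberately narrow so that legitimate entries are not buried in noise; the output is a short list to review before touching the registry, which is exactly the step the reply's "remove any unusual URL" depends on.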