Internet Connection Hijack


8 replies to this topic

#1 tstory


Posted 19 July 2004 - 01:18 PM

My internet connection is changed when I open internet explorer. My IE connection is lost and another one is substituted without my requesting it. I have to go in and delete the bogus connection, and disconnect and then shut down my computer and restart all over again.



#2 dgosling


Posted 19 July 2004 - 03:16 PM

We need a Hijack This log file to be able to analyze what is happening on your computer. If you do not have a copy of Hijack This, please follow the instructions in order (there is a new version of HJT, 1.98; please download and install it):

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' and name the folder 'Hijack This'.

2. Download Hijackthis to the new folder from this website: http://www.tomcoyote.org/hjt/

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

4. Close ALL windows except HJT

5. SCAN with HJT and SAVE LOG. (A notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

#3 tstory


Posted 20 July 2004 - 05:25 PM

here is my copy of the scan

#4 dgosling


Posted 22 July 2004 - 08:51 AM

Where is the log file? Did you have difficulty posting it?

#5 tstory


Posted 23 July 2004 - 07:48 AM

When I initially connect to IE, another connection is made overriding my connection. It is called "jigallo". I have to disconnect from that and go in and delete the shortcut it has made also. Then I start all over again, reconnect and wait for my regular connection to take place. Any help out there?

Logfile of HijackThis v1.97.7
Scan saved at 7:14:56 AM, on 6/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SK9910DM.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\EXPLORE.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchxp.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxp.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchxp.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gateway.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp....earch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME2.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\SYSTEM\MSMK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~5.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [explore] c:\windows\explore.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: SCREEN SAVER CONTROL.LNK = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: GATEWAY.NET 5.0 TRAY ICON.LNK = C:\Gateway.net 5.0\gwtray.exe
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.spywarenuker.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamg.redho...cabs/videox.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.citrix.co...n/cab/wfica.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://www.ancestry....h/io/mrsidi.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.greatplug...iles/007099.exe
O16 - DPF: {00CB77FC-0F09-458A-8BE8-9176423305EB} (Loader Control) - https://riverbelle.m...elle/loader.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.20...ion/NSupd9x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102...etzip/RdxIE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://riverbelle.m...lle/FlashAX.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dial...om/VLoading.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7994.3276041667
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldw...apit/swapit.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldw...ll/freecell.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe

edited to remove duplicate logs

Edited by dgosling, 23 July 2004 - 03:55 PM.


#6 tstory


Posted 23 July 2004 - 08:56 AM

I did have problems posting my scan to my message. I have posted a new message with scan also. Thanks t

#7 dgosling


Posted 23 July 2004 - 12:57 PM

Thread merged. Please post in this thread only until this specific problem with your computer has been fixed.

#8 dgosling


Posted 23 July 2004 - 03:49 PM

I am checking your log now but had a power outage so have to rewrite everything - will get back to you soon.

#9 dgosling


Posted 23 July 2004 - 06:29 PM

Hello tstory,
You have a large amount of malware on your computer and it will probably take a few passes before you get a clean log. I will ask you to download a few programs which will clean the different bugs on your system.

First of all we need to make sure that all hidden files are showing so please:
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.


You are running a program called SpyKiller which is not recommended for security reasons. I suggest that you uninstall it as it is probably producing some of your problems. The other spyware problem that you have is NewDotNet which also needs to be uninstalled.

Please go to Start> Settings> Control Panel> Add Remove Programs> uninstall the following two entries:

NewDotNet which also could appear as New.Net, or New
SpyKiller


Now to start fixing more of your spyware.

1) Please download a small program which will get rid of the worst one, CoolWebSearch. Please click here and download and open the file: CWShredder.

2) PLEASE CLOSE ALL WINDOWS EXCEPT CWSHREDDER

3) Click on 'Fix' in the CWShredder window

4) Let it scan and fix all that it finds



You still will have a fair amount of Malware/Spyware on your computer.

1. Download the new version of 'Spybot: Search And Destroy' Version 1.3 from the link at the bottom of this post.

2. Install it according to the instructions in 'How To Setup Spybot SD and Ad-Aware' from the link below.

3. Next, 'Search for Updates' as the definitions will not be up-to-date.

4. Close ALL windows except Spybot SD

5. Click the "Check for Problems" button

6. Click 'Fix Selected Problems' and fix only the RED items.

7. REBOOT to finish removing what it found and clear memory


Now for Ad-Aware:

1. Download 'Ad-Aware' from the link at the bottom of this post.

2. Install according to the instructions at this link "How To Setup Spybot SD and Ad-Aware"

3. Next, 'Check for Updates' by clicking on the 'world globe' second from the right at the top of your Ad-Aware window.

4. Install the updates.

5. Close ALL windows except Ad-Aware

6. Click on 'Start' and choose 'custom scan' for a full scan.

7. Quarantine anything that it finds and SAVE the log file.

8. REBOOT to finish removing what it has found and clear memory.



You have HijackThis in a TEMP folder, where it won't properly save the backups it makes. The version you have is also the old version, so please download the current version 1.98 and install it. But first:

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' and name the folder 'Hijack This'.

2. Download Hijackthis to the new folder from this website: http://mjc1.com/mirror/hjt/

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

4. Close ALL windows except HJT

5. Scan with Hijack This and put a check mark beside the following entries in Hijack This if they are still there. Then 'fix checked':

O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ ME2.DLL

O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\SYSTEM\ MSMK.DLL


O4 - HKLM\..\Run: [System Tray] SysTray.Exe

O4 - HKLM\..\Run: [Promul Gate] "C:\Program Files\Del Fin\Promul Gate\PgMonitr.exe"

O4 - HKCU\..\Run: [explore] c:\windows\explore.exe

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup


O15 - Trusted Zone: http://*.63. 219. 181.7

O15 - Trusted Zone: http://*.spyware nuker.com


O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - hxxp://streamg.redhotnetworks.com/cabs/videox.cab

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - hxxp://www.greatplugin.com/diallerfiles/007099.exe

O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - hxxp://204.177.92.201/quickdl/action/NSupd9x.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - hxxp://207.188.7.102/07d557f5cd85de5f0900/netzip/RdxIE.cab

O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - hxxp://www.0190-dialer.com/VLoading.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - hxxp://207.188.7.150/224648 fbe5d 8e1387106/...ip/RdxIE601.cab

O16 - DPF: { x1x 1 x1 x1 1 1 1 1- 1 1 1 1- 1 1 1 1- 1 1 1 1 - 1 1 1 1 1 1 1 1 1 xxxx1 5 7 } - m s-its m h t m l * file : // x * \n o s u c h. m h * t ! **h x x p * // su per - ga ls. c o m / s c j /rotation / templates/ s/ x. chm * * / a d. e x e
<--- changes made to make this not clickable

The following is optional to remove Office from starting with windows, it can still be started from your start menu or desktop:

O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE



6. Please REBOOT into SAFE MODE by tapping F8 as you are booting up and delete the following files and folders if they are still there:

C:\??\ SysTray.Exe <-- Start>Find to locate it

C:\ProgramFiles\Del Fin\Promul Gate\PgMonitr.exe

c:\windows\explore.exe <-- make sure it is this file NOT 'explorer.exe' that you delete

C:\Program Files\SpyKiller\spykiller.exe



7. REBOOT into Normal mode.


8. Please go to Start> Settings> Control Panel> Internet Options and on the General tab click on 'Delete Files', putting a check mark in 'Delete all offline content'. Then Clear History. Then on the Security tab highlight Trusted Zone, click on the button that says 'Sites' below and erase any sites that are listed there. Any sites listed in the Trusted Zone have full access to your computer.

9. Scan with the new version of HijackThis and save log

10. POST a new HijackThis log here in this thread using 'Add Reply' to see what is left to fix.



You now need to reset your System Restore to remove the backed up virus/trojan files. You will lose all of your restore points doing this, but it is the only way to prevent the virus/trojan from being restored back onto your system.
To disable System Restore:

1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

I also see no sign of a firewall on your computer. There are good free programs available:
ZoneAlarm Free Firewall
Kerio Free Firewall


Good Luck!
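As an added example (not part of this thread, and not HijackThis code), here is a small Python triage of HJT log lines along the lines dgosling singles out above: O10 Winsock LSP hijacks, O15 Trusted Zone entries, O16 downloads from bare IP addresses or pointing at .exe / ms-its: targets, and R0/R1 start or search settings redirected away from an assumed allowlist of the user's own hosts. The sample log lines are constructed with placeholder hosts; they are not the log posted above.

```python
"""Triage of HijackThis (HJT) log lines by entry type. The sample log is constructed
for this example: HJT 1.9x format as in the thread, but with placeholder hosts."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
KNOWN_GOOD_HOSTS = {"www.example.com"}  # hosts the user set themselves (assumed)
# An HJT line is "<type> - <body>", e.g. "O16 - DPF: {CLSID} (Name) - http://host/x.cab"
LINE_RE = re.compile(r"^(?P<type>[RFO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"(?:https?|hxxp|ms-its):\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def url_host(url: str) -> str:
    """Hostname of a URL; accepts the 'hxxp' defanging used in forum posts."""
    return urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""

def triage_line(line: str) -> Optional[str]:
    """Return why an entry deserves review, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    urls = URL_RE.findall(body)
    if kind == "O10":  # Winsock LSP chain altered: traffic flows through a third-party DLL
        return "Winsock LSP hijack"
    if kind == "O15":  # Trusted Zone sites run under IE's most permissive settings
        return "Trusted Zone entry"
    if kind == "O16":  # Downloaded Program Files (ActiveX) and where they came from
        if "ms-its:" in body.lower():
            return "DPF via ms-its:/mhtml: (CHM-based download)"
        for u in urls:
            if IPV4_RE.match(url_host(u)):
                return "DPF downloaded from bare IP address"
            if u.lower().endswith(".exe"):
                return "DPF pointing at an .exe instead of a .cab"
    if kind in ("R0", "R1") and urls:  # IE start page / search settings
        host = url_host(urls[0])
        if host not in KNOWN_GOOD_HOSTS:
            return f"IE setting points to {host}"
    return None

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every flagged entry in an HJT log."""
    flagged = []
    for ln in text.splitlines():
        reason = triage_line(ln)
        if reason:
            flagged.append((reason, ln.strip()))
    return flagged

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.example.test/sp.htm
O10 - Hijacked Internet access by Example.LSP
O15 - Trusted Zone: http://*.192.0.2.7
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Viewer) - http://www.example.com/viewer.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} - hxxp://dialer.example.test/setup.exe
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Update Class) - http://192.0.2.20/upd.cab
O16 - DPF: {00000000-0000-0000-0000-000000000005} - ms-its:mhtml:file://c:\nosuch.mht!http://ads.example.test/x.chm::/ad.exe
"""
```

Entries such as the benign .cab from an allowlisted host and the unknown-type lines pass through unflagged, so the output is a review list rather than a verdict.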
