Hijacking
Posted by Bob Brister on May 22nd, 2004


Somehow I have gotten a program that hijacks my home address and adds an
icon on my desktop. The icon says "sexdial" and when I click on it I go to
www.casinopalazzo.com. I have used Adaware and Spybot but still have the
same problem. Oh yes, the thing automatically pops up every 20 minutes or so
and opens a new browser window to the casinopalazzo. I have found the
address, but I don't know how to delete it. The address is "C:\Program
files\Internet Explorer\Iexplore.exe"http://www.casinopalazzo.com. I have
Windows 98 SE. Any help will be greatly appreciated.

Bob


Posted by Scott Freeman on May 22nd, 2004


Bob Brister wrote:
Are you running Ad-Watch? That should prevent browser hijacks. Go to
settings, and make sure 'block hijack attempts' is checked.




Posted by zaax on May 23rd, 2004


In article <c8os7d02del@news1.newsguy.com>, Richard <Anonymous@127.001>
writes
send it to them, take them to court if they don't pay
--
Zaax
http://www.ukgatsos.com

Posted by Bob Brister on May 23rd, 2004


I have done everything Richard said, but the problem is still there. The
home page it goes to is www.easy-search.biz. When I try to delete or modify
the registry to get rid of this address, it comes right back. I deleted
every reference to easy-search but when I reran regedit and searched for it,
there it was! I can find no reference to casino, sexdial or easy-search in
the startup. I could remove IE6 and reinstall if that would help. Oh yes, I
tried SpyBouncer, and it didn't find the problem either.

Bob


Posted by Boomer on May 23rd, 2004


"Bob Brister" <brist1942@highstream.net> wrote:

Hi

Download and install HijackThis
http://tomcoyote.com/hjt/

Then post your log over here:
HijackThis forum/HijackThis Logs
http://www.lavasoftsupport.com/index.php?act=idx

Also, could you please include some of the message you are responding
to in your reply?
(Tools > Options > Send tab, tick the "Include message in Reply" box.)


Thanks.


Posted by zaax on May 23rd, 2004


In article <c8qdut01ci3@news1.newsguy.com>, Richard <Anonymous@127.001>
writes

Posted by °Mike° on May 23rd, 2004


Then you're either a fool, or very naive about usenet.
Never, repeat never, take any notice of "advice" given
by Richard (RtS) Bullis.


On Sun, 23 May 2004 10:18:52 -0500, in
<10b1gb0b6nk0m4c@corp.supernews.com>
Bob Brister scrawled:

<snip>

--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html

Posted by °Mike° on May 23rd, 2004


First of all, try CWShredder:

CWShredder (CoolWebSearch remover)
http://www.spywareinfo.com/~merijn/cwschronicles.html
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

If that doesn't help, install HijackThis and post the contents
of your log here.

HijackThis
http://www.tomcoyote.org/hjt/
http://mjc1.com/mirror/hjt/
http://www.spywareinfo.com/~merijn/files/hijackthis.zip


On Sun, 23 May 2004 10:18:52 -0500, in
<10b1gb0b6nk0m4c@corp.supernews.com>
Bob Brister scrawled:


Posted by Bob Brister on May 24th, 2004


Logfile of HijackThis v1.97.7
Scan saved at 12:34:09 PM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\STICKUPS\STICKUPS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIGHSTREAM TURBO\HSTURBO.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = local
F1 - win.ini: run=c:\stickups\stickups.exe
O1 - Hosts: 69.50.170.20 www.google.com
O1 - Hosts: 69.50.170.21 search.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM
FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL__SpybotSDDisabled (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO -
{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL__SpybotSDDisabled (file
missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch
Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
/P23 "EPSON Stylus C84 Series" /O7 "EPUSB1:" /M "Stylus C84"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Cosmi\HelpExpress\Robert
Brister\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Cosmi\HelpExpress\Robert
Brister\Client\HelpExp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: HighStream Turbo.lnk = C:\Program Files\HighStream
Turbo\HSTurbo.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZNxdm800
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM
FILES\HIGHSTREAM TURBO\HSTURBO.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM
FILES\HIGHSTREAM TURBO\HSTURBO.EXE/250
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.co...976.3532407407
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/18f0566e...p/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
http://www.mt-download.com/MediaTicketsInstaller.cab

These are the files found by Hijackthis. I still have the problem, of
course.

Bob


Posted by docmill on May 24th, 2004


"Bob Brister" <brist1942@highstream.net> wrote in
news:10b2kl4j3k83473@corp.supernews.com:

But you are hosed.

--
+++++++++++ SEND ME A LINK +++++++++++
docmill's Home Of HotLinks In The Frying SPAM

Posted by Bob Brister on May 24th, 2004


So how do I get unhosed? Reformat the hard drive and reinstall all my
software? I was hoping for an easier solution!

Bob


Posted by °Mike° on May 25th, 2004


On Sun, 23 May 2004 20:38:47 -0500, in
<10b2kl4j3k83473@corp.supernews.com>
Bob Brister scrawled:

I'm not sure what the above is; if you don't know,
terminate it and see my comments below [*****].


The above program is spyware.


The above is a password stealing trojan (PWSteal.AlLight)
http://www.symantec.com/avcenter/ven...l.allight.html


Have HijackThis fix ALL of the above. See comments below [+++++]


[*****] See my comments about stickups above.
Fix this if you don't know what it is, or didn't install it.


Have HijackThis fix the above.


Have HijackThis fix the above.


Have HijackThis fix the above.


Have HijackThis fix the above.


Spyware.


Password trojan; see comments above and have HijackThis fix
the above.


Hijack Trojan. See comments above [+++++]
http://fr.trendmicro-europe.com/ente...ENT.AD&VSect=T

Shorter link for above:
http://makeashorterlink.com/?F2BD12368


Have HijackThis fix the above.


Spyware.

Have HijackThis fix the above.


Have HijackThis fix the above.


Run a complete system antivirus scan with *at least* two
online scanners, and update your normal scanner.

Online Antivirus scanners:
================
http://housecall.trendmicro.com/hous...start_corp.asp
http://www3.ca.com/virusinfo/virusscan.aspx
http://security.symantec.com/sscv6/default.asp
http://www.pandasoftware.com/activescan/activescan.asp


Download, update and use *all* of the following:

Spybot Search & Destroy
http://spybot.eon.net.au/
http://www.safer-networking.org/
http://spybot.safer-networking.de/
SpyBot S&D guide
http://www.chem.wisc.edu/~network/spybot/

Ad-Aware
http://www.lavasoftusa.com/
http://www.lavasoft.nu/

Spyware Blaster
http://www.wilderssecurity.net/spywareblaster.html
http://www.javacoolsoftware.com/spywareblaster.html
http://www.net-integration.net/tools...reblaster.html

CWShredder (CoolWebSearch remover)
http://www.spywareinfo.com/~merijn/cwschronicles.html
http://www.spywareinfo.com/~merijn/files/cwshredder.zip



Posted by Bob Brister on May 25th, 2004


Again, I did everything you said, then went to the web sites you recommended
and finally, at last, my computer is cured. I'm not exactly sure which fix
or deletion did the trick, but I am very grateful for your help. I
appreciate all of you who took the time and trouble to give me advice. I
have learned a lot from this newsgroup.

Thanks!


--
Bob


Posted by °Mike° on May 25th, 2004


All of them, and you're welcome.


On Tue, 25 May 2004 16:01:07 -0500, in
<10b7d48dej56981@corp.supernews.com>
Bob Brister scrawled:


Posted by Stéphane on June 9th, 2004


"Bob Brister" <brist1942@highstream.net> wrote in message news:<10b1gb0b6nk0m4c@corp.supernews.com>...
Hi,

.... sorry for my English! I'm a French Canadian from Montreal in
Quebec.

I have the same problem! I tried Spy Ferret and NoAdware. The
scans saw some things, but they ask you to register... $30 US and more!

If somebody finds the solution, please contact me.

Thank you!

Stéphane

