Browser redirect

Original Message

Name: dbl
Date: September 1, 2004 at 09:52:44 Pacific
Subject: Browser redirect
OS: Win98
CPU/Ram: PIII 256 Ram Laptop
Comment: I am having a horrible time getting rid of a browser redirect. I have run Spybot, Adware, Spysweeper, and Trojan Remover. Here is the Hijack log.

Logfile of HijackThis v1.97.7
Scan saved at 3:46:09 PM, on 8/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\FREE SURFER\FS20.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-G NOTEBOOK ADAPTER\WPC54CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\ACCESSORIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wunderground.com/cgi-bin/findweather/getForecast?query=msp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [freesurfer] C:\FREE SURFER\fs20.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [vptray] C:\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\America Online 9.0\aoltray.exe
O4 - Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38040.6476273148
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.3.20/worldclass/worldclass-ob-assets.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Any help would be appreciated.

Response Number 1
Name: nylonelyguy
Date: September 1, 2004 at 14:05:34 Pacific
Reply: You are running an old version of HijackThis. Try to install HijackThis 1.98 and post again.

Response Number 3
Name: Abnormal
Date: September 1, 2004 at 17:27:36 Pacific
Reply: A tip for your O10 entry: Download LSPFix. Start the program and then check the "I know what I'm doing" box. Move all instances of cdlsp.dll (and nothing else) to the Remove pane. Click the Finish button and reboot. Find and delete the file c:\windows\system32\cdlsp.dll

Response Number 4
Name: dbl
Date: September 2, 2004 at 15:52:36 Pacific
Reply: I did run CW Shredder. Here is the updated Hijack file. It did get rid of the O10 entries.

Logfile of HijackThis v1.97.7
Scan saved at 12:38:21 PM, on 9/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\FREE SURFER\FS20.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-G NOTEBOOK ADAPTER\WPC54CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\ACCESSORIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wunderground.com/cgi-bin/findweather/getForecast?query=msp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [freesurfer] C:\FREE SURFER\fs20.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [vptray] C:\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\America Online 9.0\aoltray.exe
O4 - Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38040.6476273148
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.3.20/worldclass/worldclass-ob-assets.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Response Number 5
Name: dbl
Date: September 2, 2004 at 16:02:01 Pacific
Reply: What about those O3 entries? Those look like the addresses that show up in the browser when it is redirected. This happens, by the way, about every 3 to 4 minutes even when the computer is not being used. I have a wireless network so my internet connection is always active. Walk away from the computer for 20 minutes and I have 5 or more new popups in their own browser window. Very annoying!

Response Number 6
Name: dbl
Date: September 2, 2004 at 16:07:46 Pacific
Reply: Sorry, I meant to say the O1, not O3, entries. Here is an example of what I see in the address window on the popups: http://69.20.56.3/yyy10.html This seems to be in almost every window.

Response Number 8
Name: dbl
Date: September 2, 2004 at 20:31:11 Pacific
Reply: When I fix those lines and reboot they appear again. The same three O1 lines. It appears to be the Search bar program. I have uninstalled it under add/remove and run Spybot, Adware, CW Shredder, Spy Sweep more times than I can count and it still appears. Any suggestions? Where is it residing where I can't seem to find it and uninstall?
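
Added example, not part of any post in this thread and not code from HijackThis: a Python sketch that pulls the O1 (hosts file) and O10 (Winsock LSP) entries out of a HijackThis log, even when the log is flattened, and compares two scans. The log excerpts are copied from dbl's two posts above; the function and variable names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Excerpts copied from the two logs dbl posted (8/24 and 9/1), kept flattened
# and with one entry wrapped after its code, as the forum rendered them.
LOG_BEFORE = (
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "
    r"Microsoft Internet Explorer provided by America Online "
    r"O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4" "\n"
    r"- HKLM\..\Run: [SystemTray] SysTray.Exe "
    r"O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll "
    r"O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll"
)
LOG_AFTER = (
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "
    r"Microsoft Internet Explorer provided by America Online "
    "O1 - Hosts: 69.20.16.183 auto.search.msn.com "
    "O1 - Hosts: 69.20.16.183 search.netscape.com "
    "O1 - Hosts: 69.20.16.183 ieautosearch "
    r"O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe "
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe"
)

CODE = r"(?:R[0-3]|O\d{1,2})"  # section codes as they appear in these logs
ENTRY = re.compile(rf"(?:^|\s)({CODE})\s+-\s+(.*?)(?=\s+{CODE}\s+-\s|\Z)", re.S)

def parse_entries(text):
    """Split a log (one entry per line or flattened) into (code, body) pairs."""
    return [(m.group(1), " ".join(m.group(2).split()))
            for m in ENTRY.finditer(text)]

def hosts_redirects(entries):
    """O1 entries: hosts-file lines mapping a name to a non-loopback address."""
    found = []
    for code, body in entries:
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body) if code == "O1" else None
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal; leave for manual review
        if not (addr.is_loopback or addr.is_unspecified):
            found.append((m.group(1), m.group(2)))
    return found

def unknown_lsp(entries):
    """O10 entries: count each file reported as unknown in the LSP chain."""
    prefix = "Unknown file in Winsock LSP:"
    return Counter(body[len(prefix):].strip().lower()
                   for code, body in entries
                   if code == "O10" and body.startswith(prefix))

def diff_logs(before, after):
    """Entries that disappeared from, and appeared in, the later scan."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone in later scan:", removed)
    print("new in later scan: ", added)
    print("hosts redirects:   ", hosts_redirects(parse_entries(LOG_AFTER)))
```

Run against the full logs, the diff makes the change between the two scans explicit: the cdlsp.dll O10 lines are gone and three O1 hosts-file lines have appeared.
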

Response Number 9
Name: Abnormal
Date: September 4, 2004 at 06:55:41 Pacific
Reply: I did try searching for your problem, you need better advice and tools than I can offer.
Someone else with your problem here: http://forums.spywareinfo.com/index.php?showtopic=24303
Links to help sites that can offer help: http://www.computing.net/security/wwwboard/forum/13519.html

Response Number 10
Name: nappa600
Date: September 17, 2004 at 12:20:43 Pacific
Reply: I have the same problem as the other and took the advice given but I still receive the redirected window. My HJT log doesn't seem to have the same bugs as the others. Maybe someone can take a look at it for me.

Logfile of HijackThis v1.98.2
Scan saved at 12:11:22 PM, on 9/17/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\ONLINE SERVICES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&s=search&query=%s&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O3 - Toolbar: Search - {BFE49DB6-FF01-6D23-FD27-232EC33FE6B8} - C:\WINDOWS\Dawimuvv.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Response Number 11
Name: Rosemary
Date: September 18, 2004 at 14:18:32 Pacific
Reply: I have the same problem. Seems we need a new virus named and a fix found. Let me know if anyone finds a definitive answer. I'm ready to erase and start over.

Response Number 12
Name: gsbtech
Date: September 24, 2004 at 07:01:15 Pacific
Reply: I tracked the URL http://69.20.56.3/yyy10.html to a hosting company called rackspace.com. I sent them a message requesting help. Their response follows. Sometimes one can follow the money trail and start making some noise to get these issues resolved. I'm waiting on a response from look2me.com

-----Original Message-----
From: abuse@rackspace.com [mailto:abuse@rackspace.com]
Sent: Friday, September 24, 2004 3:42 AM
To: steve
Subject: [Incident 040923-000056] http://69.20.56.3/yyy10.html

Recently you requested personal assistance from our on-line support center. Below is a summary of your request and our response. If we do not hear from you within 48 hours we will assume your issue has been resolved. Thank you for allowing us to be of service to you.

Subject
-----
http://69.20.56.3/yyy10.html

Suggested Answer
-----
At 09/24/2004 03:42 AM we wrote -

Hello,

Please send an email to info@look2me.com and ask for the uninstall script. If you would rather give them a phone call, they can be reached at 866-705-2728. Please update this ticket if you do not hear back from them within 48 hours and we will contact the customer.

Regards,
Sydney McHale
Rackspace Managed hosting (TM)

Question
-----
The registrant, associate, or reseller of 69.20.56.3 had created a rather nasty Trojan or Hijacker that is redirecting browsers and creating pop-ups to the address http://69.20.56.3/yyy10.html. The software is particularly nasty as the more common malware removal tools can't find it - this includes HijackThis, adaware, cwshredder, LSPFix, and anti-virus software. The registrant or associate's software which directs us to 69.20.56.3 creates up to a dozen pop-ups in a half hour, making any computer connected to the internet practically unusable. Since the exploit has not been identified, it is beginning to lead to more and more computers and companies that are forced to wipe the computers and start from scratch with a reinstall - potentially leading to a fortune in lost productivity which could lead to legal claims against the registrar rackspace.com as well as the products being sold.

To understand that this is a serious problem, simply do a google search for 69.29.56.3 and you will find a rare situation wherein an IP address has become an infamous keyword, e.g., http://www.computing.net/security/wwwboard/forum/13517.html.

The above URL redirects one to a number of resellers. I will list a few here (many of which have had their user agreements violated by this malicious software).

http://www.pilljoy.com
http://www.ubid.com
http://www.buyalldrugs.com/
http://www.productresearchpanel.com/
http://www.cydoor.com/
http://www.metareward.com/
http://onlinedegrees.pheonix.edu/
http://tv.glophone.com/
... and others.

I believe that many of them are processed by cydoor.com.