Still fighting with bluezipper.com

Name: amily
Date: February 25, 2004 at 16:48:15 Pacific
OS: Windows XP Pro
CPU/Ram: CPU 500MHZ/256MB Ram
Comment:

I seem to have been hijacked by bluezipper.com. For the past week I have been battling many different spyware/adware challenges. Thanks to your 'Forum', I think I have managed to get myself ALMOST back to square one! Whew!!! Now I think the only thing I am fighting is 'bluezipper' homepage stealer. Everything seems to be working OK, but when I log on to the web, before it ends up on my pre-set homepage, it goes through: http://www.bluezipper.com/hphelper.php . . . How do I stop this? I have gone to ‘Hijack This’ and done a scan. Here is a copy of the ‘Hijack This’ Log file:


Logfile of HijackThis v1.97.7
Scan saved at 9:32:20 PM, on 2/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\windows\system32\wdwctrl.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Precpop2\precpop2.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Documents and Settings\Amy\Application Data\pehu.exe
C:\WINDOWS\System32\wnsinttr.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amy\Local Settings\Temporary Internet Files\Content.IE5\RVLFZ94W\HijackThis[1].exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluezipper.com/hphelper.php?home=http://www.msn.com/&marker=3094884412&install_date=unknown&country=United_States&siteid=247_AX1&ip=67.166.34.176&z%20unknown&month=unknown&date=unknown&year=unknown&income=unknown&city=unknown&state=unknown&firstname=unknown&lastname=unknown
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/hp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%SystemRoot%\System32\userinit.exe
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5974035-F2A5-4675-AF7F-6F7C9B64AAB1} - C:\WINDOWS\System32\dplaey.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: SuperBar - {356C6D3B-95BC-4D7D-852D-4EC28A07B0C6} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [wdwctrl] c:\windows\system32\wdwctrl.exe /nocomm
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [iedll] C:\Program Files\Windows Media Player\iedll.exe
O4 - HKCU\..\Run: [loader] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [Seas] C:\Documents and Settings\Amy\Application Data\pehu.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsinttr.exe
O4 - Startup: Norton Disk Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: PUFLITE - http://ihelpyou.point2homes.biz/Photo/Control/PUFLITE.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37888.6527777778
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


What do I do now?

Amily



Response Number 1
Name: Tank863
Date: February 25, 2004 at 17:33:19 Pacific
Reply:

Delete R0

Tank863
What the heck is: Tankweb.net


0

Response Number 2
Name: Tank863
Date: February 25, 2004 at 17:34:45 Pacific
Reply:

Sorry.. This R0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluezipper.com/hphelper.php?home=http://www.msn.com/&marker=3094884412&install_date=unknown&country=United_States&siteid=247_AX1&ip=67.166.34.176&z%20unknown&month=unknown&date=unknown&year=unknown&income=unknown&city=unknown&state=unknown&firstname=unknown&lastname=unknown

Tank863
What the heck is: Tankweb.net


0

Response Number 3
Name: amily
Date: February 25, 2004 at 18:20:12 Pacific
Reply:

Thank you Tank863,
I thought that was probably what I should do, but I needed to hear it from someone else. I am 'new' to Hijack This, and the tutorial specifically said I should check with someone more knowledgeable. I certainly don't need to mess up my registry.

Amily


0

Response Number 4
Name: Wombat
Date: February 26, 2004 at 12:24:33 Pacific
Reply:

Go here and post the HJT log...

www.netrn.net/phpBB2/

Iligitimi non carborundum est


0

Response Number 5
Name: Mhackett
Date: February 29, 2004 at 10:12:29 Pacific
Reply:

I seem to have been hijacked a couple of nights ago myself. I now have something called searchBAR in my bottom taskbar. I think it came through clicking away a ClockSynch popunder because that was the only new program that showed. I can't get rid of the searchbar nor find the program anywhere to uninstall/remove it.
Just now, when I went on line, I saw Bluezipper.com briefly appear in the address window before it redirected to Yahoo which I have setup as my start page.
Where are they located, it might just be worth a trip to kick some ass?

I installed Ad Aware and did a scan last night and managed to finally rid myself of the Fing Orbit explorer that was launching itself whenever I got a "page not found".

In addition, I can't access the Internet with Mailwasher or Internet Explorer and have to open Outlook Express to access the Dial Up Connection box.


0



Response Number 6
Name: h2oford
Date: March 12, 2004 at 14:59:49 Pacific
Reply:

I found a solution. I was recently hit with this one as well. You will find it in the following location. In the folder will be an uninstall but don't bother with it as it doesn't work. Just delete the folder. And restart. And no more blue zipper!

C:\Program Files\Precpop2\precpop2.exe



0

Response Number 7
Name: Miss Q
Date: March 12, 2004 at 22:30:53 Pacific
Reply:

dtm of Response Number 6 ---

Awesome!! Thank you!!! I saw the "uninstall" but was afraid it could be a trick and launch something even worse. I searched all over the other day for precpop2 and bluezipper and got nowhere!

Did you run into "DnldStub", too? After I read your post about precpop2, I deleted it, also.
"DnldStub" showed up shortly after precpop2. Norton Internet Security alerted me to it and advised "blocking" access, which I did. (Same thing had happened with precpop2 but I still got hijacked by bluezipper.)

Thanks again for solving bluezipper!


0

Response Number 8
Name: j5
Date: March 13, 2004 at 11:33:01 Pacific
Reply:

I tried deleting the file
C:\Program Files\Precpop2\precpop2.exe
but it told me the file was still in use or disk was full. I restarted the comp and even disconnected the internet and it will not delete the file. Any suggestions?


0

Response Number 9
Name: k_besaw
Date: March 14, 2004 at 01:07:14 Pacific
Reply:

I did the same thing... I tried to delete the folder, but it said the precpop2.exe was unable to be deleted. It was one of those "Access Denied" pop up messages.


0

Response Number 10
Name: MarsB
Date: March 16, 2004 at 05:25:12 Pacific
Reply:

I also have tried to delete the folder precpop2 but received an access denied write protected error? Any advice?


0

Response Number 11
Name: jhobbs
Date: March 16, 2004 at 19:28:14 Pacific
Reply:

All you have to do to solve the "precpop2.exe was unable to be deleted" problem is hit Ctrl-Alt-Del and click on the Processes tab. Find precpop2.exe and end process. Then IMMEDIATELY delete the precpop folder.


0
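
An added example, not part of any post in this thread and not HijackThis's own logic: a small parser for the log format posted above that picks out Start Page values wrapping another URL in their query string (the R0 entry identified in Response 2) and lists the running processes and O4 autorun entries under a given folder (why the Precpop2 folder in Responses 8 to 11 is reported as in use). The function names and the shortened sample log are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a few lines excerpted (URL shortened) from the log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.exe
C:\Program Files\Precpop2\precpop2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluezipper.com/hphelper.php?home=http://www.msn.com/&marker=3094884412
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Entry lines look like "R0 - ...", "O4 - ...", "O16 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def wrapped_start_pages(entries):
    """Start Page values whose query string carries another URL (a redirect wrapper)."""
    hits = []
    for code, body in entries:
        if code in ("R0", "R1") and ",Start Page = " in body:
            key, url = body.split(" = ", 1)
            inner = [v for _, v in parse_qsl(urlsplit(url).query) if v.startswith("http")]
            if inner:
                hits.append((key, urlsplit(url).hostname, inner[0]))
    return hits

def references(folder, processes, entries):
    """Running processes and O4 autorun entries located under folder (case-insensitive)."""
    f = folder.lower()
    return ([p for p in processes if p.lower().startswith(f)],
            [b for c, b in entries if c == "O4" and f in b.lower()])
```

On the sample, `wrapped_start_pages` reports the HKCU Start Page routed through www.bluezipper.com with http://www.msn.com/ as the real target, and `references(r"C:\Program Files\Precpop2", ...)` returns both the running precpop2.exe and the Run-key entry for starter.exe.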
