Jump to content


Photo

Hijacking by http//ads.softwareoutfit.com/


  • This topic is locked This topic is locked
1 reply to this topic

#1 Befuddled

Befuddled

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 July 2004 - 11:55 AM

Help! :rofl:

I use yahoo mail for my email. At least once a day for the past 4 months, when I log into my email, my page is hijacked by:

http//ads.softwareoutfit.com/adsm.php?keyword=virus\&lid=www.yahoo.com=email

Clearly, the hijack is linked to my email -- that much I figured out!

I have run Ad-aware 6.0 and Norton Corporate (updates through 7/7 v.8). The scans have not caught the problem. I have also installed Spyware Blaster (probably a little too late).

In addition, I tried to apply a troubleshooting response to another user with the same problem and the problem was not fixed. I did the following:
1. Using hijackthis, I "fixed" 04 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe.
2. I deleted "C:\WINDOWS\sysupd.exe" file in the safe mode.
3. I deleted all temp files in regular mode (would not work in safe mode).
4. I flushed my restore points.
While the syspupd.exe is not longer on my computer, I still get the pop-up.

I ran a new hijackthis log this morning. It is as follows:

Logfile of HijackThis v1.98.0
Scan saved at 8:34:01 AM, on 7/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\msagent\intl\sysodbc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [sysodbc] C:\WINDOWS\msagent\intl\sysodbc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab


I'd appreciate any help you can give me.

Thanks! :wave:

#2 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 22 November 2005 - 10:15 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button