• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
kozmoyouth

Hello, I'm in a little over my head

5 posts in this topic

Hi everybody. It seems like I only started having problems very recently, but I'm sure that it's because I'm normally oblivious to what's going on around me.

 

a friend sold me some used parts/new parts to get my computer freshened up for work. I was connected to the internet for less than an hour, when I found a browser hijacker. I've been at my wits end trying to get it removed. every time that I thought that it was licked, it peeked it's head out. this is the second scan that I've done with HT. Thanks for taking a look.

 

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 1:57:58 AM, on 7/17/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Ivglm.exe

C:\WINDOWS\System32\Ifi1OLf7.exe

C:\Documents and Settings\work\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1526 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1526 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [283DLG33QJMRT9] C:\WINDOWS\System32\GteikZ.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

O13 - WWW Prefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

Share this post


Link to post
Share on other sites

Hello kozmoyouth ,Welcome to SWI.

Print out these instructions so you can read them while you clean your system.

Move Hijack This to its own folder out of the temp directory.Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.

 

Download CWShredder install, run and click fix.

 

2.You also have the Peper Trojan ,so download PeperFix:

Save it to your Desktop.

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.

Ensure that you are online before starting the fix. Make sure to run the fix twice.

 

Now close all open windows AND browsers and check these items for HJT to fix(a fair amount of these are likely to be gone because of CWShredder and Peper Fix):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1526 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1526 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)

O4 - HKLM\..\Run: [283DLG33QJMRT9] C:\WINDOWS\System32\GteikZ.exe

O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

O13 - WWW Prefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?u=1526&error=

 

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

Delete these files if present:

C:\WINDOWS\System32\Ivglm.exe

C:\WINDOWS\System32\Ifi1OLf7.exe

 

You may need to show hidden files to delete them.How to show all hidden and system files

 

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.

* C:\Windows\Temp\

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet

content including cookies. This is recommended and strongly suggested.

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

 

Then disable your system restore

 

1 Right-click My Computer, and then click Properties.

2 Click the System Restore tab.

3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

4 Click Apply

5 this will delete all existing restore points. Click Yes to do this.

6 Click OK.

 

Reboot into normal mode enable System Restore and post a fresh log in this thread to give you further recommendations.

Share this post


Link to post
Share on other sites

Here is the latest scan. thank you very much for your help.

 

Logfile of HijackThis v1.98.0

Scan saved at 10:14:17 AM, on 7/17/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\hijack\HijackThis.exe

 

 

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

Edited by kozmoyouth

Share this post


Link to post
Share on other sites

Good job!

your log is clean.

Good luck :D:D

Share this post


Link to post
Share on other sites

Glad we could help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0