Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

http://utruuh.globe-finder.cc/goaway.html [CLOSED]

Started by bartholemeus , May 17 2005 10:52 AM

  • This topic is locked This topic is locked

#1
bartholemeus
Posted 17 May 2005 - 10:52 AM

bartholemeus

    New Member

  • Member
  • Pip
  • 3 posts
Hi all,
after a long night running Ad-aware, hijackthis, Spybot, cleanup, ... I'm still having this hijacker. I also followed the sugestions in this forum but the result is still the same : my startpage is still : http://utruuh.globe-....cc/goaway.html.
Below is my hijackthis log :
Logfile of HijackThis v1.99.1
Scan saved at 18:50:16, on 05/17/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\REALTEK\RTL8180\RTLWAKE.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTC05.EXE
C:\WINDOWS\SYSTEM\HPZENG05.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: RtlWake.lnk = C:\Program Files\Realtek\Rtl8180\RtlWake.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://justload.com/...load/server.exe
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp01.photopr...vex/XUpload.ocx
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213...hm::/update.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.ne...0.chm::/win.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O19 - User stylesheet: C:\WINDOWS\inf\info.dat

Can somebody help me to get rid of this hijack ?

Bartholemeus
  • 0

Advertisements

#2
Metallica
Posted 27 May 2005 - 04:28 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

In Internet Explorer click Tools - Internet Options - Accessibility - and uncheck "Format documents using my style sheet"

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • info.dat
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0

#3
bartholemeus
Posted 28 May 2005 - 12:50 PM

bartholemeus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi Metallica,

thanks for helping !!!
This is the result of my search for info.dat
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "info.dat" 05/28/2005 20:41:28

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSInfo]
"cabdefaultopen"="*.nfo|hwinfo.dat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSInfo\File Filters\DAT]
@="HWInfo Files (HWINFO.DAT)|*.DAT|"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup\IE.HKLMZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKLMZoneInfo\\IE.HKLMZoneInfo.DAT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo\\IE.HKCUZoneInfo.DAT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup\IEHomePageInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IEHomePageInfo\\IEHomePageInfo.DAT"

[HKEY_LOCAL_MACHINE\Software\MusicMatch\MusicMatch Jukebox\4.0\MMDiag]
"User info file name"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\userinfo.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\inf\\info.dat"

Bartholemeus
  • 0

#4
Metallica
Posted 28 May 2005 - 01:13 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Copy the part in bold below into notepad and save it as ninfo.reg

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"=-

Doubleclick that file and confirm you want to merge it with the registry.

Check the following items in HijackThis. (some may already be gone)
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe

O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://justload.com/...load/server.exe

O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213...hm::/update.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.ne...0.chm::/win.exe

O19 - User stylesheet: C:\WINDOWS\inf\info.dat

Reboot into safe mode and delete:
C:\WINDOWS\inf\info.dat
C:\WINDOWS\winlogon.exe

Be sure you know how to VIEW HIDDEN FILES because the Windows\inf folder is hidden by default.

Regards,
  • 0

#5
Kat
Posted 26 August 2005 - 12:49 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP