Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

http://utruuh.globe-finder.cc/goaway.html [CLOSED]


  • This topic is locked This topic is locked

#1
bartholemeus

bartholemeus

    New Member

  • Member
  • Pip
  • 3 posts
Hi all,
after a long night running Ad-aware, hijackthis, Spybot, cleanup, ... I'm still having this hijacker. I also followed the sugestions in this forum but the result is still the same : my startpage is still : http://utruuh.globe-....cc/goaway.html.
Below is my hijackthis log :
Logfile of HijackThis v1.99.1
Scan saved at 18:50:16, on 05/17/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\REALTEK\RTL8180\RTLWAKE.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTC05.EXE
C:\WINDOWS\SYSTEM\HPZENG05.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: RtlWake.lnk = C:\Program Files\Realtek\Rtl8180\RtlWake.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://justload.com/...load/server.exe
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp01.photopr...vex/XUpload.ocx
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213...hm::/update.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.ne...0.chm::/win.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O19 - User stylesheet: C:\WINDOWS\inf\info.dat

Can somebody help me to get rid of this hijack ?

Bartholemeus
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

In Internet Explorer click Tools - Internet Options - Accessibility - and uncheck "Format documents using my style sheet"

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • info.dat
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0

#3
bartholemeus

bartholemeus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi Metallica,

thanks for helping !!!
This is the result of my search for info.dat
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "info.dat" 05/28/2005 20:41:28

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSInfo]
"cabdefaultopen"="*.nfo|hwinfo.dat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSInfo\File Filters\DAT]
@="HWInfo Files (HWINFO.DAT)|*.DAT|"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup\IE.HKLMZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKLMZoneInfo\\IE.HKLMZoneInfo.DAT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IE.HKCUZoneInfo\\IE.HKCUZoneInfo.DAT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup\IEHomePageInfo]
"BackupFileName"="C:\\Program Files\\Uninstall Information\\IEHomePageInfo\\IEHomePageInfo.DAT"

[HKEY_LOCAL_MACHINE\Software\MusicMatch\MusicMatch Jukebox\4.0\MMDiag]
"User info file name"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\userinfo.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\inf\\info.dat"

Bartholemeus
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Copy the part in bold below into notepad and save it as ninfo.reg

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"=-


Doubleclick that file and confirm you want to merge it with the registry.

Check the following items in HijackThis. (some may already be gone)
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?pcscm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?pcscm (obfuscated)
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe

O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://justload.com/...load/server.exe

O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213...hm::/update.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://cellaphone.ne...0.chm::/win.exe

O19 - User stylesheet: C:\WINDOWS\inf\info.dat

Reboot into safe mode and delete:
C:\WINDOWS\inf\info.dat
C:\WINDOWS\winlogon.exe

Be sure you know how to VIEW HIDDEN FILES because the Windows\inf folder is hidden by default.

Regards,
  • 0

#5
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP