Can't...... eliminate redirect, nor sleep.
Hello everyone!!
I've been up for xx hours. Now it's time for the pros.
Here is a brief description of my problem, +stats:
XP pro SP2
Kasp personal 5.0.527, (current) 4/29
AdAware free (current)
SpyBot S&D (current)
My boss's computer that I f**k'd up??
office type router unknown protection/firewall?
Administrative rights=YES
==============
Last night I was bombarded with many uninvited webpages, and then IE locked up. Turned off 'puter. Re-booted and ran Kaspersky Personal, and it found many things it did not like:
sysmon.exe
Ijmckb32.exe
VerifierBug.class
peoa.exe
oppb.exe
more??
"could not delete" most of those except at startup..
AA and SBSD come up clean after running them twice.
Checked for Windows updates; one available (BITS). Installed it.
I thought this might be the end but........
...I still have a problem...REDIRECTS:
...the first Google listing when searching for "windows update" came up: windowsupdate.microsoft. com (no space)....and on my system, this was actually thesushibar. com ....not Microsoft, and asked me if I wanted to "change my homepage to...." Sometimes that (googled) Microsoft link will take me to Microsoft, but sometimes somewhere else, and just a few minutes ago, to "mac-..... com"...
Ran all anti programs again with Restore "off", and in Safe-Mode.
Came up clean.
(Restore is still off now)
Downloaded HostsMan.
Turned off DNS client.
At this point HostsMan was showing two entries:
102.54.94.97    rhino.acme.com    source server
38.25.63.10     x.acme.com        x client host
.....both without checkmarks (bottom right of window says "modified").
(at this point, my expertise is running on fumes.)
I didn't know what to do with these entries...instructions are vague at best.
..imported 2 Hosts database files into HostMan.
Tried the internet....still getting REDIRECTS...
the above entries are nowhere to be found, so I re-entered them into the Hosts list (except those numbers above).
I'm just guessing on how this HostsMan works.....
..still getting REDIRECTS....(about every fourth click.)
Now I'm stuck. Don't know what to do.
...And I'm screwed because this happened on my boss's 'puter, while I was surfing, "off-the-clock"..
HELP!!
-=RR=-
btw, redirects usually happen when I try to open a Microsoft or anti virus type page. I'm on a different 'puter here.
Comments
=============
Logfile of HijackThis v1.99.1
Scan saved at 12:31:50 AM, on 5/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146003005891
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146002992361
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Haeono32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
I installed a new/empty Hosts file to (C:\Windows\System32\Drivers\etc).
Now HostMan only lists these two entries:
102.54.94.97    rhino.acme.com    source server
38.25.63.10     x.acme.com        x client host
Now what do I do with them?
If I put a checkmark next to them, that's all; IExplorer still redirects me away from certain sites, for example "Kaspersky" and "Microsoft Update"...etc.
Do I delete them?
-=RR=-
=RR=
not helping.
and asks me to install any removal programs, how do I install them if my problem will not let me get to those sites? I am on a different computer, but frankly, I've used up my last 10 CDs so far to transfer stuff.
latest log:
===========
Logfile of HijackThis v1.99.1
Scan saved at 3:17:16 AM, on 5/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146003005891
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146002992361
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Haeono32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
What's this?
(I ask myself)
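As an added example (not code from this thread or from HijackThis itself), a small Python triage that reads the O2/O3/O21 lines of a HijackThis log like the ones posted above and flags the entries a responder would look at first: the BHO registered with "(no name)" that points at winbrume.dll, and the O21 SSODL entry whose Haeono32.dll is reported missing. It also diffs the two logs to show that the Google Toolbar lines disappeared between them while both suspicious entries persisted. The sample lines are copied from the logs on this page; the flagging rules are my own heuristics, not HijackThis's logic.

```python
import re
from dataclasses import dataclass, field

# Entry lines copied from the two HijackThis logs posted above (only the
# O2/O3/O21 lines; the functions below accept a complete log just the same).
LOG_1231AM = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Haeono32.dll (file missing)
"""
LOG_0317AM = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Haeono32.dll (file missing)
"""

# Shape of the COM-object lines: "Oxx - Kind: Name - {CLSID} - Path".
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>\w+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

@dataclass
class Finding:
    section: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)

def parse_entries(log_text):
    """Return the O2/O3/O21 entries of a HijackThis log as dicts of named fields."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(log_text):
    """Flag entries worth a second look, using only what the log line itself says (heuristics)."""
    findings = []
    for e in parse_entries(log_text):
        reasons = []
        if e["name"] == "(no name)":
            reasons.append("COM object registered without a display name")
        if e["path"].endswith("(file missing)"):
            reasons.append("registered DLL is absent from disk (leftover or hidden loader)")
        if e["section"] == "O21":
            reasons.append("SSODL shell-load entry; few legitimate ones exist, verify the CLSID")
        if reasons:
            clean_path = e["path"].replace(" (file missing)", "")
            findings.append(Finding(e["section"], e["clsid"], clean_path, reasons))
    return findings

def diff_logs(before, after):
    """Entries keyed by CLSID: what a 'fix' removed, and what survived it."""
    b = {e["clsid"]: e for e in parse_entries(before)}
    a = {e["clsid"]: e for e in parse_entries(after)}
    removed = sorted(b[c]["path"] for c in b.keys() - a.keys())
    persisted = sorted(a[c]["path"] for c in a.keys() & b.keys())
    return removed, persisted
```

Run against the two logs it reports winbrume.dll and Haeono32.dll both times, while the only entries that went away between the logs are the Google Toolbar ones.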
============
Ok, so .........oh, there it is...
===
ewido anti-malware - Scan report
+ Created on: 5:58:26 AM, 5/1/2006
+ Report-Checksum: FFC5686A
+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\winbrume.dll -> Adware.BHO : Cleaned with backup
:mozilla.8:D:\CAD HD CDRIVE\Documents and Settings\DS\Application Data\Mozilla\Profiles\Maya\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.11:D:\CAD HD CDRIVE\Documents and Settings\DS\Application Data\Mozilla\Profiles\Maya\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:D:\CAD HD CDRIVE\Documents and Settings\DS\Application Data\Mozilla\Profiles\Maya\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.13:D:\CAD HD CDRIVE\Documents and Settings\DS\Application Data\Mozilla\Profiles\Maya\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.14:D:\CAD HD CDRIVE\Documents and Settings\DS\Application Data\Mozilla\Profiles\Maya\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.9:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.12:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.13:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.14:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.18:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.19:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.24:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.25:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.28:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.32:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.33:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.35:D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Application Data\Mozilla\Profiles\default\p4qx9mlv.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@www.dates.com.18345.fb.dbbsrv[1].txt -> TrackingCookie.Dbbsrv : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@www.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4apc5aaqaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4cjd5cgoqidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkownd5wkogqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4ggazedoq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlochdzwlpa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygjc5eaqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Cookies\guest@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyqpdpcloqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\CAD HD CDRIVE\Documents and Settings\Guest.DS-2XX0QO2PQN55\Local Settings\Temporary Internet Files\Content.IE5\CR336KDL\TBPS[1].cab/TBPS.exe -> Adware.WebSearch : Error during cleaning
D:\CAD HD CDRIVE\Program Files\ClockSync\Uninst.exe -> Adware.SaveNow : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\DM\bin\dmserver.exe -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\Platform\Bin\comutil.dll -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\Platform\Bin\csband.dll -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\Platform\Bin\csbho.dll -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\Platform\Bin\cscore.dll -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\Platform\Bin\csutil.dll -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\Comet Systems\Platform\Bin\fileutil.dll -> Adware.Comet : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\KoolBar\koolbar.dll -> Adware.Shopper : Cleaned with backup
D:\CAD HD CDRIVE\Program Files\LimeShop\LimeShop.exe -> Adware.TopMoxie : Cleaned with backup
::Report End
I am grateful for this forum, though; it was of help. I just pretended I was someone else, and followed those instructions.
I hope these items are gone for good.