Local Host still goes to vv6.s13.topx.cc

mtrox Minnesota
edited October 2004 in Spyware & Virus Removal
Guys, newbie here. Great site. Sorry if you all know this one....I did do a search. I'm on a client's computer that used to have Kazaa. I'd rebuild the thing but it's an HP with the hidden partition and no XP disks unless you wrestle it out of them (that alone is reason to tell people to avoid HPs in my book).

I downloaded AboutBuster and went through all the steps. Not sure if I've got it licked. Time will tell.

However, when I plug the local host into the address bar of I Expl (127.0.0.1) I still go to Search For.... crap. The hosts file is fine. Anyone know how to get the loopback fixed so that I don't keep going to vv6.s13.topx.cc? Please don't tell me to use Mozilla. This guy is intimidated enough without that wrinkle.

Thanks for your help.

Comments

  • SpywareShooter 127.0.0.1
    edited October 2004
    Please download HijackThis and post a log.
  • mtrox Minnesota
    edited October 2004
    Please download HijackThis and post a log.

    Pretty uneventful log I'm afraid.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:18:27 PM, on 10/14/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HiJackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5010300926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab



    I've killed everything in HiJack log, run CWShredder (3 times), AboutBuster (6 times now), and am clean of the coolsearch crap. But my loopback address still got me to some dumb "Searching for..." page. 127.0.0.1 got me there every time.

    Finally went into the registry, exported a few Microsoft URL Hook type keys and now when I plug in the loopback address, I get this in the address bar:

    http:///? 127.0.0.1

    And nothing in the IExplorer window.
  • SpywareShooter 127.0.0.1
    edited October 2004
    Please upgrade to HijackThis version 1.98.2 and post a new log.
  • mtrox Minnesota
    edited October 2004
    Shooter, appreciate the attention, did all that and it was abso-frigg'n-lutely identical except for the version number and time of day.

    It has never shown up as a BHO or in any other way in HijackThis. The home page isn't hijacked. I got that solved. Just the loopback address is hijacked. Hosts file is clean.
  • mtrox Minnesota
    edited October 2004
    Call off the dogs Shooter. Here's the fix. I downloaded Adware Away from http://www.adwareaway.com/aboutblank.htm. Just for grins, I imported the registry keys I had exported (after setting a restore point) and my loopback was screwed again. Then I ran the new Adware Away. Worked great. Now I have a normal loopback. Plug in 127.0.0.1 and you get a search page that tries to help you find it....just the way God intended.

    This is the third time I've worked on this guy's computer, and although I knew I had the hijacker out of there, I wasn't going to give it back to him on the off chance he'd get led back to the search page that started it all.

    Thanks for your time. That Adware Away worked great!!
This discussion has been closed.
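
Added example, not part of the thread: a short Python triage of a HijackThis log like the one posted above. It tallies entries by section code and lists which of the sections that cover address-bar and name-resolution redirects have no entries. The section meanings follow HijackThis's standard legend; the function names are hypothetical, and the sample is excerpted from the log in the thread.

```python
import re
from collections import Counter

# HijackThis sections that cover address-bar / name-resolution redirects
# (meanings per the tool's standard section legend).
REDIRECT_SECTIONS = {
    "R0": "IE start/search page, changed value",
    "R1": "IE start/search page, created value",
    "R3": "URLSearchHook",
    "O1": "hosts file redirection",
    "O13": "IE DefaultPrefix hijack",
    "O17": "domain / DNS server hijack",
}

# An entry line looks like "O4 - HKLM\..\Run: [...]"; process paths and
# header lines do not match this shape and are skipped.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+)$")

def parse_entries(log_text):
    """Return (section_code, detail) for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def triage(log_text):
    """Count entries per section and list redirect sections with none."""
    counts = Counter(code for code, _ in parse_entries(log_text))
    missing = [code for code in REDIRECT_SECTIONS if code not in counts]
    return dict(counts), missing

# Excerpt of the log posted in the thread (header, two processes, three entries).
SAMPLE = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP2 (WinNT 5.01.2600)
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
"""

if __name__ == "__main__":
    counts, missing = triage(SAMPLE)
    print("entries per section:", counts)
    for code in missing:
        print(f"no {code} entries ({REDIRECT_SECTIONS[code]})")
```

When every redirect section comes back empty, as with this log, the scan gives no lead on the redirect, and the cause has to be looked for in locations the tool did not report.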