-
hijacked and screwed!!!
o someone please help!! was hijacked by ewebsearch (very nasty, more on this later) and now my computer is very sick!
problems:
IE>tools>internet options: no access, the following message pops up: "restriction: this operation has been cancelled due to restriction on this computer. contact system administrator."
start>settings>control panel>internet options: the ability to reset home page is grayed out.
my computer>system info>internet: my IP address is not there anymore.
try to download ANY software proggies for trojan/spyware/hijack detectors and i'm not allowed, error 403,
have run: NAV 2003,
Ad-Aware,
SpyBot, nothing found.
all are updated and current.
ZA Pro found nothing,
Did remove 3 offending lines in reg, HKLU.
Reset IE via Add/Remove.
Tried to sign up @ SpyWareInfo forum and cannot get a response, they say within ten minutes, has been 45 minutes.
something weird going on here, and i'm at my wits end!!
-
You cannot d/l Hijack this? http://www.tomcoyote.org/hjt/
Not aware of any signup problems......you can post at SWI as a guest...without signing up..if you're unable....http://www.spywareinfo.com/forums/index.php?s=
------>Spyware and Hijackware Removal Support
-
negative, cannot dl, error 403.
-
How bout this? Didn't work:mad:
-
once again, nope, error 403.....what the !@#@$ is going on here? seem to be locked out of dl'ing.....no validation from SpyWareInfo yet....so very strange!!
-
i just saw you over there .....you were listed on the bottom of the page as being there...as a member../being validated. No email yet? Post as a guest.....
If your email is working...& want to/PM me here at VDR..& let me know where to send it..I will send you Hijack This.
-
just in case you need any instructions.....To start the scan, click the Scan button on the left. After the scan, the Scan button has a new caption: Save Log. Click the Save Log button to create a file named Hijackthis.log. A dialog box will pop up. Use it to select the location where you will save the log. Close the program. Open the log in Notepad. Highlight the entire contents. Copy and paste the contents of the HijackThis log into your post.
-
have you used the immunize functions in Spybot? go to the "Immunize" section. Is "Lock IE Start Page Settings" ticked?
If so, uncheck it. clear the "Lock .." boxes
-
Logfile of HijackThis v1.96.0
Scan saved at 13:03:08, on 8/3/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\EVIDENCE ELIMINATOR\EE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRAM FILES\EVIDENCE ELIMINATOR\ee.exe /m
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...593.7216666667
there, that worked....i think i see the probs...06...???..yes ? no?
-
Close all other browser windows.....put a check in the box next to:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Click "Fix Checked"
Smile....& dance the funky chicken on your front porch (optional)
..reboot
Is this by choice: ? C:\PROGRAM FILES\EVIDENCE ELIMINATOR
-
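Added example, not part of any post in this thread and not HijackThis's own logic: a small triage script that reads a HijackThis log and picks out the kinds of lines selected for "Fix Checked" above (R0/R1 browser settings that are blank or point at an unexpected host, R3, and the O6 policy locks). The sample is a constructed subset of the posted log; EXPECTED_HOSTS and the flagging rules are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Assumption: hosts the owner actually chose for IE start/search pages.
EXPECTED_HOSTS = {"www.msn.com"}

# A log entry is "<section code> - <rest>", e.g. "O6 - HKCU\...".
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")


def triage(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return (code, body, reason) for each entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process path, or blank line
        code, body = m["code"], m["body"]
        reason = None
        if code in ("R0", "R1"):
            # Value is everything after the first "=" in the entry.
            value = body.partition("=")[2].strip()
            host = urlparse(value).hostname  # None for "" and about:blank
            if value == "":
                reason = "browser setting has been blanked"
            elif host and host not in expected_hosts:
                reason = f"browser setting points at unexpected host {host}"
        elif code == "R3":
            reason = "URLSearchHook entry reported by HijackThis"
        elif code == "O6":
            reason = "policy key restricting Internet Options"
        if reason:
            findings.append((code, body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```
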
-
Evidence Eliminator ? :eek:
Wouldn't give that piece of s**t to my worst enemy .
I'd visit a Chinese warez site with no firewall, no antivirus, low security settings and all active x settings set to ok before I would load that ... program...
:D