
Thread: Being Redirected at Hotmail

  1. #21
    Guys I can't get into hotmail at all. Anyone have any idea what's happening and what I can do about it?

  2. Software & Hardware   -   #22
    Poster
    Join Date
    Mar 2003
    Posts
    365
    You have a hijacker that uses a hidden file which does not show up in hijackthis.
    Symantec has a tool to remove it.

    Download and run the Backdoor.Agent.B Removal Tool
    Notice that the instructions say to disconnect from the internet when running the tool.
    Also shut down your anti-virus program as it may interfere with the fix.



    After the removal tool is done, get rid of the line: O9 - Extra button: Your PC is infected with Spyware.

    Copy the contents of the quote box to Notepad.

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]
    "Exec"="https://www.spydeleter.com/order2.php?KBID=1004"

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]

    Save it to the desktop as regpatch.reg (save as all file types).

    Double click the icon, and answer yes when asked if you want to merge this registry file.

    Reboot, rescan with Hijack this, and post a fresh log.

  3. Software & Hardware   -   #23
    I did everything you suggested Jg427. Still can't get into hotmail. I log in and it immediately goes to the page not found or rather I should say goes to the "The page cannot be displayed" page. Here is the new hijackthis log. Any ideas? Thanks everyone.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:42:22 PM, on 10/19/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MightyFax\MFNTCTL.EXE
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\SD\Desktop\Programs\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [knxnsl] C:\WINDOWS\whamhks.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\MightyFax\MFNTCTL.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
    O18 - Filter: text/html - {46CE9356-7075-4D9E-855C-2AA2F1DB0429} - C:\WINDOWS\System32\bogc.dll
    O18 - Filter: text/plain - {46CE9356-7075-4D9E-855C-2AA2F1DB0429} - C:\WINDOWS\System32\bogc.dll
    Last edited by coldnorth; 10-20-2004 at 01:36 AM.

  4. Software & Hardware   -   #24
    Something I forgot to mention the backdoor agent B removal tool did not find anything.

  5. Software & Hardware   -   #25
    Poster
    Join Date
    Mar 2003
    Posts
    365
    We still have some clean up to do.

    Some files and folders may be hidden; change these settings to show them:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files" and uncheck "Hide extensions for known file types", then click "Apply to all folders".
    Click "Apply" then "OK"

    Copy the contents of the Quote Box to Notepad.

    Name the file as fix.reg
    Save as Type: All Files
    Save on the desktop

    Wait until after hijackthis fix to merge


    REGEDIT4

    [-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

    [-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

    [-HKEY_CLASSES_ROOT\CLSID\{46CE9356-7075-4D9E-855C-2AA2F1DB0429}]

    Scan with hijackthis and place a checkmark at the following:

    O4 - HKLM\..\Run: [knxnsl] C:\WINDOWS\whamhks.exe

    O18 - Filter: text/html - {46CE9356-7075-4D9E-855C-2AA2F1DB0429} - C:\WINDOWS\System32\bogc.dll
    O18 - Filter: text/plain - {46CE9356-7075-4D9E-855C-2AA2F1DB0429} - C:\WINDOWS\System32\bogc.dll

    Close all browsers and open windows, click "fix checked".


    Reboot to safemode
    Restart the computer; as soon as the BIOS has finished loading, begin tapping the F8 key.
    Continue to do so until the Windows Advanced Options menu appears.
    Using the arrow keys, scroll to and select Safemode, then press Enter.

    Delete the following files marked in bold
    Note that they may be missing, already removed by a previous scan.

    C:\WINDOWS\whamhks.exe
    C:\WINDOWS\System32\bogc.dll

    Double click the fix.reg file you saved to the desktop.
    Allow it to merge to the registry.

    Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr.
    Let it scan your system for files to remove.
    Make sure these 3 are checked and then press *ok* to remove:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    Reboot to normal mode

    Scan with hijackthis and post a fresh log.

  6. Software & Hardware   -   #26
    OK, give me a few minutes and I'll try it.

  7. Software & Hardware   -   #27
    Think I'm gonna have to wait till tomorrow to try it. It's late and I'm just too tired. Thanks for everyone's help. I'll be sure to let you know how it turned out tomorrow.

  8. Software & Hardware   -   #28
    Well I made the latest corrections that were suggested and still cannot get on hotmail. Anyone have any ideas about what might have happened? Here's the hijackthis log since I made last corrections.

    Logfile of HijackThis v1.98.2
    Scan saved at 4:48:18 PM, on 10/20/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MightyFax\MFNTCTL.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\123 Free Solitaire\123FreeSolitaire.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\SD\Desktop\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\MightyFax\MFNTCTL.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5547D333-7EDB-44EF-B3F4-A1748348505A}: NameServer = 207.40.103.4 207.40.103.5
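
A way to confirm what changed between the two HijackThis scans posted above, as an added example that is not part of the original thread. The function names are made up for this illustration, and the embedded logs are short excerpts of the 10/19 and 10/20 scans with most unchanged lines left out.

```python
import re
# HijackThis entry lines start with a section code such as R0, O4 or O18.
ENTRY = re.compile(r"^\s*((?:R|F|N|O)\d+) - (.+?)\s*$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries; header and process list are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def _order(entries):
    # Sort by section letter, then section number (so O4 precedes O18), then text.
    return sorted(entries, key=lambda e: (e[0][0], int(e[0][1:]), e[1]))

def diff_logs(before_text, after_text):
    """Entries that disappeared, and entries that appeared, between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return _order(before - after), _order(after - before)

def still_present(after_text, fixed_lines):
    """Entries that were checked for fixing but still show up in the later scan."""
    return _order(parse_entries(after_text) & parse_entries("\n".join(fixed_lines)))

# Excerpts from the two logs in this thread (not the full logs).
LOG_1019 = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [knxnsl] C:\WINDOWS\whamhks.exe
O18 - Filter: text/html - {46CE9356-7075-4D9E-855C-2AA2F1DB0429} - C:\WINDOWS\System32\bogc.dll
O18 - Filter: text/plain - {46CE9356-7075-4D9E-855C-2AA2F1DB0429} - C:\WINDOWS\System32\bogc.dll
"""
LOG_1020 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{5547D333-7EDB-44EF-B3F4-A1748348505A}: NameServer = 207.40.103.4 207.40.103.5
"""
# The three entries post #25 asked to have checked in HijackThis.
FIXED = [l for l in LOG_1019.splitlines() if "whamhks.exe" in l or "bogc.dll" in l]

if __name__ == "__main__":
    removed, added = diff_logs(LOG_1019, LOG_1020)
    print("removed:", removed, "\nadded:", added)
    print("still present:", still_present(LOG_1020, FIXED))
```

On these excerpts the diff reports the knxnsl Run value and both O18 filters as gone, and one O17 NameServer line that was not in the earlier scan.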

  9. Software & Hardware   -   #29
    Poster
    Join Date
    Mar 2003
    Posts
    365
    Hi coldnorth, I do not see any remaining malware on your system.
    Sorry this has not helped your hotmail problem, but at this time it does not appear to be spyware related.

    Still, you might try a scan with Adaware SE.
    Download the latest version of Ad-Aware SE from here.
    Close all open browsers and windows.
    Open Ad-Aware and from the main screen Click on "Check for Updates Now".
    Click on the "Scan Now" button on the left.
    Under "Select Scan Mode", select "Perform full system scan".
    Click on "Next" in the bottom right corner to start the scan.
    Run the Ad-Aware scan and allow it to remove everything it finds.

    I did run a google search and page after page came back without a clear answer to your problem.

    I suggest trying a different browser to access hotmail.
    http://www.mozilla.org/products/firefox/

    I must add that until you install critical updates for xp and IE, you will continue to have problems with malware attacking your system.
    Updating may even help your hotmail problems.

    Consider installing the following free programs to help protect your system.


    SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

    SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!

    IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.

    Blocking Unwanted Parasites with a Hosts File
    http://www.mvps.org/winhelp2002/hosts.htm

  10. Software & Hardware   -   #30
    Thanks Jg427. I have tried both spybot and adaware. I suspect that I may be having a browser problem. I may try to re-install it a little later. One more question if I could. When I re-install this, since I am just re-writing the same browser over and not upgrading will I lose all my bookmarked sites? Thanks everyone who offered help. This really is the best place on the net when you have a computer problem.
