1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HiJackThis - It's happened again!

Discussion in 'Virus & Other Malware Removal' started by jahmom2, Oct 10, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. jahmom2

    jahmom2 Thread Starter

    Joined:
    Jun 26, 2003
    Messages:
    45
    HELP! I've been hijacked! I think it's Xupiter again, here is my log:

    Logfile of HijackThis v1.97.3
    Scan saved at 6:33:58 PM, on 10/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\lxamsp32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\program files\qttask.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    D:\Program Files\LexmarkX63\ACMonitor_X63.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jackie\Local Settings\Temporary Internet Files\Content.IE5\SV6N21U5\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youravon.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("aim.internal.buddy.MaxBuddies", 200);
    user_pref("aim.internal.intproxyprotocol", 1);
    user_pref("aim.session.finishedwizard", true);
    user_pref("aim.session.firsttime", false);
    user_pref("aim.session.latestaimscreenname", "jahealy12");
    user_pref("aim.session.migrateBuddyList", "nobody");
    user_pref("aim.session.screenname", "jahealy12");
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://ar.atwola.com/html/93061020/937415284/aol?SNM=HIDBFV&width=120&height=60&target=_top&TZ=360&CT=I");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("intl.charsetmenu.browser.cache", "UTF-8
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("aim.internal.buddy.MaxBuddies", 200);
    user_pref("aim.internal.intproxyprotocol", 1);
    user_pref("aim.session.finishedwizard", true);
    user_pref("aim.session.firsttime", false);
    user_pref("aim.session.latestaimscreenname", "jahealy12");
    user_pref("aim.session.migrateBuddyList", "nobody");
    user_pref("aim.session.screenname", "jahealy12");
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://ar.atwola.com/html/93061020/937415284/aol?SNM=HIDBFV&width=120&height=60&target=_top&TZ=360&CT=I");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("intl.charsetmenu.browser.cache", "UTF-8
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [STWZADGK] C:\WINDOWS\STWZADGK.exe
    O4 - HKLM\..\Run: [BEILO] C:\WINDOWS\BEILO.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
    O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: RemindU (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {637BB540-6ABA-11D4-901D-00D0090CB3BC} (FMClass Class) - http://www.flashants.com/codebase/fmplayer.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc.webresponse.microsoft.com/media/XP/TLIEFlash.CAB
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37628.4609259259
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {BE19A2A5-ABDD-4E3E-9230-0A414EB1E9FD} (PictureItLauncher Class) - http://photos8.msn.com/resources/neutral/controls/DigWebX.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E55219FE-FD56-4F34-86BC-A173977D7CF2}: NameServer = 206.141.192.60 206.141.193.55
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
  3. jahmom2

    jahmom2 Thread Starter

    Joined:
    Jun 26, 2003
    Messages:
    45
    Thanks, but I already ran Spybot before printing out this log.

    Jackie
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    in that case run download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.
     
  5. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi Jackie, between Spybot and AdAware the worst of Xupiter should be taken care of. Do run AdAware per Derek's suggestion.

    Based on your current log, these are the items that can be removed with Hijack This:


    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)


    O3 - Toolbar: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)


    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

    O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe


    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...19105/flash.cab


    .....if you don't recognize the following as your ISP's IP address, you can have HJT fix this too:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E55219FE-FD56-4F34-86BC-A173977D7CF2}: NameServer = 206.141.192.60 206.141.193.55


    To have HJT fix those itmes, close your browser, check the items in HJT, click Fix.

    Reboot.

    Then delete this file:

    C:\Program Files\Orbit\view.exe


    Also, there's two entries here that I'm not sure about:

    O4 - HKLM\..\Run: [STWZADGK] C:\WINDOWS\STWZADGK.exe
    O4 - HKLM\..\Run: [BEILO] C:\WINDOWS\BEILO.exe

    They look suspicious but I'm not sure. Maybe Derek would know.

    :)
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    I can't fdind anything about
    O4 - HKLM\..\Run: [STWZADGK] C:\WINDOWS\STWZADGK.exe
    But it looks viral so


    upload the file to
    http://www.kaspersky.com/remoteviruschk.html to check what it says,

    if it says it's a virus
    then
    Run an online antivirus check from at least one of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    I can find only one site that alledges that this is spyware so it's your choice to fix it, You might have downloaded it yourself and know what it is, if not then fix it as well with HJT
    O4 - HKLM\..\Run: [BEILO] C:\WINDOWS\BEILO.exe
     
  7. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Derek....thanks. (y)
     
  8. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Evening all,

    Jahmom2, who's your internet service provider? You seem to have a few AIM entries which would suggest AOL, and indeed from your last thread here it looks correct, but the 017 entry points to Yahoo's DSL (SBCGlobal.net) which also gets a fair mention here.

    You don't say what problems you are having, but perhaps they are being caused by the two ISPs running simulaneously.

    Let's see what Derek or Buckaroo have to say first though, 'cos I'm only having a stab at it.. :)

    Cheers

    Liam
     
  9. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi Liam

    I'm not sure what the 017 entry is. I put the IP address here:

    http://ws.arin.net/cgi-bin/whois.pl

    ...and came up with "Ameritech Electronic Commerce". How'd you get Yahoo DSL? Am I doing something wrong here?

    Thanks

    :)
     
  10. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi Buckaroo,

    I use Sam Spade to resolve DNSs in 017 entries...

    http://www.samspade.org/t/dns?

    Just C/P the DNS into the space provided and click. This brings up the resolved DNS, in this case SBCGlobal.net. Click that for a host:D of choices on where to go with the info, or as I do just Google for the site or pages that contain references to that site and see what you come up with.

    In this case, you can see the entries that pertain to SBC and Yahoo DSL here...

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl


    and

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl


    Hope that helps..

    I'm going out in a minute but I'll be back later (or my body will be anyway, my mind could be curled up asleep in a pint glass) :D:D

    Cheers

    Liam
     
  11. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Thanks Liam.....I'll have to check that out. If I have any problems or questions, I'll PM you, okay?

    :)
     
  12. jahmom2

    jahmom2 Thread Starter

    Joined:
    Jun 26, 2003
    Messages:
    45
    Thanks for your suggestions...I am going to try all that you have suggested. I use SBC Yahoo DSL (through Ameritech) but I also have AOL, which I am going to cancel, and I use AIM as well. I don't think the two of them running together is the problem though, I've had both for a while. I am getting a lot of unwanted pop-ups and when I run Spybot, this Xupiter keeps showing up so I have a feeling I got that again. I will let you all know what happens after following the suggestions you've given me so far.

    Thanks for all your help, Jackie
     
  13. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Good luck Jackie....thanks for getting back and explaining the SBC and Ameritech connection.

    (y)
     
  14. jahmom2

    jahmom2 Thread Starter

    Joined:
    Jun 26, 2003
    Messages:
    45
    The AdAware came up with quite a few files to delete - mainly Orbit files! I did the scan, did the fix and then did HiJack This again and all but two files were already removed (the Orbit files). So I ran Spybot again as well and got rid of those, rebooted and checked and they are gone. Between Spybot and AdAware, it removed STWZADGK.exe and BIELO. Thank you for all of your help, I really appreciate it. I will be back to let you know if I have the same problems again. I love this site, I can always count on you guys for the proper fixes, and I've recommended this site to our Head of Tech at school. THANKS SO MUCH!! Jackie
     
  15. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Good deal, glad to see they're on top of their toes!

    (y)
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - HiJackThis happened again
  1. hfrei
    Replies:
    1
    Views:
    372
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/171075

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice