IE6 has been constantly hijacked by ....
 

IE6 has been constantly hijacked ;
this damn site :
http://www.lookfor.cc/index.php?p=37049 , replaces the start page , obliging me to edit the register HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page ;

It has happened almost every night since the 1st time a week ago ;

An updated Spybot search and destroy has scanned the system and some cookies have been cleared up but it has not solved the annoying problem ;

Is there something else I can do to eliminate whatever is in the system ?

I am very very fed up with that bastard www.lookfor...

Thank you so much

RW

Re: IE6 has been constantly hijacked by ....
 

Check this site ,download hijackthis,follw along the left you will find all the help you need,and other programs to help stop spyware
http://mjc1.com/mirror/hjt/

Re: IE6 has been constantly hijacked by ....
 

Hi Ron Wolpa

caperjack if I may butt in and expand on your post....

Please Download hijackthis from

http://www.merijn.org/files/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam

Re: IE6 has been constantly hijacked by ....
 

no problem butt in any time.I was just getting them started till you came along ,I read and read about hijackthis logs and how to decifer them but can't remember what i read ,I think it's that over 50 thing .LOL

Re: IE6 has been constantly hijacked by ....
 

Hi Guys !
Following your advice I downloaded hijackthis , runned and found
a very large list of .exe files and register entries ; basic what this program does is to seek for suspicious entries that autoload when
the op. system starts up ; alright so Hijackthis supposedly found some entries on my register :

1- H_key_currentuser/software/Microsoft/internet/SearchUrl/http...
the url of a porno site ;

2-H_key_currentuser/software/Microsoft/internet/Main/ .....
search and start page , both www.lookfor....

Before to click hijackthis to do anything I opened the register and
have not found such entries in the way it stated it was ;
I had edited minutes before the start page (because it had happened again , start page was changed ) and deleted the entry H_key_currentuser/software/Microsoft/internet/Main/ search
which was pointing to the lookfor , once again ;
This hold me back in relation to hijackthis , I am not confident it´s
realiable , as it found items it was no longer there ;
I thank you anyway for your attetion ;
Ron Wolpa

Re: IE6 has been constantly hijacked by ....
 

Oh, they are still there, all right. They lurk anywhere they can -- the registry, of course, but also in the IE temp-file cache. For severe infestations, read this and follow the instructions: Microsoft's Really Hidden Files. The hijackers know this stuff, you should too.

Re: IE6 has been constantly hijacked by ....
 

Hi Ron Wolpa

If I may point out my earlier post......

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

We can then tell you what to fix

steam

Re: IE6 has been constantly hijacked by ....
 

Not only have I had problems with changing start page but with weird pop up screens coming up with ads of skunk marijuana,
bogus universities degrees , pornography , mp3 songs for free , etc , etc ...
I think for some people it would be funny to open the page of a serious company like Boeing and get a pop up ad of marijuana ;
disgusting ;
Below I paste the log of hijackthis:



Logfile of HijackThis v1.97.7
Scan saved at 02:24:56, on 30/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSINFO.EXE
C:\ARQUIVOS DE PROGRAMAS\MYVITALAGENT8\VITALAGENT\PROGRAM\VTLAGENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARQUIVOS DE PROGRAMAS\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
D:\!DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.theadultgate.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.........../
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Ron Wolpa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://........../
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\RunServices: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\ARQUIVOS DE PROGRAMAS\ICQ\ICQ.EXE -trayboot
O4 - Startup: MyVitalAgent.lnk = C:\Arquivos de programas\myvitalagent8\VitalAgent\Program\VtlAgent.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - D:\Arquivos de programas\getright502\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Arquivos de programas\getright502\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ComVC (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab




I have gotten tired of removing this from register :
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.theadultgate.com/find/

and this one .....
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049

and that one as well....
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049

The most interesting one is :


F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL


I´ve gotten at every boot an error message "svcinit.exe not found on your system" ;

IEFEATSL.DLL is on the program unistall list , it simply appeared from nowhere ;

I am feeling tempted to start the cleaning up but will wait for your advice , ;

How can IE 6 security be so frail ??? (stupid microsoft , so mighty so deceivable )

Cheers
RW

ps: I´ve read Microsoft's Really Hidden Files and found it very interesting despite could not duplicate some on the tutorial ;
I think some paths have changed in the IE6 and Outlook express 6 , perhaps just question to insist a bit more and find the new
paths ;
I tried to send a message to the author suggesting an updated , but received back a daemon failure of an invalid e-mail ;

Re: IE6 has been constantly hijacked by ....
 

Hi Ron

It's no use taking out the obvious without taking out the actual hijacker that is putting it there.....this should sort you out.

Close all browser windows - run hijackthisand tick to fix :-

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.theadultgate.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.........../
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049

F1 - win.ini: run=C:\WINDOWS\svcinit.exe

O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\RunServices: [sysinfo] C:\WINDOWS\sysinfo.exe

O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


REboot then find and delete :-

C:\WINDOWS\svcinit.exe - file
C:\WINDOWS\sysinfo.exe - file

steam

Re: IE6 has been constantly hijacked by ....