TechSpot

Problem with adult pages hijacking webpages

By swam
Jul 17, 2005
  1. hi,

    I have a problem when loading a few different websites. The page loads about 60% then either an adult or gambling site takes over. I have followed the routine listed on this site, which was posted here : http://www.techspot.com/vb/topic17297.html but I am still having the problem.
    I have attached my Hijackthis log so hopefully someone can spot what's causing the problem, please either post a reply here or e-mail me : sam@tesselate.me.uk

    I am running windows xp and service pack 1

    thanks

    Sam
     


  2. zephead

    zephead TechSpot Paladin Posts: 2,483

    you've got malicious software on your computer, thus causing your problems. i recommend you use ad-aware SE personal edition (it's free from www.lavasoft.com) to clean it up. this isn't your only option of course, but it's a valid course of action.
     
  3. swam

    swam TS Rookie Topic Starter

    hi


    I have run all the software recommended on this site which are all up to date and the problem is still there.

    Here is the latest Hijackthis :

    cheers

    Sam
     


  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    winampa.exe
    MsgPlus.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\Program Files\Winamp\winampa.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121631443625
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
     
  5. swam

    swam TS Rookie Topic Starter

    thanks

    hi,

    thanks for that, I'll give that a go when I get back from work. Just another thing along the same line.

    I have the same problem with that browser hijack on 2 pcs and a laptop (which is connected wirelessly), so yesterday when I was running through all the information on this site, and something I did half killed it and now it just loads a blank page (previously it loaded either an adult gallery or a casino site), but I had only made changes on my pc.

    I started up the laptop last night and connected to the same page which has the hijack problem and it also loaded a blank page, which is odd as I hadn’t made any changes on the laptop at all. Is it somehow spreading across the network?

    cheers

    Sam
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Could well be if you also go on the other PCs in the network. Outlook (and/or O Express) could also have emailed the others.
    Disable the network on each PC until you sorted the problems, then turn back on when all are clean.

    And some of those porno-sites could also disappear overnight, but 'about: blank' normally points to a hijack of sorts.
     
  7. swam

    swam TS Rookie Topic Starter

    hi,

    the page it loads isn't about:blank, it's an IP address for a webpage.

    cheers

    Sam
     
  8. swam

    swam TS Rookie Topic Starter

    hi


    hi,

    I went through the instructions you posted previously, and it's back again but this time it loads the page completely, it's not blank anymore, it's always some kind of porn gallery. Attached is the latest HJT log.

    cheers

    Sam
     
  9. Press2Esc

    Press2Esc TS Rookie

    Your logfile looks ok... go to http://housecall.trendmicro.com and run the virus and spyware check. Many people I have sent there have had success. Let us know.

    P2E

     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You missed this one, (not important though):
    O23 - Service: Gear Security ..... (file missing)

    The only other one I can think of is this:
    C:\Program Files\iTunes\iTunesHelper.exe
    Someone else reported it as infected on his PC.

    Boot in Safe Mode.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    iTunesHelper.exe

    Next, RENAME:
    C:\Program Files\iTunes\iTunesHelper.exe
    into
    C:\Program Files\iTunes\iTunesHelper.old

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    Reboot and see if it's gone. If OK, put System Restore back on if you like.
    You can delete the bold C:\Program Files\iTunes\iTunesHelper.old
    Fingers crossed!
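
The log lines quoted in the two clean-up posts above follow HijackThis's `CODE - details` layout. The following Python is an added example, not part of any post in this thread and not HijackThis's own code: it parses such lines and lists the entries worth a second look before ticking them. The function names `parse_line` and `review`, the section descriptions and the bare-IP check are assumptions made for illustration, and the last sample line is constructed.

```python
import re

# HijackThis section codes that appear in this thread, with their general meaning.
SECTIONS = {
    "R0": "Internet Explorer page/search setting",
    "R1": "Internet Explorer page/search setting",
    "O4": "autostart entry (Run key or Startup folder)",
    "O16": "downloaded ActiveX control",
    "O23": "Windows service",
}
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_line(line):
    """Split one log line into section code, host, file path and review notes."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # blank lines, headers and bare file paths carry no code
    code, body = m.groups()
    entry = {"code": code, "kind": SECTIONS.get(code, "other"), "notes": []}
    host = URL_HOST_RE.search(body)
    path = PATH_RE.search(body)
    entry["host"] = host.group(1).lower() if host else None
    entry["path"] = path.group(0) if path else None
    if "(file missing)" in body:
        entry["notes"].append("target file missing (orphaned entry)")
    if entry["host"] and IPV4_RE.match(entry["host"]):
        entry["notes"].append("URL uses a bare IP address")
    return entry

def review(log_text):
    """Return the parsed entries that carry at least one review note."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["notes"]]

# All lines but the last are quoted from the thread; the last is constructed
# (192.0.2.10 is a documentation address) to exercise the bare-IP check.
SAMPLE = r"""
C:\Program Files\Winamp\winampa.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://192.0.2.10/index.html
"""

if __name__ == "__main__":
    for e in review(SAMPLE):
        print(e["code"], e["kind"], e["path"] or e["host"], e["notes"])
```
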
     
  11. Abraxas

    Abraxas TS Rookie Posts: 205

    Does Hijackthis fix such entries as ituneshelper in the way that it deinstalls the software? Or just throwing out the process?
    It came with Quicktime, very bad design to just put it there in front of Quicktime and you won't even know it's a separate download...
     
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Good reminder, I nearly installed it when I got my Quicktime from Apple. They DO tell you though on their website, if I remember correctly.

    HJT does not UNinstall anything, just removes the registry entries for a process.
    Don't know if iTunesHelper has its own uninstaller routine.
     
  13. Abraxas

    Abraxas TS Rookie Posts: 205

    Yes, it has.
     
Topic Status:
Not open for further replies.

