Problem with adult pages hijacking webpages

Status
Not open for further replies.
hi,

I have a problem when loading a few different websites. The page loads about 60% then either an adult or gambling site takes over. I have followed the routine listed on this site, which was posted here : https://www.techspot.com/vb/topic17297.html but I am still having the problem.
I have attached my Hijackthis log so hopefully someone can spot what's causing the problem, please either post a reply here or e-mail me : sam@tesselate.me.uk

I am running Windows XP and Service Pack 1

thanks

Sam
 

Attachments

  • sam_hijack.txt
    8.5 KB · Views: 9
you've got malicious software on your computer, thus causing your problems. i recommend you use Ad-Aware SE Personal Edition (it's free from www.lavasoft.com) to clean it up. this isn't your only option of course, but it's a valid course of action.
 
hi

zephead said:
you've got malicious software on your computer, thus causing your problems. I recommend you use Ad-Aware SE Personal Edition (it's free from www.lavasoft.com) to clean it up. this isn't your only option of course, but it's a valid course of action.


I have run all the software recommended on this site, which is all up to date, and the problem is still there.

Here is the latest Hijackthis :

cheers

Sam
 

Attachments

  • hijackthis_newscan.txt
    7.9 KB · Views: 5
Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

winampa.exe
MsgPlus.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\Messenger Plus! 2\MsgPlus.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\Winamp\winampa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121631443625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
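
An added example (not part of the thread and not HijackThis code): a small Python parser for entry lines like the ones listed in the post above. It lists which program files stay on disk after the registry entry is fixed, which entries already point at a missing file, and which hosts the URL entries reference. It assumes the `code - detail` layout seen there and handles only the O4 registry Run and O23 service forms shown on this page; the function names are illustrative.

```python
import re
from urllib.parse import urlparse

# Sample input: entries taken from the log lines listed in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
"""

LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <detail>"
RUN = re.compile(r'^[^:]+: \[([^\]]+)\] "?([^"]+)"?$')   # O4 registry Run value
SERVICE = re.compile(r"^Service: .+? \(([^)]+)\) - .+? - (.+?)( \(file missing\))?$")
URL = re.compile(r"https?://\S+")

def parse(log):
    """Split a HijackThis log into entries; non-entry lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank lines
        code, body = m.groups()
        url = URL.search(body)
        entry = {"code": code, "body": body, "name": None, "path": None,
                 "host": urlparse(url.group()).hostname if url else None,
                 "missing": body.endswith("(file missing)")}
        pattern = {"O4": RUN, "O23": SERVICE}.get(code)
        hit = pattern.match(body) if pattern else None
        if hit:  # entry that names a program started automatically
            entry["name"], entry["path"] = hit.group(1), hit.group(2)
        entries.append(entry)
    return entries

def triage(entries):
    """What to review before ticking boxes: files on disk, dead entries, URLs."""
    return {
        "files_on_disk": sorted(e["path"] for e in entries if e["path"] and not e["missing"]),
        "orphaned": [e["name"] or e["body"] for e in entries if e["missing"]],
        "hosts": sorted({e["host"] for e in entries if e["host"]}),
    }

if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE)).items():
        print(key, value)
```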
 
thanks

hi,

thanks for that, I'll give that a go when I get back from work. Just another thing along the same line.

I have the same problem with that browser hijack on 2 pcs and a laptop (which is connected wirelessly), so yesterday when I was running through all the information on this site, and something I did half killed it and now it just loads a blank page (previously it loaded either an adult gallery or a casino site), but I had only made changes on my pc.

I started up the laptop last night and connected to the same page which has the hijack problem and it also loaded a blank page, which is odd as I hadn’t made any changes on the laptop at all. Is it somehow spreading across the network?

cheers

Sam
 
Could well be if you also go on the other PCs in the network. Outlook (and/or Outlook Express) could also have emailed the others.
Disable the network on each PC until you have sorted the problems, then turn it back on when all are clean.

And some of those porno-sites could also disappear overnight, but 'about:blank' normally points to a hijack of sorts.
 
hi

realblackstuff said:
Could well be if you also go on the other PCs in the network. Outlook (and/or Outlook Express) could also have emailed the others.
Disable the network on each PC until you have sorted the problems, then turn it back on when all are clean.

And some of those porno-sites could also disappear overnight, but 'about:blank' normally points to a hijack of sorts.


hi,

I went through the instructions you posted previously, and it's back again but this time it loads the page completely, it's not blank anymore, it's always some kind of porn gallery. Attached is the latest HJT log.

cheers

Sam
 
Your logfile looks ok... go to http://housecall.trendmicro.com and run the virus and spyware check. Many people I have sent there have had success. Let us know.

P2E

swam said:
hi,

I have a problem when loading a few different websites. The page loads about 60% then either an adult or gambling site takes over. I have followed the routine listed on this site, which was posted here : https://www.techspot.com/vb/topic17297.html but I am still having the problem.
I have attached my Hijackthis log so hopefully someone can spot what's causing the problem, please either post a reply here or e-mail me : sam@tesselate.me.uk

I am running Windows XP and Service Pack 1

thanks

Sam
 
You missed this one, (not important though):
O23 - Service: Gear Security ..... (file missing)

The only other one I can think of is this:
C:\Program Files\iTunes\iTunesHelper.exe
Someone else reported it as infected on his PC.

Boot in Safe Mode.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

iTunesHelper.exe

Next, RENAME:
C:\Program Files\iTunes\iTunesHelper.exe
into
C:\Program Files\iTunes\iTunesHelper.old

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\gearsec.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

Reboot and see if it's gone. If OK, put System Restore back on if you like.
You can delete the bold C:\Program Files\iTunes\iTunesHelper.old
Fingers crossed!
 
Does Hijackthis fix such entries as ituneshelper in the way that it deinstalls the software? Or just throwing out the process?
It came with Quicktime, very bad design to just put it there in front of Quicktime and you won't even know it's a separate download...
 
Good reminder, I nearly installed it when I got my Quicktime from Apple. They DO tell you though on their website, if I remember correctly.

HJT does not UNinstall anything, just removes the registry entries for a process.
Don't know if iTunesHelper has its own uninstaller routine.
 