
Registry Altered By Hijacker, Can't Search Google [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by AngieKae, 2005/09/21.

  1. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Joined:
    2004/07/20
    Messages:
    17
    Likes Received:
    0
    Several months ago my browser (IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519) was hijacked by 180Search and lord knows what else. I was able to remove most of it (at least the obvious stuff) but I can no longer search using Google or access my Gmail. Actually, I can't even access anything Google. When I type "http://www.google.com", I get a "This page cannot be displayed" page. Can anyone please help?

    Thanks,
    Angie
     
  2. 2005/09/21
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389

  4. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Pete, thank you for responding and for the info. Sorry I didn't post my OS. I am using XP. There are some other sites I cannot access using my IE, yet I can access them if I go through my Favorites.

    At the risk of sounding like an idiot, I need to post what happened in my registry. I accidentally clicked "Yes" when a pop-up said I "must" install this certain thing. Turns out it was that 180Search thing that takes over your browser. I immediately started getting pop-ups everywhere; my internet connection (DSL Pro) died; my desktop was now a black screen with some kind of virus warning and there were all sorts of unknown processes running. (I took screenshots of some of this and also saved my registry with all the changes the hijacker had made before I tried to get it out.)

    After frantically going to a website about the 180Search problem, I followed the directions there on how to remove it from my registry. It told me to remove many things called "search", and I think I removed one "search" too many. After rebooting, things seemed back to normal, no more black virus warning desktop, no more pop-ups, but my Google toolbar was gone in my browser, even though the add-ons menu said it was still there. I tried enabling it with no luck. I even tried to uninstall it, no luck again. I then reinstalled it, hoping it would set things back to how it was supposed to be, but no.

    Then I noticed in my "Add/Remove Windows Components" that my IE showed it was using 0.0 MB of space. I had never really paid much attention to it before so I didn't know if it was supposed to say that or not, but I didn't think so. I even tried reinstalling IE, but when I do, it says that it detects I have a newer version and it won't finish installing. I can't seem to find one to install that has the same upgrades that mine has.

    I went to the site you suggested. When I did a search for "hosts" like it says to do, I do not find any results.

    Am I beyond help? :eek:

    Angie
     
  5. 2005/09/21
    PeteC

    PeteC SuperGeek Staff

    Angie

    The HOSTS file (no extension) is to be found in ....

    C:\WINDOWS\system32\drivers\etc\HOSTS

    Right click on it > Open and choose Notepad in the list of programs offered. Look for any reference to google.com along the lines of ....

    127.0.0.1 www.google.com

    and post back.
    That is normal - Internet Explorer cannot be (officially) uninstalled from XP.
    Take a look at this MS Knowledge Base article, How to reinstall or repair Internet Explorer and Outlook Express in Windows XP - note that the methods differ for SP1 and SP2.

    In any case I would run System File Checker ....

    Start > Run, type in sfc /scannow (noting the space before the forward slash) and have your XP CD handy. SFC will run and exit without any closing dialog. To see which files, if any, were replaced, look in Event Viewer.

    There is another way of reinstalling IE which may or may not work.

    In Windows Explorer 'Show Hidden Files and Folders' and navigate to ....

    C:\WINDOWS\inf\ie.inf

    Right click on the ie.inf file > Install. You may be asked for the XP CD and, if successful may have to reapply the security updates to IE through Windows Update.

    Keep us posted, please :)
     
  6. 2005/09/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    First thing to try:

    Do you have System Restore enabled?

    If you do, restore back to just before you got the 180Search thing. One caveat with SR is that any MS updates or software installs since the time of that restore point would have to be done again.

    Your hosts file is located here: c:\windows\system32\drivers\etc\hosts and should look like this:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    It opens with Notepad.

    If you can't do the System Restore:

    Download HijackThis from here: http://radiosplace.com/ (latest version 1.99.1)

    Download it to its own folder, for example C:\HijackThis - unzip (double click on the zipped folder) - click on the executable - click the Scan button - click Save Log and save to the folder you just created *DO NOT FIX ANYTHING* - copy the resultant .txt file and paste it into your next post.

    Regards - Charles

    Edit: I see Pete and I were posting at the same time, so follow his instructions first.
     
  7. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Thank you Pete & Charles,

    Pete: I'll paste here what is in my Hosts file:

    213.219.251.78 www.google.com
    213.219.251.78 google.com
    213.219.251.78 www.google.co.uk
    213.219.251.78 google.co.uk
    213.219.251.78 www.google.ca
    213.219.251.78 google.ca
    213.219.251.78 www.google.es
    213.219.251.78 google.es
    213.219.251.78 www.google.de
    213.219.251.78 google.de
    213.219.251.78 www.google.fr
    213.219.251.78 google.fr
    213.219.251.78 www.google.com.au
    213.219.251.78 google.com.au
    213.219.251.79 www.yahoo.com
    213.219.251.79 yahoo.com
    66.218.75.184 mail.yahoo.com
    213.219.251.80 www.msn.com
    213.219.251.80 msn.com
    213.219.251.80 search.msn.com
    213.219.251.80 www.search.msn.com
    213.219.251.80 go.com

    Looking now for my XP CD. My computer is only about 9 months old and I've never used the XP CD. Once I find it, shouldn't take long, I will try the next step(s) you suggested and post back what the result is.

    Angie
     
  8. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    I think I have found the CD(s). My computer is an eMachine and there is a set of 3 CDs that say "Restore CD". Could this be what I'm looking for?

    Angie
     
  9. 2005/09/21
    charlesvar

    charlesvar Inactive Alumni

    Hi Angie,

    No, those are restore "back to factory settings", not an XP CD. I don't know if you can do the procedure that Pete outlined without it.

    Do you have a file called HOSTS.BAK and does it look the same?

    Regards - Charles
     
  10. 2005/09/21
    PeteC

    PeteC SuperGeek Staff

    Agree with Charles - you will be unable to run SFC from the Restore Disks - however see here for an alternative method using the I386 folder which may be already on your hard drive or capable of being copied to your hard drive from the restore CD.

    Your Hosts file looks OK - nothing blocked.

    FYI ....

    213.219.251.78 www.google.com allows Google, but

    127.0.0.1 www.google.com would block it, so I don't see the problem as being in the Hosts file.
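An added editor's example, not code from any post in this thread: a small Python audit of a HOSTS file in the format charlesvar laid out in post #6, run over the entries Angie posted in post #7. Post #10 reads the file in terms of "blocked" versus "allowed"; the check below draws a different line, which is the one a responder needs. A name mapped to 127.0.0.1 or 0.0.0.0 is simply unreachable, while a name mapped to a public address such as 213.219.251.78 sends every request for google.com to whatever host sits at that address, which is the redirect case regardless of what the resulting page looks like. The sample file is constructed (the thread's entries, abridged, plus one blocking entry for contrast); the allow-list holding the mail.yahoo.com line is an assumption, included only because oshwyn5 later says that entry is fine to keep.

```python
import ipaddress

# Constructed sample in the format charlesvar described: the default comment
# header and localhost line, one legitimate blocking entry, and the redirect
# entries Angie posted (abridged). Not the original file from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1 localhost
0.0.0.0 ads.example.net          # constructed: a blocking entry, harmless
213.219.251.78 www.google.com
213.219.251.78 google.com
213.219.251.79 www.yahoo.com
66.218.75.184 mail.yahoo.com     # oshwyn5 says this one is fine to keep
213.219.251.80 search.msn.com
"""

# Mappings the operator has checked and wants kept. Assumption: the
# mail.yahoo.com line is here only because the thread says to keep it.
KEEP = frozenset({("66.218.75.184", "mail.yahoo.com")})


def parse_hosts(text):
    """Yield (ip_address, [names]) for every active mapping line.

    Comments ('#' to end of line) and blank lines are skipped; lines whose
    first field is not an IP address are skipped as malformed.
    """
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield ip, fields[1:]


def classify(ip, name, keep=KEEP):
    """Label one mapping.

    ok       - the localhost line every hosts file has
    kept     - explicitly allow-listed by the operator
    block    - loopback or 0.0.0.0: the name becomes unreachable, nothing else
    local    - a private (LAN) address, usually a deliberate local override
    redirect - a public address: every request for the name goes to that host,
               which is the hijack case
    """
    if name == "localhost":
        return "ok"
    if (str(ip), name) in keep:
        return "kept"
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    if ip.is_private:
        return "local"
    return "redirect"


def audit(text, keep=KEEP):
    """Return [(ip, name, label), ...] for every mapping in the file."""
    return [(str(ip), name, classify(ip, name, keep))
            for ip, names in parse_hosts(text) for name in names]


def clean(text, keep=KEEP):
    """Return the file with redirect lines removed and everything else intact.

    Comments, blank lines, localhost, blocking, LAN and allow-listed lines pass
    through unchanged, so the operator's own customisations survive.
    """
    kept_lines = []
    for raw in text.splitlines():
        mapping = list(parse_hosts(raw))
        if mapping and any(classify(mapping[0][0], n, keep) == "redirect"
                           for n in mapping[0][1]):
            continue
        kept_lines.append(raw)
    return "\n".join(kept_lines) + "\n"


if __name__ == "__main__":
    for ip, name, label in audit(SAMPLE_HOSTS):
        print(f"{label:9} {ip:16} {name}")
    print("--- cleaned file ---")
    print(clean(SAMPLE_HOSTS), end="")
```

clean() only returns text; to apply it, copy the original file aside and then write the result to C:\WINDOWS\system32\drivers\etc\hosts with no extension (Notepad will append .txt unless the name is quoted and the file type is set to All Files).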
     
  11. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Charles: Those are the only cds I found. My pc came installed with XP, so I'm not sure I have an XP cd.

    Angie
     
  12. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Charles: I don't see a hosts.bak file. The only other "hosts" file in the same folder is called "lmhosts" (an 8-bit signed file).

    Pete: See my previous post. What can I do if I don't have the XP CD?

    Angie
     
  13. 2005/09/21
    PeteC

    PeteC SuperGeek Staff

    No, Angie, you won't have a full XP CD in addition to the Restore CDs - that's all most OEM computers like HP come with these days - a mirror image which restores the computer to the state it was delivered to you - and wipes out everything you have put on it.

    Suggest you skip the SFC for now - unless you can follow the URL I just posted above.

    Try the reinstall via the .inf file and post a HijackThis log as posted by Charles.
     
  14. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Pete: I will try to do the step described below that is on the site you posted for me above. If that isn't successful, I will try to reinstall using the .inf file as you suggested.

    "Windows XP and Windows XP SP1: Edit the registry and install Internet Explorer 6
    Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
    When you try to reinstall the same version of Internet Explorer, you may receive the following error message:
    Setup has detected a newer version of Internet Explorer already installed on this system.
    Setup cannot continue.
    To avoid this error message and reinstall the same version of Internet Explorer and Outlook Express, follow these steps:
    1. While you are logged on as an administrator, click Start, and then click Run.
    2. In the Open box, type regedit, and then click OK.
    3. Locate the appropriate registry subkey, right-click the IsInstalled (REG_DWORD) value, and then click Modify.

    To reinstall only the Internet Explorer 6 browser component on Windows XP, use the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
    To reinstall only Outlook Express 6 on Windows XP, use the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
    4. Change the value data from 1 to 0, and then click OK.
    5. Quit Registry Editor, and then install Internet Explorer 6.
    6. To reinstall Windows XP updates, visit the following Microsoft Windows Update Web site:
    http://windowsupdate.microsoft.com/
    By default, Internet Explorer 6 is preinstalled in all versions of Windows XP and cannot be removed. To provide computer manufacturers more flexibility in configuring desktop versions of Windows XP, Microsoft has made it possible for OEMs, administrators, and users to remove user access to Internet Explorer while leaving the Internet Explorer code intact and fully functional to make sure the functionality of programs and operating system functions that rely on it. For example, Windows XP supports an "IEAccess=off" switch in the Unattend.txt file, and Internet Explorer has been added to the Add/Remove Windows Components section of the Add/Remove Programs tool in Control Panel. This does not reinstall Internet Explorer."
    _____________________________________________________
    Charles:

    I will go ahead and run my hijack this program and post the log to you.

    Thanks!
    Angie
     
  15. 2005/09/21
    PeteC

    PeteC SuperGeek Staff

    Angie

    I was actually referring to the URL in post #9 - which I posted as "here".
     
  16. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Okay, just ran hijackthis; here is my log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:47:31 PM, on 9/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Norton SystemWorks 2004\Norton GoBack\GBTray.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Norton SystemWorks 2004\Norton GoBack\GBPoll.exe
    C:\NORTON~1\NORTON~3\GHOSTS~2.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Angie\My Documents\!Program Setups\HijackThis 1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    N2 - Netscape 6: user_pref("browser.startup.homepage", "hotmail.com"); (C:\Documents and Settings\Angie\Application Data\Mozilla\Profiles\default\ce93vw4l.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angie\Application Data\Mozilla\Profiles\default\ce93vw4l.slt\prefs.js)
    O1 - Hosts: 213.219.251.78 www.google.com
    O1 - Hosts: 213.219.251.78 google.com
    O1 - Hosts: 213.219.251.78 www.google.co.uk
    O1 - Hosts: 213.219.251.78 google.co.uk
    O1 - Hosts: 213.219.251.78 www.google.ca
    O1 - Hosts: 213.219.251.78 google.ca
    O1 - Hosts: 213.219.251.78 www.google.es
    O1 - Hosts: 213.219.251.78 google.es
    O1 - Hosts: 213.219.251.78 www.google.de
    O1 - Hosts: 213.219.251.78 google.de
    O1 - Hosts: 213.219.251.78 www.google.fr
    O1 - Hosts: 213.219.251.78 google.fr
    O1 - Hosts: 213.219.251.78 www.google.com.au
    O1 - Hosts: 213.219.251.78 google.com.au
    O1 - Hosts: 213.219.251.79 www.yahoo.com
    O1 - Hosts: 213.219.251.79 yahoo.com
    O1 - Hosts: 66.218.75.184 mail.yahoo.com
    O1 - Hosts: 213.219.251.80 www.msn.com
    O1 - Hosts: 213.219.251.80 msn.com
    O1 - Hosts: 213.219.251.80 search.msn.com
    O1 - Hosts: 213.219.251.80 www.search.msn.com
    O1 - Hosts: 213.219.251.80 go.com
    O2 - BHO: (no name) - {00000000-0000-40EC-8FEC-94F4F97D4B43} - (no file)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Sunkisk2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Norton SystemWorks 2004\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\Free Ram XP Pro\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Norton GoBack.lnk = C:\Norton SystemWorks 2004\Norton GoBack\GBTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: All Media Extractor - {262A4540-A02E-48dc-BA9B-3BDD76A90219} - C:\Program Files\SingularitySoft\All Media Extractor Trial\MediaExtractIE.exe
    O9 - Extra 'Tools' menuitem: All Media Extractor... - {262A4540-A02E-48dc-BA9B-3BDD76A90219} - C:\Program Files\SingularitySoft\All Media Extractor Trial\MediaExtractIE.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106634547640
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123447328671
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: GBPoll - Symantec Corporation - C:\Norton SystemWorks 2004\Norton GoBack\GBPoll.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\NORTON~1\NORTON~3\GHOSTS~2.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

    ___________________________________________________

    Hope something here helps.

    Angie
     
  17. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Pete:

    Sorry, I will look at that URL now.

    Angie
     
  18. 2005/09/21
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Download Hoster. Press "Restore Original Hosts" and press "OK". Exit the program. This will restore the original deleted Hosts file.

    Reboot to safe mode and run hijackthis with all other windows closed and choose scan only.

    Put a check by these (if they remain) and choose fix

    R3 - URLSearchHook: (no name) - - (no file)
    O1 - Hosts: 213.219.251.78 www.google.com
    O1 - Hosts: 213.219.251.78 google.com
    O1 - Hosts: 213.219.251.78 www.google.co.uk
    O1 - Hosts: 213.219.251.78 google.co.uk
    O1 - Hosts: 213.219.251.78 www.google.ca
    O1 - Hosts: 213.219.251.78 google.ca
    O1 - Hosts: 213.219.251.78 www.google.es
    O1 - Hosts: 213.219.251.78 google.es
    O1 - Hosts: 213.219.251.78 www.google.de
    O1 - Hosts: 213.219.251.78 google.de
    O1 - Hosts: 213.219.251.78 www.google.fr
    O1 - Hosts: 213.219.251.78 google.fr
    O1 - Hosts: 213.219.251.78 www.google.com.au
    O1 - Hosts: 213.219.251.78 google.com.au
    O1 - Hosts: 213.219.251.79 www.yahoo.com
    O1 - Hosts: 213.219.251.79 yahoo.com

    O1 - Hosts: 213.219.251.80 www.msn.com
    O1 - Hosts: 213.219.251.80 msn.com
    O1 - Hosts: 213.219.251.80 search.msn.com
    O1 - Hosts: 213.219.251.80 www.search.msn.com
    O1 - Hosts: 213.219.251.80 go.com


    (Note: O1 - Hosts: 66.218.75.184 mail.yahoo.com is okay; you may need to put this back in your hosts file for your Yahoo POP mail to work if Hoster removes it. Locate the hosts file (the one with no extension, not hosts.sam), select Open With > Notepad, edit it and add 66.218.75.184 mail.yahoo.com, then Save As "hosts" with the quotes and "All Files" as the file type.)

    O2 - BHO: (no name) - {00000000-0000-40EC-8FEC-94F4F97D4B43} - (no file)
    O2 - BHO: (no name) - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
    O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -


    Reboot and clear system restore points and goback points since they are almost certainly infected.


    You do have several unnecessary, redundant and conflicting things running. Do you want advice on turning them off?
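An added editor's example, not part of oshwyn5's post and not code from the HijackThis tool: the triage rules a responder applies when reading a HijackThis 1.99.1 log, written as Python over a constructed excerpt of the log Angie posted in post #16 (one or two lines per section, so each rule fires once and a benign line of the same shape sits beside it). The rules reproduce the fix list above: O1 entries whose address is anything other than loopback or 0.0.0.0, R3/O2/O3 entries registered with "(no file)" behind them, and an O16 control with no source URL. It also reports the O23 service whose binary is "(file missing)", which the post above does not list; treat that as a lower-priority item to check rather than something the thread said to fix. The mail.yahoo.com allow-list entry is an assumption taken from the note in the post above.

```python
import ipaddress
import re

# Constructed excerpt of the HijackThis log from post #16, trimmed so that
# every rule below fires at least once next to a benign line of the same
# section. Not the full log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: (no name) - {00000000-0000-40EC-8FEC-94F4F97D4B43} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
"""

# Hosts mappings the operator has decided to keep. Assumption: only the
# mail.yahoo.com line, because the post above says that one is fine.
KEEP_HOSTS = frozenset({("66.218.75.184", "mail.yahoo.com")})

# Every HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def triage_line(line, keep_hosts=KEEP_HOSTS):
    """Return a reason string if the entry belongs on the fix list, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body").rstrip()

    if section == "O1":
        # "Hosts: <ip> <name>": loopback/0.0.0.0 only blocks the name; any
        # public address means requests for the name are being redirected.
        fields = body.split()
        if len(fields) < 3:
            return "hosts line malformed"
        ip, name = fields[1], fields[2]
        if (ip, name) in keep_hosts:
            return None
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return "hosts line malformed"
        if addr.is_loopback or addr.is_unspecified:
            return None
        return "hosts file redirects the name to a foreign address"

    if section in ("R3", "O2", "O3") and body.endswith("(no file)"):
        # A BHO, toolbar or search hook whose CLSID is still registered but
        # whose DLL is gone: leftover of a removal, and a re-infection foothold.
        return "orphaned browser extension registration"

    if section == "O16" and body.endswith(" -"):
        # Downloaded ActiveX control with no recorded source URL.
        return "ActiveX control with no source URL"

    if section == "O23" and body.endswith("(file missing)"):
        return "service registered for a binary that no longer exists"

    return None


def triage_log(text, keep_hosts=KEEP_HOSTS):
    """Return [(entry, reason), ...] in log order for the entries to fix."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line, keep_hosts)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

The output is a candidate list, not a verdict: an "(no file)" BHO is safe to remove because nothing is loaded from it, but an O4 or O23 entry that points at a real binary needs the binary identified before anything is fixed, which is why the rules above do not touch those sections.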
     
  19. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Thank you Pete #2

    Pete #1: I tried what they suggested at the URL you gave me here, but I can't do it because I don't have my XP CD. Even using the "workaround" I still have to have the CD.

    Pete #2: I have downloaded "hoster" and will try it now. Yes, I would like advice on turning off those processes that are running that dont need to be.

    Thanks again to everyone!
    Angie
     
  20. 2005/09/21
    AngieKae

    AngieKae Inactive Thread Starter

    Pete #2: After running Hoster and doing as you said, I rebooted my computer and tried to load up in safe mode, but I do not know how. I've always used "Escape" to boot into safe mode but this didn't work. (Maybe it's different with XP?) Nevertheless, out of curiosity I opened my browser and typed "google.com" and voilà! It went there! And I was able to search! And I was able to access my Gmail! WHATTA DEAL! If I still need to run HijackThis in safe mode and do the rest of what you suggested, I will, but you'll have to tell me how to get into safe mode.

    Thank you! Thank you! Thank you ALL! :D

    Angie
     
  21. 2005/09/22
    oshwyn5

    oshwyn5 Inactive

