embryonic geek can't download 'hijack this' software

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by guytrepka, Dec 13, 2003.

  1. guytrepka

    guytrepka Private E-2

    Hi, I'm trying to get rid of a hijacked homepage and 'hijack this' software was recommended. But my computer will not download the free download. It just sits on 'downloading' for hours (I've tried leaving it for 6). I have tried several different times.
    If you can help please do!
    Guy
     
  2. Draith

    Draith Private E-2

    And if Ad-aware doesn't get it, Spybot S&D will definitely zap it. Sometimes I like to run both of these programs - as someone on this board pointed out a while back that one zaps the spyware the other doesn't find.
     
  3. Marjorie

    Marjorie Private E-2

    Hijackthis just recently changed its site. Is that an issue?

    Current Hijackthis Homepage:

    http://www.merijn.org/
     
  4. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Good catch, Marjorie! I hadn't noticed that. It only happened a few days ago.

    This one is still live and good for HJT and info, though:
    HJThis!
     
  5. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Just tried all 3 links on the main page, all OK, and the homepage link is aimed at the same one you posted, Marjorie, or his spywareinfo URL, so all seems OK.

    Yes xflat, that is always a downside to giving advice out; sometimes you just never know what or whose advice fixed a particular problem, so the next time it comes around we all start from the beginning again until someone says YES, that fixed my problem.

    Our geeky friend guytrepka is in China at present and his/her online time will be different to ours.


    If you don't manage to download this program let me know and I will either email it to you or put it on an FTP for you to download.
     
  6. guytrepka

    guytrepka Private E-2

    reply to my heroic friends

    Thanks for your advice. I'm still working through all your suggestions. I now have Ad-aware and Spybot loaded. So far they both find two 'somethings' and I delete them, but on restarting my
    computer, my Internet Explorer page is still hijacked - I'm embarrassed to say - with a pornography website.
    I am using Windows 98.
    I'll keep working through and keep you posted. Thanks for your help.
    The bright side is my geek-ability is improving.
    Guy.
     
  7. augiedoggie

    augiedoggie The Canadian Loon - LocoAugie (R.I.P. 2012)

    Hey guytrepka, you really have to get HiJack This. Get it off a friend or something, and run it. Some programs are neutering the standard Ad-awares, S&D, Norton etc.
     
  8. Marjorie

    Marjorie Private E-2

    You may also want to download and install CWShredder. It can clean and repair some things that Spybot and Ad-aware don't get. CWShredder can be downloaded from the same site I posted earlier for Hijackthis.
     
  9. Marjorie

    Marjorie Private E-2

    Guy,

    This won't help your problem of downloading Hijackthis but could stop you getting the pornography site coming up when you restart your computer.

    It sounds like the spyware that got loaded into your computer that takes you to a pornography site has got into your Startup. If you know how to check which programs are in your Startup list, check them over for any programs that shouldn't be there.

    If you don't know how to find which programs are in your Startup list do the following: click on Start button, then click on Run and when the box comes up type in msconfig. After typing in msconfig, click OK. After the OK has been clicked, a screen will come up that's called System Configuration Utility. Across the top of the System Configuration Utility screen, you will see a number of tabs. Click on Startup. After you have clicked on Startup, a screen will come up showing you all the programs that are starting up when you restart your computer. Beside each program you will see a box with a check mark in it.

    I suspect the spyware that is causing the pornography site to load on your computer is in that list. Go over the list in the Startup and if you can identify the spyware program which is causing the pornography problem, uncheck the box beside that program. After unchecking the box, click Apply, then click OK. Your computer will need to be restarted for the changes to take effect. After you have restarted your computer a box will probably come up saying something like "you are starting up in selective start up mode". Just click the OK button.

    If you are unsure which program in the Startup list should be unchecked, post the programs that are in your startup list here, and I'm sure somebody will help you.

    This isn't a solution to the problem but only a suggested fix until you get Hijackthis downloaded and installed and a proper repair can be made.
     
  10. guytrepka

    guytrepka Private E-2

    my ongoing headache

    Thanks to all for your help. I still cannot load Hijack - have tried from all suggested avenues.
    Marjorie, I could not see how to save and post my start up list other than writing it all down. I also could not see any obvious 'virus'. I've got to go to work now - teaching oral English to aspiring teachers.
    GUY
     
  11. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Yo, Guy,

    Use the PM button to give me your e-mail address by Private Message, and I'll send you Hijack This! as a zipped attachment.

    (I'll have to zip it. I can't send an exe file as an attachment.)

    Where are you in China? I have lived and taught in both Lanzhou (at Lanzhou U) and Beijing (at Beijing U and the Beijing Linguistics Institute).
     
  12. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    You have a PM message, Guy, with a link to my FTP with the file in a self-extracting archive (no need for an external zipping utility to be installed, as I don't think Win98 has one AFAIK), so just download and double click and pick a folder to save it in, and then you just run the HiJackThis .exe inside the folder.
     
  13. Wisewiz

    Wisewiz Apprentice's Sorcerer

    OK, here's Guy's HJT log, just in from China. I haven't actually had time to examine it yet. I'm sure he'll be monitoring the forum, so replies can be posted here, not sent to me. Now that he HAS HJT, if we need to get an update, we can ask him to post it directly to the forum.
    ***********
    Logfile of HijackThis v1.97.7
    Scan saved at 4:07:34 PM, on 12/18/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.00 (5.00.2314.1000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SISTRAY.EXE
    C:\WINDOWS\SYSTEM\KHOOKER.EXE
    C:\PROGRAM FILES\IVASION\WINPOET\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\HPZTSB07.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    A:\HIJACKTHIS.EXE
    A:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://au.rd.yahoo.com/slv/ycheck/as/*http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
    O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWS\FONTS\Verdana.vbs
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Chat 1.3 - http://cs5.chat.sc5.yahoo.com/c174/chat.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  14. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Only things that hit me in that are the

    SISTRAY.EXE and KHOOKER.EXE entries,

    and I don't think I've seen the O14 entry before, but it looks harmless, and I'd slap the hell out of all that REAL player garbage and tell it to sit down and shaddup, but that can't be the problem of course, and otherwise, ...

    Somebody wanta get in here, please? The man's been hijacked, and we want to help him out.
     
  15. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Ummm, Guy's having trouble with the PM System (PMS, yeah!) just now. I have asked AbbySue to check into it. Meanwhile, he has my e-mail addy, so I'll forward the copy to you when I get it.

    Guy, send me a copy of that file as an attachment, pls. It'll stick out in the Fonts folder, cuz it Should be the only VBS file in there.

    Anybody else in here on this HJT file? Please? Some fresh eyes might see sthg robo and I have missed.
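    As an added example (my own code, not anything posted in this thread), here is a small parser for the O4 autorun lines in the format of Guy's HJT log above, with a check for the kind of entry Wisewiz singled out: a script like Verdana.vbs being launched at startup out of the Fonts folder. The sample lines are a constructed excerpt copied from that log; the TEMP and RECYCLED directory rules are my own assumption, not something the thread states.

```python
import re

# Constructed sample: a few O4 lines copied from the log posted above, plus one
# non-O4 line, to exercise the parser. Not the full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadFont2] C:\WINDOWS\FONTS\Verdana.vbs
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.au/
"""

# Shape of an O4 registry line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First path ending in an executable or script extension, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?P<ext>exe|com|vbs|js|bat|scr|pif|dll))"?(?=\s|,|$)', re.I)

SCRIPT_EXTS = {"vbs", "js", "bat", "scr", "pif"}
# Directories an autorun program should not live in. FONTS comes from the thread
# (a .vbs there "sticks out"); TEMP and RECYCLED are my own assumption.
ODD_DIRS = ("\\FONTS\\", "\\TEMP\\", "\\RECYCLED\\")

def parse_o4(log_text):
    """Return one dict per O4 registry autorun entry found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # R0/R1, O2, O16 and other sections are out of scope here
        e = m.groupdict()
        x = EXE_RE.match(e["cmd"])
        e["path"] = x.group("path") if x else e["cmd"]
        e["ext"] = x.group("ext").lower() if x else ""
        entries.append(e)
    return entries

def review_o4(log_text):
    """Map value name -> list of reasons the entry deserves a closer look."""
    findings = {}
    for e in parse_o4(log_text):
        reasons = []
        if e["ext"] in SCRIPT_EXTS:
            reasons.append("script file launched at logon")
        if any(d in e["path"].upper() for d in ODD_DIRS):
            reasons.append("program kept in an unusual directory")
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

    Run against the sample, only the LoadFont2 entry is flagged; the SiS and Real Player entries the thread argued about are left for a human, since the log alone cannot say whether they are legitimate.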
     
  16. Wisewiz

    Wisewiz Apprentice's Sorcerer

    No problem. I'm in touch with him by e-mail, anyway.

    Now all I need to do is get somebody else to help robo and me with the checking of Guy's HJT log.

    Heeeeelp, people.
     
  17. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    KHOOKER.EXE

    is a SIS G/FX app which is not really needed, similar to the Nvidia Driver Helper, so delete it as it shouldn't interfere with normal PC use.



    SISTRAY

    could be either a SIS driver helper again or part of this nasty http://securityresponse.symantec.com/avcenter/venc/data/trojan.prova.html

    I would look at the registry keys at the page above to see if similar is evident.



    other than that only the real player stuff stands out and you can get Real Alternative which uses WMP to play Real Media and is less intrusive imo!

    Link to Real Alternative Via Philipp @ NT compat



    Wisewiz cheers for sorting GUY out with HJT :)
     
  18. Wisewiz

    Wisewiz Apprentice's Sorcerer

    OK, then, with thanks to robo and Halo, I guess we'll put this one to bed for now.

    I've sent Guy a tiny startup manager that'll let him temporarily kill the sistray, khooker, and verdana.vbs operators, and if that helps with his problem, we'll get him to use HJT to kill those things one by one.

    Thanks to all who read this all and DIDN'T have any ideas. When a lot of people have come up blank, you can feel good about making a decision on the basis of just a few eddikated gesses.
     
  19. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Do you know what I forgot to ask? What was the name of the homepage that hijacked you?


    I know this thread started out as an "I cannot download HJT" but strangely I forgot to ask the simple question above!
     
  20. Wisewiz

    Wisewiz Apprentice's Sorcerer

    He said it was a porn site ... somewhere up there. I didn't find anything that was OBVIOUSLY a porn site in the HJT data, so I went hunting for other stuff.
     
  21. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Ah yes... just noticed that on re-read


    Some of those sites tend to leave either dialers or exe's in the Windows folder.... Hopefully Ad-Aware, Spybot and HJT have removed the offending hijack; if not, please let us know, Guy.
     
  22. guytrepka

    guytrepka Private E-2

    EMBRYONIC GEEK - but moving on from larvae stage

    Thanks for all your help. By unchecking the suggested start-ups I no longer have a hijacked homepage ...whoopeeee
    I will now try to find them and delete them using hjk.
    Thank you all for your time.
    GUY
     
  23. Jabman

    Jabman Private First Class

    Well....... I'm a bit late on this, but your problem was the hijacker freexxplace.

    Regards,
    Jade.
     
    Last edited: Dec 19, 2003
  24. Wisewiz

    Wisewiz Apprentice's Sorcerer

    It's a done deed

    Nice catch and nice link, Jab. Wish you'd been here earlier, but robo spotted the culprit anyway, and I gave the lad the tools he needed to get rid of the curse.

    Kinda fun working with the crew here to solve a problem halfway 'round the world, in Northwest China.

    Merry whatever you celebrate! Christmas doesn't actually HAPPEN in China. The Chinese sure know about the Western celebration, though, and darn near EVERY Chinese knows one English-language song by heart (even if he/she doesn't know another WORD of English):

    JINGLE BELLS
     
  25. Jabman

    Jabman Private First Class

    Merry x-mas to you too Wise-a-wokky :p :D.

    Best regards,
    Jade.
     
