63.219.181.7 help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gandhixmas, Dec 9, 2004.

  1. gandhixmas

    gandhixmas Private E-2

    I've got problems with this, can anyone here give some help?

    thanks
    gandhi.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I have problems too, can you help me? ;)

    Seriously, what problems are you having? The DNS goes back to BeyondTheNetwork, which is one of our file servers.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Gandhi,

    I assume you are referring to this baddie: O15 - Trusted Zone: http://*.63.219.181.7

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    This will remove a lot of stuff that would otherwise clog a HJT log and make things easier when we go after the Trusted Zone Hijacker.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will take a look when they get a chance.

    Best luck :)
    PP
     
  4. gandhixmas

    gandhixmas Private E-2

    Thanks for responding. I'm getting pop-ups, and whatever this thing is, it is hijacking my favorites. The pop-ups are about playing poker with naked ladies and how I need spyware removal and such. In my favorites it is leaving things like viagra, phentermine, work at home. I've been reading posts and it sounds like others are having similar problems.
     

    Attached Files:

  5. PhilliePhan

    PhilliePhan Guest

    BEFORE you do anything else, you MUST Extract HijackThis from the ZIP File to its own safe folder ---> C:\Program Files\HijackThis

    Then, please download this tool: REM.ZIP

    Please do this and then attach a fresh HJT Log. It's 2:30AM my time, so I have to check back tomorrow.

    PP :)
     
  6. gandhixmas

    gandhixmas Private E-2

    OK, HijackThis is extracted into its own folder. I have downloaded REM.ZIP. Here is a new HJT log. Thank you for taking the time to help with this amazingly annoying problem!

    gandhi
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We prefer that HJT be properly located as Phillie suggested in c:\Program Files\HJT
    Not in: C:\Documents and Settings\Justin\My Documents\hijack this\hijackthis\HijackThis.exe
    HijackThis is a program. Not a document and not a setting. It should be located where it can be properly run from any login and where it can safely save backups.


    Now extract the two files from the REM.Zip file PP had you download. The files are rem.bat and zip.exe. You must extract them to the C:\Windows\System32 folder.

    NOW:
    Boot into Safe Mode and double click the rem.bat file to run it.

    Then, while still in Safe Mode, scan with HijackThis and save the log.

    Next, Reboot to Normal Windows, scan with HJT again and save that log.

    Please attach those logs. Label them Safe & Normal.

    THEN:
    Look in Local Disk C: and find log.txt. Open it and copy and paste the contents into your post.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, these three processes should be ended using Task Manager:
    rdshost32.exe
    pxhping.exe
    mqbckup.exe

    And the lines below should also be fixed with HJT:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    Boot in safe mode and delete:
    C:\WINDOWS\system32\rdshost32.exe
    C:\WINDOWS\system32\pxhping.exe
    C:\WINDOWS\system32\mqbckup.exe
     
  9. gandhixmas

    gandhixmas Private E-2

    Thank you. Thank You. Thank You.

    You Guys are rock-n-roll.

    I did what you said, and my problems are gone. You are the force of light in this horribly cynical universe of high tech.

    Thank You. PP and clang.

    I'm not posting the follow-up logs because everything seems to work great. No more "favorite" hijacks, no more lame pop-ups, etc.

    I will post them if it will help you out, or if you think I'm too confident in the results of your fix.


    but in any event....

    Thank you. Thank you. Thank you. I'm in eternal debt and look forward to learning more about PCs.

    gandhi
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy we could help! Post a final HJT log just as a precaution.
     
  11. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    I do agree with Clang, though. A new HJT log would be a good idea as REM.Zip flushes out some baddies along with the fix.

    PP
     
  12. gandhixmas

    gandhixmas Private E-2

    Sorry it took so long to get this to you. Here is my log.txt:

    Microsoft Windows XP [Version 5.1.2600]
    C:\WINDOWS\SYSTEM32
    "Files found"
    ---------------------------------------------------------------------
    clfmon.exe
    dllhostxp.exe
    winsrv32.dll
    d3dxov.dll
    msacmx.dll
    hdr.dll

    Zipping files............
    ---------------------------------------------------------

    deleting files........
    ---------------------------------------------------------

    "Files Not Deleted"
    ---------------------------------------------------------------------

    Checking for version 2 files..........
    Files Found
    ------------------------------------------------------------

    Zipping files............
    ---------------------------------------------------------

    deleting files........
    ---------------------------------------------------------

    Files Not deleted
    ------------------------------------------------------------

    Merging registry entries
    -----------------------------------------------------------------
    The Registry Entries Found...
    -----------------------------------------------------------------

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
    "service.exe"=""
    "msacmx.dll"=""
    "d3dxov.dll"=""
    "winsrv32.dll"=""
    "ie4unit.exe"=""
    "ipxroutex.exe"=""
    "rdshost32.exe"=""
    "rshe.exe"=""
    "net2.exe"=""
    "mqsvch.exe"=""
    "dllhostxp.exe"=""
    "extrac16.exe"=""
    "mqbckup.exe"=""
    "pxhping.exe"=""
    "rdpnr.exe"=""
    "slservc.exe"=""
    "clfmon.exe"=""
    "hdr.dll"=""

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]
    "ie4unit.exe"=""
    "ipxroutex.exe"=""
    "service.exe"=""
    "rdshost32.exe"=""
    "rshe.exe"=""
    "net2.exe"=""
    "mqsvch.exe"=""
    "dllhostxp.exe"=""
    "extrac16.exe"=""
    "mqbckup.exe"=""
    "pxhping.exe"=""
    "rdpnr.exe"=""
    "slservc.exe"=""
    "clfmon.exe"=""

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
    "{98DBBF16-CA43-4c33-BE80-99E6694468A4}"=""
    "{A5366673-E8CA-11D3-9CD9-0090271D075B}"=""
    "Files"=""
    "Ms4Hd"=""
    "Processes"=""
    "RegKeys"=""
    "RegValues"=""
    "Vendor"=""

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]
    "clfmon.exe"=""
    "dllhostxp.exe"=""
    "pxhping.exe"=""
    "service.exe"=""

    -----------------------------------------------------------------

    Done
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi Gandhixmas,

    Please post a fresh HijackThis Log. Sometimes remnants are left from the REM.Zip process. Note that there is a new version of HijackThis and you should use it in the future, but also keep v1.98.0.2 on hand because this particular baddie that you removed crashes the new version.

    PP :)
     
  14. gandhixmas

    gandhixmas Private E-2

    OK, here is an attachment of a new HijackThis log in Normal Mode. I am having a hard time figuring out how to cut and paste the contents into this reply box. Again, I'm an amateur at this for sure.

    Anyway, everything is working well as far as I know, except that my Windows Media Player literally "flies off" the screen when it is maximized. I think I noticed this happening after I downloaded Windows Security Pack 2, but I really do not know. Is this a spyware issue? What happens is I open Windows Media Player and it opens itself in a domain beyond the reach of the monitor. As I click on the WMP icon on the toolbar, it shows the player fly off the screen toward the upper right-hand corner, off into nowhere land.
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Looks like you got everything associated with the Trusted Zone Hijacker. You could clean these remainders:

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) -
    O16 - DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} (Macromedia Flash Factory Object) -

    Regarding WMP, I don't know off the top of my head. Perhaps post a thread in Software Forum?

    Sorry, rushed - Dinner is burning! :rolleyes:

    PP :)
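The lines chaslang listed for fixing in post 8 and the remainders PP listed just above share a handful of recognisable shapes: a Trusted Zone entry naming a bare IP, IE search settings pointed at a redirect or blanked out, O16 downloads with no source URL or a local file:// source, and a BHO with no backing file. The following triage script is an added example for this thread, not a MajorGeeks or HijackThis tool; the sample log is constructed from lines quoted in the thread plus one benign R0 line.

```python
import re

# Added example for this thread, not a MajorGeeks or HijackThis tool: a triage
# pass over HijackThis log lines that flags the entry patterns the helpers above
# told the poster to fix. Sample log constructed from lines quoted in the thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_entry(line):
    """Split an HJT line into (type code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None

def triage(line):
    """Reasons an entry looks like hijacker residue; [] if nothing matched."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    reasons = []
    if kind == "O15" and IPV4_RE.search(body):
        reasons.append("Trusted Zone grants trust to a bare IP address")
    if kind == "R1" and body.endswith("= about:blank"):
        reasons.append("IE search/start setting reset to about:blank")
    if kind == "R1" and "%s" in body and "microsoft.com" not in body.lower():
        reasons.append("IE search URL redirected to a third-party site")
    if kind == "O16" and "file://" in body.lower():
        reasons.append("DPF ActiveX entry installed from a local file")
    if kind == "O16" and body.endswith("-"):
        reasons.append("DPF ActiveX entry with no source URL (broken remnant)")
    if kind == "O2" and body.endswith("(no file)"):
        reasons.append("BHO registered with no backing file (orphan CLSID)")
    return reasons

def triage_log(text):
    """Return [(line, reasons)] for every flagged entry in the log."""
    rows = ((ln.strip(), triage(ln)) for ln in text.splitlines())
    return [(ln, why) for ln, why in rows if why]
```

Running `triage_log(SAMPLE_HJT_LOG)` flags six of the seven entries and leaves the Microsoft start page alone; the rules are deliberately narrow so that a flag means "look at this", not "delete this".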
     
  16. gandhixmas

    gandhixmas Private E-2

    Thanks again PP, you have been invaluable.

    gandhi
     
  17. PhilliePhan

    PhilliePhan Guest

    You're welcome :) Hope the Software thread proves fruitful!

    PP
     
