Blocking an IP

Discussion in 'Computers and The Internet' started by Power_13, Jul 10, 2005.

  1. Power_13

    Power_13 insult ninja

    Messages:
    3,240
    Likes Received:
    3
    Heya,

    I seem to have a browser hijack problem. Whenever I go to certain sites, if I don't press "stop" before it finishes loading, it redirects me to some porn site. Annoying, inconvenient...and I really don't want something like that to happen while my dad's using the internet :p

    I notice from the status bar that, after the page has loaded, my PC is contacted by (or my PC contacts) an IP address, which I assume is how the redirect takes place. Is there any way I can block this IP from being contacted through Firefox, or some firewall software?
     
  2. Power_13

    Power_13 insult ninja

    Messages:
    3,240
    Likes Received:
    3
    Sorry, never mind. I used the "help" function in Sygate Personal Firewall to find out how to do it :)
     
  3. Trotsky311

    Trotsky311 Supporters HipForums Supporter

    Messages:
    749
    Likes Received:
    2
    or you could do a spyware sweep, and actually fix the problem...

    google for Spybot
     
  4. Power_13

    Power_13 insult ninja

    Messages:
    3,240
    Likes Received:
    3
    I have Spybot, and Ad-Aware. I also do regular scans with Avast! Antivirus. None of these have helped, so at least this is a temporary solution while I find the cause of the problem.
     
  5. Trotsky311

    Trotsky311 Supporters HipForums Supporter

    Messages:
    749
    Likes Received:
    2
    Is it the newest version of Spybot (1.4) and the newest of Ad-Aware (1.06se)?

    you could try posting a hijack this log, or what sites you're trying to get to
     
  6. Power_13

    Power_13 insult ninja

    Messages:
    3,240
    Likes Received:
    3
    Yeah, I have the most recent versions of both. I try to update them every time I scan, so it should find whatever's there.

    I'm kind of wary about modifying the registry...it'll be fine, it only happens on one site I visit (okCupid, for my sins :p). Thanks for the help though :)
     
  7. Trotsky311

    Trotsky311 Supporters HipForums Supporter

    Messages:
    749
    Likes Received:
    2
    gotta love the okcupid.

    it doesn't redirect me to any boobies though.

    still, you could post a hijack this log, and we could take a look.
     
  8. Power_13

    Power_13 insult ninja

    Messages:
    3,240
    Likes Received:
    3
    Maybe I shouldn't be complaining about it redirecting me to boobs...;)

    Anyway, here's a HijackThis log...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:02:02, on 12/07/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Michael\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
    R3 - URLSearchHook: (no name) - {ADE7520B-DE02-8C37-8AF8-221810129024} - cnftips.dll (file missing)
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [MSTCPDLL] progmen.exe
    O4 - HKLM\..\Run: [PrcIdle] trycrt.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKCU\..\Run: [TemplateDongle] ftbar.exe
    O4 - HKCU\..\Run: [forces_elite] SetupExeDll.exe
    O4 - HKCU\..\Run: [SpyElim] media64.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
    O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\lgtpvtxv.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB4A83C-492E-4EBB-9099-2F3DAF9B3A0E}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C651649-1B2A-4F2A-AEE0-843622EBB6BB}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{383C8163-3A0B-4ABE-AD99-AD2CD3993B15}: NameServer = 69.50.188.180 195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E246BDD-9990-4387-8BDE-3B958D8DD97A}: NameServer = 69.50.188.180,195.225.176.31
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O21 - SSODL: replr - {F7D472F5-FE42-4FDF-BE54-F595E6B868DC} - C:\WINDOWS\System32\inetapi.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Thanks :)
     
  9. underplay

    underplay Member

    Messages:
    736
    Likes Received:
    1
    lgtpvtxv.exe is not good; your comp looks bloated but kinda clean.
     
  10. Trotsky311

    Trotsky311 Supporters HipForums Supporter

    Messages:
    749
    Likes Received:
    2
    first, i think you have this:
    http://www.doxdesk.com/parasite/WareOut.html

    and the following entries come off as shifty.

    R3 - URLSearchHook: (no name) - {ADE7520B-DE02-8C37-8AF8-221810129024} - cnftips.dll (file missing

    R3 - URLSearchHook: (no name) - {ADE7520B-DE02-8C37-8AF8-221810129024} - cnftips.dll (file missing)

    O4 - HKLM\..\Run: [MSTCPDLL] progmen.exe

    O4 - HKLM\..\Run: [PrcIdle] trycrt.exe

    O4 - HKCU\..\Run: [TemplateDongle] ftbar.exe

    O4 - HKCU\..\Run: [forces_elite] SetupExeDll.exe

    O4 - HKCU\..\Run: [SpyElim] media64.exe

    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -

    O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB4A83C-492E-4EBB-9099-2F3DAF9B3A0E}: NameServer = 69.50.188.180,195.225.176.31

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C651649-1B2A-4F2A-AEE0-843622EBB6BB}: NameServer = 69.50.188.180,195.225.176.31

    O17 - HKLM\System\CCS\Services\Tcpip\..\{383C8163-3A0B-4ABE-AD99-AD2CD3993B15}: NameServer = 69.50.188.180 195.225.176.31

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E246BDD-9990-4387-8BDE-3B958D8DD97A}: NameServer = 69.50.188.180,195.225.176.31

    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dl

    O21 - SSODL: replr - {F7D472F5-FE42-4FDF-BE54-F595E6B868DC} - C:\WINDOWS\System32\inetapi.dll

    REMOVE FOR SURE:
    O15 - Trusted Zone: http://*.search-soft.ne

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\lgtpvtxv.exe

    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab

    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/...all/xscan53.ca

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...stx/install.cab



    but, i think the primary problem is described in that first link i gave
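    Trotsky311's reply above picks the shifty entries out of the log by hand. As an added example (not code from the thread, from HijackThis or from Sygate), here is a small Python triage script that applies the same kinds of checks to HijackThis lines: bare executable names in Run keys, Trusted Zone entries, DPF objects with a file:// or empty source, and NameServer overrides. The sample log is constructed from a few lines of the log in post 8, and the expected_dns parameter is an assumption standing in for the resolvers the ISP actually assigned.

```python
import re

# Heuristics modelled on the entries the replies single out: Run keys naming a bare
# executable, Trusted Zone entries, DPF objects from file:// or with no source, O17 DNS.
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}.*?- ?(?P<src>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ns>.*)$")
IP_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

def triage_line(line, expected_dns=frozenset()):
    """Return (section, reason) if the line looks suspicious, else None."""
    line = line.strip()
    if m := RUN_RE.match(line):
        exe = m.group("cmd").strip('"').split('"')[0]
        # no directory at all: whatever is first on the search path gets run
        if "\\" not in exe:
            return ("O4", "Run entry [%s] has no path: %s" % (m.group("name"), exe))
    elif m := O15_RE.match(line):
        host = m.group("url").split("//", 1)[-1].lstrip("*.")
        kind = "raw IP" if IP_RE.match(host) else "domain"
        return ("O15", "Trusted Zone grants lowered security to %s %s" % (kind, host))
    elif m := O16_RE.match(line):
        src = m.group("src").strip()
        if not src:
            return ("O16", "DPF object with no source URL")
        if src.lower().startswith("file://"):
            return ("O16", "DPF object loaded from local file: " + src)
    elif m := O17_RE.match(line):
        servers = [s for s in re.split(r"[,\s]+", m.group("ns")) if s]
        rogue = [s for s in servers if s not in expected_dns]  # expected_dns is assumed
        if rogue:
            return ("O17", "NameServer overridden to " + ", ".join(rogue))
    return None

def triage_log(text, expected_dns=frozenset()):
    """Run triage_line over every line of a HijackThis log, dropping clean lines."""
    hits = (triage_line(l, expected_dns) for l in text.splitlines())
    return [h for h in hits if h]

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SmcService] C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui
O4 - HKLM\\..\\Run: [MSTCPDLL] progmen.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\\Program Files\\Internet Explorer\\lgtpvtxv.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{383C8163-3A0B-4ABE-AD99-AD2CD3993B15}: NameServer = 69.50.188.180 195.225.176.31
"""
```

Running triage_log(SAMPLE_LOG) flags every sample line except the fully-pathed smc.exe entry; the hits are candidates for review, not a verdict.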
     
  11. raysun

    raysun D4N73_666 4861786f72

    Messages:
    932
    Likes Received:
    10
    Hi.... With <Sygate>, the data is stored in the attack log, e.g. Logs ---> Security Log ---> "host XXX.XXX.XXX.XXX has been blocked from accessing network". In this case you should make a rule in Advanced Rules that blocks XXX.XXX.XXX.XXX.
    You could also dissect XXX.XXX.XXX.XXX, or the website you are being redirected to, by using Karen's URL Discombobulator ---> http://www.karenware.com/progs/ptlookup-setup.exe

    Comes in handy :) For making rules, you can then try to block the source....
    HijackThis is also a nice prog for taking care of hijackers:
    http://www.majorgeeks.com/download3155.html

    You can also block pop-ups and stuff.
     
  12. Power_13

    Power_13 insult ninja

    Messages:
    3,240
    Likes Received:
    3
    Thanks :) I'll clean those things out of the registry once I do my next backup
     