0

I am new here, so forgive my mistakes.
I have a dialer or some type of program opening internet explorer which then opens various porn sites in my task manager. I also recently discovered that it is downloading pictures to my local settings, temporary internet folders. sometimes i will even see my windwows media player running in task manager.

I have installed and run spybot, adaware, norton, and AVG. it is still doing it. I have to disable my internet connection every night because i don't want to take any chances. I have an always on connection (dsl line).

Norton always finds trojanByte. viruses but it says it is deleting them. Anyway, this thing seems unstoppable to me. can anyone help? what is this thing?

4
Contributors
17
Replies
18
Views
13 Years
Discussion Span
Last Post by Hyps
0

you have been hijacked ,download the hijackthis program in my signature , put it in a folder in the root of C:\ and not a temp folder and run it and copy/paste a log back here don't fix anything yet ,lets have a look in the log first .

0

you have been hijacked ,download the hijackthis program in my signature , put it in a folder in the root of C:\ and not a temp folder and run it and copy/paste a log back here don't fix anything yet ,lets have a look in the log first .

0

Caperjack: Thanks for the tip. Here is the log you wanted.


Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Belkin Bulldog\upsd.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HPDESK\hppddir.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\scott\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.findlaw.com/?lid=MYFL_button
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.findlaw.com/?lid=MYFL_button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.findlaw.com/?lid=MYFL_button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://my.findlaw.com/?lid=MYFL_button
F1 - win.ini: load=,DTMONX.EXE
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O1 - Hosts: 66.40.16.131 www.livesexlist.com
O1 - Hosts: 66.40.16.131 www.lanasbigboobs.com
O1 - Hosts: 66.40.16.131 www.thumbnailpost.com
O1 - Hosts: 66.40.16.131 www.adult-series.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [iedll] c:\WINNT\iedll.exe
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37972.3886342593
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4317/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF9984AB-F387-4A81-913C-CE9B4B7A9483}: NameServer = 152.163.241.134

0

First thing you should run hijack from its own folder on the c:\ drive ,so when it creates backups they don't get lost in a temp folder .iwill analize the log and get back to you later .it takes a while

0

dont forget to put the hijack exe in its own folder on the c: drive ,for when it backs up what it fixes .

Edit : ok hope you didn't do what i had posted earlier ,
You have a coolwebSearch hijack ,
download and run CWShredder ,hit fix /not scan .
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Run hijackthis and
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked,Make sure all browser and all Windows Explorer windows are closed before fixing.


O1 - Hosts: 66.40.16.131 livesexlist.com

O1 - Hosts: 66.40.16.131 lanasbigboobs.com

O1 - Hosts: 66.40.16.131 thumbnailpost.com

O1 - Hosts: 66.40.16.131 adult-series.com

O1 - Hosts: 66.40.16.131 www.livesexlist.com

O1 - Hosts: 66.40.16.131 www.lanasbigboobs.com

O1 - Hosts: 66.40.16.131 www.thumbnailpost.com

O1 - Hosts: 66.40.16.131 www.adult-series.com

If these were not set on purpose you could also fix them , .

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


post a new log and i 'll check some more .

0

Here is the latest on my logs after following your tips. The problem seems to stop (or at least is not as frequent) after running all these spyware, virus, and shredder programs, security updates, etc. But, then I reboot and open my task manager to see what's going on and its just a matter of seconds usually until exlorer opens up (in task manager) and then a bunch of porn sites. I even see it go to download.com for a second. (This is all in task manager. otherwise none of it is visible). you can hear the defaults sounds though when its starts up. I Can't seem to shake this thing! any other tips? also, the shredder fixed everything you told me to fix except the host sites. It said "permission denied" error #70. I don't know what that means!?

COOLWEB SHREDDER STUFF - SCAN

AppData folder: C:\Documents and Settings\*****\Application Data

Username: ******

Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (309412 bytes, -)

Hosts file: 66.40.16.131 livesexlist.com

Hosts file: 66.40.16.131 lanasbigboobs.com

Hosts file: 66.40.16.131 thumbnailpost.com

Hosts file: 66.40.16.131 adult-series.com

Hosts file: 66.40.16.131 www.livesexlist.com

Hosts file: 66.40.16.131 www.lanasbigboobs.com

Hosts file: 66.40.16.131 www.thumbnailpost.com

Hosts file: 66.40.16.131 www.adult-series.com

Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe

UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,

Found Win.ini file: C:\WINNT\win.ini (1658 bytes, A)

Found line in Win.ini: run=

Found System.ini file: C:\WINNT\system.ini (231 bytes, A)

- END OF REPORT

COOLWEB SHREDDER STUFF - FIX

Done!

Removed from your system:

- CWS affiliate: Tooncomics

- Hosts file redirections

Windows 2000 (5.00.2195 SP4)

CWShredder v1.47.1

Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch

trojan and its variants, visit


START UP STUFF--

StartupList version: 1.52

Started from : C:\antihijacker.software\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\STOPzilla!\szntsvc.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINNT\System32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Belkin Bulldog\upsd.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\dtmonx.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINNT\rundll32.exe

C:\HPDESK\hppddir.exe

C:\WINNT\system32\taskmgr.exe

C:\WINNT\System32\cidaemon.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\antihijacker.software\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

America Online 8.0 Tray Icon.lnk.disabled

Document Assistant.lnk = C:\HPDESK\hppddir.exe

Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon

NeroCheck = C:\WINNT\System32\NeroCheck.exe

zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe

Logitech Utility = Logi_MwX.Exe

InCD = C:\Program Files\ahead\InCD\InCD.exe

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

STOPzilla = "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

AVG7_EMC = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

MigrateMMDrivers = rundll32.exe mmsys.cpl,mmseRunOnce

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

rundll32 = C:\WINNT\rundll32.exe

LDM = \Program\BackWeb-8876480.exe

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=

run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=,DTMONX.EXE

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=(NONE)

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

(no name) - C:\WINNT\system32\StopzillaBHO.dll - {E3215F20-3212-11D6-9F8B-00D0B743919D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Scott.job

Norton AntiVirus - Scan my computer.job

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[OPUCatalog Class]

InProcServer32 = C:\WINNT\System32\opuc.dll

CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37972.3886342593

[Downloader Class]

InProcServer32 = C:\WINNT\DOWNLO~1\dwnldr.dll

CODEBASE = https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

[{D27CDB6E-AE6D-11CF-96B8-444553540000}]

CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[McFreeScan Class]

InProcServer32 = C:\WINNT\McAfee.com\FreeScan\mcfscan.dll

CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4317/mcfscan.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

Windows NT checkdisk command:

BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':

PendingFileRenameOperations: c:\documents and settings\scott\cookies\scott@bluestreak[2].txt||c:\documents and settings\scott\cookies\scott@doubleclick[1].txt||c:\documents and settings\scott\cookies\scott@ehg-findlaw.hitbox[2].txt||c:\documents and settings\scott\cookies\scott@ehg.hitbox[2].txt||c:\documents and settings\scott\cookies\scott@hitbox[2].txt||c:\documents and settings\scott\cookies\scott@paycounter[1].txt||c:\documents and settings\scott\cookies\scott@valueclick[1].txt||c:\documents and settings\scott\cookies\scott@z1.adserver[1].txt||c:\documents and settings\scott\cookies\scott@zedo[2].txt

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: stobject.dll

--------------------------------------------------

End of report, 8,780 bytes

Report generated in 0.150 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

/end/

0

OK this is what we need to get hijack to fix ,
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe


then reboot into safe mode /hitting f8 on bootup to get to safe mode .and delete this file --C:\WINNT\rundll32.exe--- make sure it not the one in the C:\WINNT\System folder

These may be hidden files. click link below for how to show hidden files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


also a good Idea to check for updates of spyware programs like hijack and CWShreadder before running them

0

Caperjack:

YOU ARE THE BOMB! I hope this is not premature (lol), but i have been dialer/hijacker free since following your advice, including deleting "C:\WINNT\rundll32.exe". This was a very annoying and time comsuming problem. I FEEL LIKE A MAN WHO JUST KICKED HIS LAZY BROTHER-IN-LAW OUT OF THE HOUSE FOR GOOD!!!

THANK YOU. THIS SITE IS GREAT. I HOPE I WILL BE ABLE TO CONTRIBUTE SOMETHING TO SOMEONE SOMETIME! (p.s.: just in case the intruder shows up again, I still thank you for your help, and hope I can pick your brain once more. I will keep you posted.)

Sincerely, GRATEFUL.:) :cheesy:

0

Hi caperjack,

i have same problem, it seems everytime I startup my computer.. after awhile a dialer would pop asking me to select a country. Since it could not be remove unless you chose one and if i do, creates a porn icon in my desktop and auto-open the browser to a porn site. Ive tried ad-aware and it detects the TIBs Browser and the WebSiteViewer or somthing.. and removes it.. but after a start-up. Its there again.

I run Hijackthis and this is the repor after a scan:

Logfile of HijackThis v1.97.7

Scan saved at 11:45:33 AM, on 2/21/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\MSYSTEM.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\WORDWEB\WWEB32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE

C:\WINDOWS\SYSTEM\SYSQUERY1.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [System Backup] msystem.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38006.1174074074

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1878c4dcf31ce3234201/netzip/RdxIE601.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

============================================

Thank you very much and hope to hear from you very soon......

Hyps

0

make sure all windows explore and IE explorer windows are close and have hijack fix these .

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about_:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about_:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank

[X] O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab
-FunWebProducts
[X] O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1878c4dcf31ce3...ip/RdxIE601.cab
-Netster
[X] O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
-Coulomb Dialer Variant .

Reboot computer and check if dialer is gone and then post a new log

0

I've done what you said.. then reboot... unfortunately the dialer is still there.. so i run Hackthis again.. and this is the newl logs...

Logfile of HijackThis v1.97.7

Scan saved at 4:19:12 PM, on 2/24/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SLAVE.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\UMSD TOOLS2.33\UMSD.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\MSYSTEM.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\WORDWEB\WWEB32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\HACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [System Backup] msystem.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [RA Server] C:\WINDOWS\Slave.exe

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38006.1174074074

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

================ end

Hyps

0

I've done what you said.. then reboot... unfortunately the dialer is still there.. so i run Hackthis again.. and this is the new logs...

Logfile of HijackThis v1.97.7...

Here's a link I found for an online test: DO YOU HAVE PARASITES?

I do not see any visible, direct threats -- but there are some startups that should be killed, and one that's suspect:

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

No longer needed by Windows (it's a "disk optimizer" that never worked right), it's a resource waste and a possible source of MyDoom/Novarg infection. Get rid of it.
--------------
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

A not-needed resource hog, but hard to kill. If you delete this key, it will come back unless you change the name realsched.exe to something like realsched.bak.
--------------
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

Not needed. Delete.
--------------
O4 - HKLM\..\Run: [System Backup] msystem.exe

Do you know what this is? I have not found anything on it with a thorough search, which makes it suspect. This could be the culprit.
--------------
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Another resource drain. Unless you use it, kill it.
--------------
Disclaimer: I have never had any problems doing the above dozens of times, but I can't be held responsible for problems.

0

C:\WINDOWS\SYSTEM\MSYSTEM.EXE
O4 - HKLM\..\Run: [System Backup] msystem.exe

Do you know what this is? I have not found anything on it with a thorough search, which makes it suspect. This could be the culprit.

On further searching, I'm 99.99% sure that msystem.exe is, in fact, the culprit -- a dialer executable. Temporarily change its name to something like msystem.bak and see what happens. You can always change it back if you need it.

0

On further searching, I'm 99.99% sure that msystem.exe is, in fact, the culprit -- a dialer executable. Temporarily change its name to something like msystem.bak and see what happens. You can always change it back if you need it.

Yup.. its 100.00% the culprit :evil:.. since deleting it, the dialer has not pop-up ever since... thanks TallCool1 and to caperjack as well...

Hyps

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.