• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
protoss

Please help! Nothing works

6 posts in this topic

I desperately need help.

 

Problem:

 

Links to pornographic pages keep appearing in my favourites folder, despite the fact that I keep deleting them.

 

Also, my homepage has been hijacked.

 

I have tried

 

CWShredder

AdAware

Spybot

Hijackthis

 

Nothing works.

 

I previously posted my logfile, but I see that I accidentally did it with Hijackthis version 1.97

 

I have redone it, with the latest version of Hijackthis, version 1.98.

 

Here is the logfile:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 2:07:06 AM, on 1/4/90

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v5.00 (5.00.2314.1000)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE

C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\WINDOWS\SYSTEM32\WINMM64.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\MY DOCUMENTS\REMOVING SPYWARE\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINMM64.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - (no file)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

 

I appreciate your efforts.

Share this post


Link to post
Share on other sites

Hi,protoss

 

Here is what i see in this Logfile but please do not.

fix a thing tell the Pros have a look at it for you

 

Now these here if you did not add them fix it

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

 

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install<--Maybe a Virus

 

This one is up to you Real Player update

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

you should do this let them know if you find anything

 

Symantec

TrendMicro

A2 Trojan Scan

 

Gday :bounce:

Share this post


Link to post
Share on other sites

Hi Rootkit.

 

I did as you advised, and fixed all of the listed items.

 

However, whithin about 10 minutes they reappeared, along with the unwanted links in my favourtes folder, and the unwanted home page.

 

It looks like I have big problems.

 

How do I get rid of these damn intruders!

 

I appreciate your help.

Share this post


Link to post
Share on other sites

The Spyware keeps regenerating the following items into my log file.

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

 

I delete them, but after about 10 minutes they just reappear. And so do the porn links in my favourites folder.

 

What doI do?

Share this post


Link to post
Share on other sites

Here is my latest log.

 

Could you please have a look at it and let me know what to remove.

 

I have tried to remove the R1 and R0 entries, but they just keep reappearing again.

 

Logfile of HijackThis v1.98.0

Scan saved at 5:16:44 AM, on 1/5/90

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v5.00 (5.00.2314.1000)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE

C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\WINDOWS\SYSTEM32\WINMM64.EXE

C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE

C:\MY DOCUMENTS\REMOVING SPYWARE\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINMM64.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - (no file)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C2FCEF4E-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI File information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0