mylegsfetish


  • This topic is locked
9 replies to this topic

#1 Raynman

Raynman

    Member

  • New Member
  • 4 posts

Posted 15 May 2004 - 05:36 PM

I've run HijackThis to remove this and it keeps popping up. It's one of the R0 items, second from the top. Any help is appreciated. Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 3:26:30 PM, on 5/15/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\elevate.exe
C:\Program Files\Connected\CBRegCap.EXE
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\PJS\pjssrvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\suss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\B0082196\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Host_on_Demand_603] C:\Pkgdata\Host_On_Demand_603_32\Host_On_Demand_603_32_CU.EXE
O4 - HKLM\..\Run: [Defrag] c:\winnt\system32\defrag.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: pjs_startup.lnk = C:\Program Files\PJS\bin\pjs_startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8122.6221759259

#2 therock247uk

therock247uk

    247fixes.com

  • Ambassador
  • 870 posts

Posted 15 May 2004 - 05:47 PM

OK, tick and fix the following in HijackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html

You could also fix these if you did not put those restrictions there:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then post a fresh log here in a reply for me to make sure it's gone.

Edited by therock247uk, 15 May 2004 - 05:51 PM.


#3 Raynman

Raynman

    Member

  • New Member
  • 4 posts

Posted 15 May 2004 - 06:05 PM

That's the problem: I check that box, it says it's removed, I close and reopen HijackThis, and when I scan again, it's back. I remove all references to this web site in the registry, and they pop back in. I've been trying to remove this for a week now.

#4 therock247uk

therock247uk

    247fixes.com

  • Ambassador
  • 870 posts

Posted 15 May 2004 - 07:14 PM

Can you find this c:\winnt\system32\defrag.exe, right-click on it, then select Properties and tell me what it says? That might just be what is hijacking you.

#5 Raynman

Raynman

    Member

  • New Member
  • 4 posts

Posted 15 May 2004 - 07:25 PM

It says the C:\winnt\system32\defrag.exe is a regular defrag file. The VBScript file with it says to check disk space, and if low to run defrag. The defrag file was created August 27, 2003.

It doesn't look suspicious.

I'm also running Browser Hijack Blaster, and it detects my home page being reset to mylegsfetish every time I run any application. When I close an application it tries to change it too. I've checked task manager to see if I can tell what application is running while that home page is being changed, but nothing shows up, at least not obviously.

It's a tricky one. I appreciate the assistance though. Hope someone can find it. It really bothers me that HijackThis removes it, but it pops right back up in the next scan, providing I close HijackThis and rescan.

#6 therock247uk

therock247uk

    247fixes.com

  • Ambassador
  • 870 posts

Posted 15 May 2004 - 08:01 PM

OK, can you uninstall SpyKiller from Start, Control Panel, Add/Remove and then post a new HijackThis log here in a reply?

#7 Raynman

Raynman

    Member

  • New Member
  • 4 posts

Posted 15 May 2004 - 09:49 PM

Uninstalled SpyKiller and rebooted. I get two of the bad home page settings now. Again, clicking the box and cleaning with HijackThis removes the item, but it appears again when I open HijackThis again. Here's what I get now with HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 7:43:35 PM, on 5/15/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\elevate.exe
C:\Program Files\Connected\CBRegCap.EXE
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\PJS\pjssrvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\suss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\System32\MsiExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\MMKeybd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\B0082196\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Host_on_Demand_603] C:\Pkgdata\Host_On_Demand_603_32\Host_On_Demand_603_32_CU.EXE
O4 - HKLM\..\Run: [Defrag] c:\winnt\system32\defrag.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: pjs_startup.lnk = C:\Program Files\PJS\bin\pjs_startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8122.6221759259
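
A way to compare the two HijackThis logs posted above mechanically, as an added example that is not part of the original thread: it parses each log into running processes and coded entries, then reports what changed between scans and the R0 Start Page per registry hive. The sample text is trimmed from the thread's two logs; the function names are hypothetical.

```python
import re

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")   # e.g. "R0 - ...", "O4 - ..."
START_PAGE = re.compile(r"^(HK\w+)\\.*\\Main,Start Page = (\S+)$")
# Excerpts trimmed from the two logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\SpyKiller\spykiller.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
O4 - HKLM\..\Run: [Defrag] c:\winnt\system32\defrag.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
"""
AFTER = r"""Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsiExec.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
O4 - HKLM\..\Run: [Defrag] c:\winnt\system32\defrag.exe
"""

def parse_log(text):
    """Split a HijackThis log into (running processes, coded entries)."""
    procs, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())  # Windows paths are case-insensitive
    return procs, entries

def diff_logs(before, after):
    """Report what changed between two scans of the same machine."""
    (p0, e0), (p1, e1) = parse_log(before), parse_log(after)
    return {"entries_added": [e for e in e1 if e not in e0],
            "entries_removed": [e for e in e0 if e not in e1],
            "procs_gone": sorted(p0 - p1), "procs_new": sorted(p1 - p0)}

def start_pages(text):
    """Map registry hive -> IE Start Page from the R0 entries."""
    hits = (START_PAGE.match(b) for c, b in parse_log(text)[1] if c == "R0")
    return {m.group(1): m.group(2) for m in hits if m}
```

On these excerpts `diff_logs(BEFORE, AFTER)` reports one new entry, the HKCU Start Page now set to the hijack URL, while the `[Defrag]` Run entry is present in both scans.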

#8 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 16 May 2004 - 09:21 AM

Raynman,
1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

C:\Program Files\PJS <--this folder

Note: if "access denied" message, right-click the folder
Select: Properties, uncheck: "Read only" and "Hidden" (if exists)
Click Apply, and then delete it.

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
O4 - HKLM\..\Run: [Defrag] c:\winnt\system32\defrag.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: pjs_startup.lnk = C:\Program Files\PJS\bin\pjs_startup.exe


Restart normally and then ...

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program.

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#9 therock247uk

therock247uk

    247fixes.com

  • Ambassador
  • 870 posts

Posted 16 May 2004 - 10:36 AM

OK, tick and fix the following in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mylegsfetish.com/index.html
O4 - HKLM\..\Run: [Defrag] c:\winnt\system32\defrag.exe

Then post a new log here in a reply.

#10 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 30 September 2004 - 06:56 PM

Due to the time passed with no response to this thread, I am closing it.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



