Help



#1 ronsconi32


Posted 10 July 2004 - 01:32 PM

I would like to thank you in advance for assisting me in my current problem. I have a parasite that changes my home web page each time to a nasty porn site. I have young children and it is terrible. I have tried shredder and hijacker to no avail. I am not a professional user. I would consider myself a novice. Any help to get this off of my machine would be helpful.

#2 dave38


Posted 10 July 2004 - 04:13 PM

We need a closer look at what's happening.
Please download Hijack this
Copy it into its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 ronsconi32


Posted 10 July 2004 - 04:29 PM

Thanks for your help

Logfile of HijackThis v1.98.0
Scan saved at 4:28:39 PM, on 7/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
e:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\Program Files\Common files\WinTools\WToolsS.exe
E:\WINNT\Explorer.EXE
E:\WINNT\System32\MsPMSPSv.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
E:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\Program Files\Common files\WinTools\WToolsA.exe
C:\windows\system32\winexplor.exe
E:\Program Files\Enigma Software Group\EnigmaFireWall\EnigmaFirewall.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\Program Files\Nikon\NkView4\NkVwMon.exe
E:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.EXE
E:\Program Files\WinZip\WZQKPICK.EXE
E:\WINNT\system32\ntvdm.exe
E:\Palm\HOTSYNC.EXE
E:\Program Files\Common Files\WinTools\WSup.exe
E:\NavPress\ZIPscrpt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Ron Wright\My Documents\Hi jack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50026
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [CreateCD50] "E:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] E:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [VSOCheckTask] "e:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "e:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WinTools] E:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
O4 - HKLM\..\Run: [Enigma Firewall] E:\Program Files\Enigma Software Group\EnigmaFireWall\EnigmaFirewall.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [XFILTER] E:\Program Files\Enigma Software Group\EnigmaFireWall\ESPfSdk.dll
O4 - HKLM\..\RunServices: [RegisterDropHandler] E:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: HotSync Manager.lnk = E:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: ZIPscript.lnk = E:\NavPress\ZIPscrpt.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkVwMon.exe.lnk = E:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: Quick Shelf.lnk = E:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O10 - Unknown file in Winsock LSP: e:\winnt\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\espfspi.dll
O13 - DefaultPrefix: http://www.microsoit...direct.php?url=
O13 - WWW Prefix: http://www.microsoit...direct.php?url=
O18 - Protocol: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - E:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - E:\Program Files\Common Files\Microsoft Shared\Reference 2001\msero.dll
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - E:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)

#4 dave38


Posted 10 July 2004 - 05:02 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50026

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [WinTools] E:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe

O13 - DefaultPrefix: http://www.microsoit...direct.php?url=
O13 - WWW Prefix: http://www.microsoit...direct.php?url=

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)

Reboot and delete

files
C:\windows\system32\winexplor.exe

folders
E:\Program Files\Common files\WinTools

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
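
An added example, not part of the thread and not code from HijackThis: a small Python triage pass over a HijackThis log that surfaces the structural oddities visible in the log above for a human reviewer. The function names and the four heuristics are assumptions made for this illustration (including that the stock URL prefix is `http://`), and the sample is a subset of the posted log lines.

```python
import re

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""Running processes:
E:\WINNT\System32\smss.exe
C:\windows\system32\winexplor.exe
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
O13 - DefaultPrefix: http://www.microsoit...direct.php?url=
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - E:\Program Files\Common Files\Microsoft Shared\Reference 2001\msero.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entries(log):
    """Return (code, detail) pairs for every 'R1 - ...' / 'O4 - ...' line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def system_root(log):
    """Infer the Windows directory from the smss.exe process path."""
    m = re.search(r"^(.+)\\system32\\smss\.exe$", log, re.I | re.M)
    return m.group(1).lower() if m else None

def triage(log):
    """Flag entries for human review; heuristics only, not a verdict."""
    entries, root, flags = parse_entries(log), system_root(log), []
    hooks = {c for code, d in entries if code == "R3" for c in CLSID.findall(d)}
    for code, d in entries:
        if code == "O2" and hooks & set(CLSID.findall(d)):
            flags.append(("same CLSID is BHO and URLSearchHook", d))
        elif code == "O4" and root:
            m = re.search(r'([A-Za-z]:\\[^"]*?)\\system32\\', d, re.I)
            if m and m.group(1).lower() != root:
                flags.append(("autorun from system32 outside system root", d))
        elif code == "O13" and d.split(": ", 1)[-1].strip() != "http://":
            flags.append(("URL prefix rewritten", d))
        elif code == "O18" and d.endswith("(no file)"):
            flags.append(("protocol handler with no file", d))
    return flags

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

A flag only marks a line worth a second look; legitimate software can trip any of these checks, so the decision to fix an entry stays with the reviewer.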



