Jump to content


Photo

search-town.net fixed as my homepage tried everyth


  • Please log in to reply
1 reply to this topic

#1 2x%dfid

2x%dfid

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 26 May 2004 - 12:47 PM

Tried the suggestions in faq. This appears in IE address box: %72%69%76%69%65%72%61%2E%63%63 every time I reboot. When surfing net often get redirected to gambling and porn sites. Can you help?

Logfile of HijackThis v1.97.7
Scan saved at 18:24:38, on 26/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\System32\WMRUNDLL.EXE
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\winnt\winlogon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
\tiree\sys\public\PPOPUP.EXE
\tiree\sys\public\WBALANCE.EXE
C:\WINNT\system32\NALDESK.EXE
C:\WINNT\system32\msses.exe
C:\WINNT\system32\svvhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\amh300\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://opti.riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.socscinet.soton.ac.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-cache.soton.ac.uk/proxy.pac
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINNT\system32\msmk.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSZTCE] C:\WINNT\system32\MSZTCE.EXE
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.socscinet.soton.ac.uk
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33A08503-2CBA-4B51-8ED5-C994902131F9}: NameServer = 152.78.128.78,152.78.128.79
O17 - HKLM\System\CS1\Services\Tcpip\..\{33A08503-2CBA-4B51-8ED5-C994902131F9}: NameServer = 152.78.128.78,152.78.128.79
O17 - HKLM\System\CS2\Services\Tcpip\..\{33A08503-2CBA-4B51-8ED5-C994902131F9}: NameServer = 152.78.128.78,152.78.128.79

Edited by 2x%dfid, 26 May 2004 - 12:55 PM.


#2 2x%dfid

2x%dfid

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 27 May 2004 - 09:07 AM

CW Shredder has fixed this problem - thanks to dave38 for putting me onto it!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button