|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
Feeling sick and needing help
I'm wondering if anyone has had this problem and can help me to sort it out. Intermittantly, when i select "back" in my internet browser, i am taken to a really nasty porn site involving incest and rape. I really want to get this sorted, especially as my teenage daughter uses this pc. Please help!
|
#2
|
|||
|
|||
Hi!
--------1 Download "Ad-Aware SE" from: http://www.lavasoft.de/support/download/ Install, update and run a full system scan. Check and delete everything it finds. Reboot. ---------2 Download HijackThis from: http://www.cybertechhelp.com/downlo...ackthis1977.zip Create a new folder only for HijackThis (Example : C:\HijackThis). Unzip it to this folder. Click "Scan", after click "Save Log". Save the log, and copy/paste it into your response to this thread. Dont check or fix anything yet. |
#3
|
|||
|
|||
Hey Acrobaze!
Thanks for the help, here is the log... Logfile of HijackThis v1.98.2 Scan saved at 20:37:44, on 13/10/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\gsicon.exe C:\WINDOWS\System32\dslagent.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Windows SyncroAd\SyncroAd.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Windows SyncroAd\WinSync.exe C:\Program Files\Web_Rebates\WebRebates1.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Web_Rebates\WebRebates0.exe C:\hijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://66.250.171.137 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://omega-search.com/find/panel_search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://devils****.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\sys_ext.dll (file missing) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_2_3_0.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {82AEFC24-6704-4FBA-8DE6-0A277AD7C037} - C:\WINDOWS\System32\mfplay.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_2_3_0.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [next+dialer] C:\WINDOWS\EDialers\10-1-12-3-next+dialer-.exe !m O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe O4 - Global Startup: UK Style Window Box.lnk = C:\Program Files\UK Style\Window Box\windowbox.exe O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...c8e23e872259cf O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/189b1c37...p/RdxIE601.cab O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/support/chipdetec...todetect98.cab O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:8080/tel2net/CABEDialer.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab O19 - User stylesheet: (file missing) O20 - AppInit_DLLs: C:\WINDOWS\System32\msfj.dll O21 - SSODL: System - {A4112CA7-ED3B-4D41-8BF9-0C8E28C4F59D} - C:\WINDOWS\system32\system32.dll What's next? |
#4
|
|||
|
|||
Hello! A lot of malwares!
Keep Ad-Aware, update and run it regularly. -----------1 Control Panel -> add/remove programs Uninstall if present: Windows SyncroAd Web_Rebates Reboot. ------------2 Print this or copy it in the notepad, because internet explorer must be closed. Close all browser windows, run only HijackThis and check these lines: R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://66.250.171.137 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://omega-search.com/find/panel_search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://devils****.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\sys_ext.dll (file missing) O2 - BHO: (no name) - {82AEFC24-6704-4FBA-8DE6-0A277AD7C037} - C:\WINDOWS\System32\mfplay.dll (file missing) O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll O4 - HKLM\..\Run: [next+dialer] C:\WINDOWS\EDialers\10-1-12-3-next+dialer-.exe !m O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe" O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...dc8e23e872259cf O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/189b1c3...ip/RdxIE601.cab O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/support/chipdete...utodetect98.cab O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) - http://sessa.isprime.com:8080/tel2net/CABEDialer.cab O20 - AppInit_DLLs: C:\WINDOWS\System32\msfj.dll O21 - SSODL: System - {A4112CA7-ED3B-4D41-8BF9-0C8E28C4F59D} - C:\WINDOWS\system32\system32.dll And click "Fix checked". -----------3 Reboot in safe mode, make sure you can see the hidden files and folders and delete: C:\Program Files\Windows SyncroAd\<- the folder C:\Program Files\Web_Rebates\ <-the folder Empty the recycle bin. -----------4 Reboot in normal mode and post a new HijackThis log, please. Let me know if the problem is solved. |
#5
|
|||
|
|||
Hi,
All instructions followed, and the latest log is posted below, since the problem is intermittent i won't know for a couple of days whether it is solved, but i will post again to let you know... thanks again, it was really starting to get me down. Logfile of HijackThis v1.98.2 Scan saved at 22:27:49, on 13/10/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\gsicon.exe C:\WINDOWS\System32\dslagent.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Ahead\InCD\InCD.exe C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\BT Broadband\Help\bin\mpbtn.exe C:\WINDOWS\System32\wuauclt.exe C:\hijackThis\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_2_3_0.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_2_3_0.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe O4 - Global Startup: UK Style Window Box.lnk = C:\Program Files\UK Style\Window Box\windowbox.exe O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadfreenow.com/sites/signed.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab O19 - User stylesheet: (file missing) |
#6
|
|||
|
|||
Acrobaze,
I still have the problem, still intermittent. Any more advise? |
#7
|
|||
|
|||
Ho! It comes back! We'll search it and find it.
---------------1 Remove all the files and sub-folders from the below TEMP folders : (DO NOT DELETE THE FOLDERS ONLY THE CONTENTS.) -C:\documents and settings\<your name>\local settings\temp -C:\temp (if present) -C:\windows\temp -Empty the"Temporary Internet Files" : Internet Explorer -> tools -> internet options -> General-> "Delete Files", Check the "delete all offline content" box . Empty the recycle bin. ---------------2 We'll see in the services. Download this little script: http://d21c.com/Tom41/get_active_services_179_161.zip Let it on your desktop. Run it. When the txt file appears, please copy/paste it here with a fresh HijackThis log. |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
not feeling well | renegade600 | Jokes Forum | 3 | May 2nd, 2022 12:37 AM |
Karen is feeling sick | Ned Seagoon | Jokes Forum | 5 | April 6th, 2022 03:50 AM |
I get the feeling.... | rynprov | Open Discussion | 1 | January 9th, 2009 09:52 PM |
Feeling fat? | Vercades | Open Discussion | 15 | August 4th, 2005 10:56 AM |
All times are GMT +1. The time now is 12:55 AM.