porn problem (New)

giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
24-Apr-2003, 08:23 AM #1
porn problem
I need help with a very bad porn problem. I keep getting these terrible pop ups when I open explorer. I have done all the troubleshooting I know how to do, but here is where I am stuck. In the system information section, under Explorer, these are the programs that are loading that I think are causing the problem. Outside of eliminating the registry which I know is touchy how can I get rid of the offensive ones?
Thanks



YInstStarter Class Installed 2001,7,11,1 http://download.yahoo.com/dl/installs/yinst.cab

AInst Class Installed 1,0,0,1 http://www.absoluteteensmut.com/activeinstaller.dll

Inst Class Installed 1,0,0,3 http://toolbar.i-lookup.com/ineb.cab

{26E8361F-BCE7-4F75-A347-98C88B418322} Installed 2,0,0,119 http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab

HTMLAccess Class Installed 1,0,4,3 http://usa-download.nocreditcard.com...Access1043.cab

{00000161-0000-0010-8000-00AA00389B71} Not Available 0,0,0,1 http://codecs.microsoft.com/codecs/i386/msaudio.cab

Shockwave Flash Object Installed 6,0,65,0 http://download.macromedia.com/pub/s...sh/swflash.cab

&Yahoo! Companion Damaged 2002,9,19,1 http://us.dl1.yimg.com/download.yaho...io4_0_2_10.cab

{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} Not Available 0,0,0,1 http://download.weatherbug.com/minib...ginstaller.cab

{8522F9B3-38C5-4AA4-AE40-7401F1BBC851} Not Available 0,0,0,1 http://198.143.5.86/xxxpics.cab

{4CBBC676-507F-11D0-B98B-000000000000} Not Available 0,0,0,1 http://www.bc777.com/software/SiteHlpr.cab

{D9EC0A76-03BF-11D4-A509-0090270F86E3} Not Available 0,0,0,1 http://www.spywarelabs.com/111803032...rOuter1118.EXE
rams that are loading that I cannot seem to eliminate.
Gordon7000's Avatar
Member with 213 posts.
 
Join Date: Mar 2003
Location: Largs, Scotland, UK
24-Apr-2003, 08:38 AM #2
Hi giantmouse,

If you have not already run Spybot, please do this: download and install Spybot Search and Destroy.

http://security.kolla.de/index.php?l...&page=download

Before using the programme, UPDATE it from the Internet. Then, disconnect from the Internet, close your browser and run Spybot (Check for Problems). Tick everything highlighted in red and DELETE these entries with Spybot. After this, REBOOT your PC.

Next, download, unzip and run Hijack This

http://www.tomcoyote.org/hjt/

Most of the entries in the log are harmless, so don't fix anything yet. Just SCAN your computer. When the scan is completed, press the SAVE LOG button, then copy and post the log to this forum. Someone will then let you know what to do next.

Regards, Gordon
Metallica's Avatar
Malware Removal Specialist with 692 posts.
 
Join Date: Jan 2003
24-Apr-2003, 08:43 AM #3
Hi giantmouse,

You can go to the Downloaded Program Files folder and simply delete them there.
Or you can use HijackThis to nuke them.

These are malicious:
AInst Class Installed 1,0,0,1 http://www.absoluteteensmut.com/activeinstaller.dll

HTMLAccess Class Installed 1,0,4,3 http://usa-download.nocreditcard.co...LAccess1043.cab

{8522F9B3-38C5-4AA4-AE40-7401F1BBC851} Not Available 0,0,0,1 http://198.143.5.86/xxxpics.cab

{D9EC0A76-03BF-11D4-A509-0090270F86E3} Not Available 0,0,0,1 http://www.spywarelabs.com/11180303...erOuter1118.EXE

that I know, but you can eliminate anything that is not from Microsoft, Macromedia, Macintosh or your provider or your bank without ill side effects. They will be reinstalled when you need them.

Regards,

Pieter
__________________
I'm madly in Anger with spyware.
MS MVP Consumer Security
giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
24-Apr-2003, 09:21 AM #4
porn prob
Okay I can run those programs etc however, I am also having a problem with scandisk...the scan will not run, just keeps checking the FAT tables and restarting. Can I run these programs to fix this problem first and tackle the Scan disk problem next? I am sure I can find a fix for the scan disk problem on the MS website.
Metallica's Avatar
Malware Removal Specialist with 692 posts.
 
Join Date: Jan 2003
24-Apr-2003, 10:07 AM #5
I don't think they are related, but solving them one by one would be best.

Regards,

Pieter
Gordon7000's Avatar
Member with 213 posts.
 
Join Date: Mar 2003
Location: Largs, Scotland, UK
24-Apr-2003, 10:09 AM #6
Hi giantmouse,

Fix the problems first, before attempting to run Scandisk.

Regarding Scandisk, this utility will very often not complete its scan if any other tasks are running in the background. For this reason, it would be better to run Scandisk (and Defrag) in Windows Safe Mode. If you've already tried this and are still having problems with Scandisk, just let us know.

Concentrate right now, however, on carrying out the fixes that Pieter mentioned. It may help if you could post your Hijack This log, so that someone can ensure that there are no other malicious entries in the log.

Regards, Gordon

Sorry, Pieter, I thought you were offline!
Metallica's Avatar
Malware Removal Specialist with 692 posts.
 
Join Date: Jan 2003
24-Apr-2003, 10:33 AM #7
No problem Gordon7000,
You were here first.

Regards,

Pieter
giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
24-Apr-2003, 10:41 AM #8
Porn problem
Thanks a bunch guys. I think that I can go from here. I will post the log when I am finished and let you know how this worked. This is really gross stuff that I do not want popping up when my 12 year old goes online.
giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
24-Apr-2003, 09:15 PM #9
hijack log-porn problem
Okay regarding the porn problem, I ran the spybot and the hijack this. Here is the log.....let me know how to proceed

Logfile of HijackThis v1.93.0
Scan saved at 8:07:43 PM, on 4/24/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://zoosecret.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by PeoplePC
O1 - Hosts: 66.38.188.103 auto.search.msn.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner1120.exe /S
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - Startup: POWERR~1.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Guide (HKLM)
O9 - Extra button: PeoplePC (HKLM)
O9 - Extra button: Wallet (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Gordon7000's Avatar
Member with 213 posts.
 
Join Date: Mar 2003
Location: Largs, Scotland, UK
25-Apr-2003, 03:38 AM #10
Hi giantmouse,

Before doing anything else, could you check your Control Panel > Add/Remove Programs list for an entry relating to VirtualBouncer or VBouncer? If you find an entry, remove VBouncer from there.

Then, check the following items in Hijack This and allow HT to fix them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://zoosecret.com ['Adult' site]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank

O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)

O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner1120.exe /S


Also, remove AOL from your trusted zone in Internet Explorer.

O15 - Trusted Zone: http://free.aol.com

Check back here again in case other items need to be fixed.

Regards, Gordon

Last edited by Gordon7000; 25-Apr-2003 at 03:43 AM..
IMM's Avatar
Malware Removal Specialist with 3,260 posts.
 
Join Date: Feb 2002
25-Apr-2003, 06:46 AM #11
There's also this one
O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
It looks like it's the liveshow porn dialer
see http://www.cexx.org/liveshow.htm for a little more info

I thought SpybotSD should have got that one?

It might also be helpful if you post your startups as well as the HJT list so that we can see running processes. I can't really tell what POWERR~1.EXE is. You can find the StartupList log generator in HijackThis from the Config button > Misc. Tools button

Last edited by IMM; 25-Apr-2003 at 06:54 AM..
giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
25-Apr-2003, 08:21 AM #12
porn problem cont......
Okay..ya'll are going to have to slow down....regarding MM's request that I post the HJT List (this is what is already out here right?) and the StartupList.Log...should I do that before I do what Gordon has suggested?

If not, then I will finish the Hijack this problem and then post the StartupList.Log..

Regarding the fact that Spybot did not detect that file..this stuff is absolutely vicious. I did the download for Spybot and then updated from the Internet before running it, so there must be some other reason that SB missed it?

I tried doing an updated virus scan before I started any of this and got a fatal error before Norton could finish..
How did this happen...how can they invade my computer...is it from the web pages my kids have set up?

This stuff is GRAPHIC..
Giantmouse
IMM's Avatar
Malware Removal Specialist with 3,260 posts.
 
Join Date: Feb 2002
25-Apr-2003, 08:28 AM #13
By all means do the HJT fix first. The only thing I wanted was the startuplist.

I just had another quick look through it and this item
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
is also very suspicious (in part for its location and in part because there are both porn programs and trojans associated with that file name). I actually think this one is a homepage redirector for adult websites from what you've said. (uncheck it using msconfig at least) or it may just be webshots.

Last edited by IMM; 25-Apr-2003 at 08:35 AM..
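The location-based reasoning used in the replies above (a toolbar with no file behind it, an autostart sitting in the drive root, an autostart launched from the download folder, a Trusted Zone entry) can be applied mechanically to a HijackThis log. This is an added example, not part of any post in the thread and not HijackThis code; the function name `triage` and its rules are assumptions for illustration, and a hit only means the entry deserves a closer look.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O15 - Trusted Zone: http://free.aol.com
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# An executable placed directly in a drive root, e.g. C:\something.exe
ROOT_EXE_RE = re.compile(r"^[A-Z]:\\[^\\ ]+\.(EXE|COM|BAT|PIF|SCR)\b")
# Assumption: DOWNLO~1 is the 8.3 short name of "Downloaded Program Files".
DPF_DIRS = ("\\DOWNLO~1\\", "\\DOWNLOADED PROGRAM FILES\\")


def triage(log_text):
    """Return (section, entry, reason) for log lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header or blank line
        section, entry = m.groups()
        if section in ("O2", "O3") and entry.endswith("(no file)"):
            findings.append((section, entry, "registered component has no file on disk"))
        elif section == "O4":
            run = RUN_RE.match(entry)
            if not run:
                continue  # Startup-folder entries use a different layout
            # Normalise mixed slashes and case before checking the location.
            cmd = run["cmd"].replace("/", "\\").upper()
            if ROOT_EXE_RE.match(cmd):
                findings.append((section, entry, "autostart executable sits in a drive root"))
            elif any(d in cmd for d in DPF_DIRS):
                findings.append((section, entry, "autostart runs from Downloaded Program Files"))
        elif section == "O15":
            findings.append((section, entry, "site added to the Trusted Zone"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {entry}")
```

Entries flagged for other reasons in the thread, such as the changed `Default_Page_URL` or the VBouncer startup, need knowledge of the product or of what the user configured and are outside these location rules.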
giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
25-Apr-2003, 08:47 AM #14
porn
As long as it will not interfere with the regular use of my computer, I will get rid of it..It is probably porn...

Okay I will proceed with the fix and then post the SU log..
giantmouse's Avatar
Junior Member with 7 posts.
 
Join Date: Apr 2003
26-Apr-2003, 08:07 PM #15
Okay I have run all the programs and I think we got rid of everything. I was able to run scandisk/and defrag in Safe mode.

here is the startuplist from HJT Let me know what I need to do next...

StartupList report, 4/26/03, 7:01:34 PM
StartupList version: 1.52
Started from : C:\MY DOCUMENTS\DUCKHUNT\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\PEOPLEPC\DIALER\DIALER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\DUCKHUNT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
POWERR~1.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
vptray = C:\Program Files\Norton AntiVirus\vptray.exe
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb05.exe
MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
winmodem = WINMODEM.101\wmexe.exe
SchedulingAgent = mstask.exe
rtvscn95 = C:\Program Files\Norton AntiVirus\rtvscn95.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 16/4/2003, 12:41:36)

[rename]
NULL=C:\WINDOWS\TEMP\TB_UPD~1.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

PATH C:\Windows;C:\Windows\Command;C:\DOS
rem - By Windows Setup - C:\WINDOWS\COMMAND\MSCDEX.EXE /D:CDROM001 /L > nul

--------------------------------------------------


Enumerating Browser Helper Objects:

Yahoo! Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL - {13F537F0-AF09-11d6-9029-0002B31F9E59}
(no name) - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4,570 bytes
Report generated in 1.023 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only