Solved: Have a spyware problem, I think.....

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Czub

Thread Starter
Joined
Feb 22, 2005
Messages
85
OK, here is the problem.
I go to this website (about river tubing). I click on the link to open it. The correct page starts to open, then a porn page kicks in and opens, replacing the correct page. I tried it numerous times with the same results. So I went up to my wife's computer and tried. The correct page loaded without the porn page opening. So there must be some spyware/virus on my computer. Ran Spybot, Ad-Aware SE, CWS Shredder and my AV program. CWS Shredder found CWS.Msconfig and removed it; the other programs found nothing. I'm still having the same problem.
But only with that one site. Any ideas? Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:29:23 PM, on 6/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Buzzy\Desktop\this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Also, I removed this entry hoping that it was the problem, but it wasn't. How do I go about restoring it? It's in a backup file..... Take it easy.

O17 - HKLM\System\CCS\Services\Tcpip\..\{BF591554-59D4-48B5-A6C7-FE83F833B5FD}: NameServer = 69.50.176.196,195.225.176.37
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Actually, removing the O17 was correct.

I don't see anything in the log but let's try this tool:

Download the trial version of Ewido Security Suite: http://www.ewido.net/en/download/

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch Ewido.
· It will prompt you to update; click the OK button and it will go to the main screen.
· On the left side of the main screen click Update.
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in Safe Mode.

Restart your computer into Safe Mode now.
(start tapping the F8 key at Startup, before the Windows logo screen)
Perform the following steps in Safe Mode:

Run Ewido:

· Click on scanner.
· Put a check by the following before you scan:

o Binder
o Crypter
o Archives

· Click the Start Scan button to start the scan.
· During the scan it will prompt you to clean files, click OK.
· When the scan is finished, look at the bottom of the screen and click the Save Report button.
· Save the report to your desktop.
· Post that log and a fresh log from HijackThis.
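An O17 line in a HijackThis log is the per-interface NameServer value from the TCP/IP registry key, i.e. the DNS resolvers that interface has been told to use. If that value points at resolvers that are not yours, whoever runs them can answer a single name with a different address while every other site loads normally, which is consistent with the symptom in this thread. The script below is an added example, not code from the thread, from HijackThis or from Ewido: it parses O17 lines out of a log and flags any resolver that is not in an expected set. The sample log is constructed here (the first O17 line is the one quoted above; the second, with the {00000000-...} interface and a 192.168.1.1 resolver, is made up to show the non-flagged case), and the expected set is an assumption: RFC 1918 space standing in for a home router, to which you would add your own ISP's resolver addresses.

```python
import ipaddress
import re

# Constructed sample input: a benign R0 line, the O17 line quoted in the
# thread, and a second O17 line (made up) whose resolver is a home router.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF591554-59D4-48B5-A6C7-FE83F833B5FD}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumed policy: resolvers considered legitimate. RFC 1918 space covers a
# router acting as DNS forwarder; append your ISP's resolvers as /32 networks.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# O17 line shape:  O17 - <registry key>\{GUID}: NameServer = ip[,ip...]
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?\{(?P<guid>[0-9A-Fa-f-]{36})\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return [{'interface': '{GUID}', 'servers': [token, ...]}, ...] for every
    O17 line. Tokens are kept as raw strings; a malformed token is not dropped
    here, so the caller still sees (and can flag) it."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({"interface": "{" + m.group("guid") + "}", "servers": servers})
    return entries


def flag_nameservers(entries, expected=EXPECTED_RESOLVERS):
    """Return the entries naming at least one resolver outside `expected`,
    listing the offending tokens. Tokens that are not valid IP addresses are
    reported too: a rogue entry is not obliged to be well formed."""
    findings = []
    for entry in entries:
        unexpected = []
        for token in entry["servers"]:
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                unexpected.append(token)
                continue
            if not any(addr in net for net in expected):
                unexpected.append(token)
        if unexpected:
            findings.append({"interface": entry["interface"], "unexpected": unexpected})
    return findings


if __name__ == "__main__":
    for f in flag_nameservers(parse_o17(SAMPLE_LOG)):
        print(f"interface {f['interface']}: unexpected resolver(s) {', '.join(f['unexpected'])}")
```

Run against the sample it reports the {BF591554-...} interface with both of its resolvers and stays quiet about the router entry. On a live machine the same value sits at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer (HijackThis shortens CurrentControlSet to CCS); resolvers handed out by DHCP go into DhcpNameServer instead, so a populated NameServer value on an interface that is supposed to use DHCP is itself worth a second look, whatever the addresses are.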
 

Czub

Thread Starter
Joined
Feb 22, 2005
Messages
85
Cheeseball.... I deleted the backup of the O17 and that seemed to do the trick. The page is loading correctly now. I didn't know that the O17 could still be accessed. I thought once you checked it and clicked Fix, that it was no longer "active" (for lack of a better word; I don't know all the correct lingo, lol). Thanks for the help. Wouldn't have deleted the backup if you didn't say it was correct to remove it.......
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
I had a feeling once the O17 was gone, you'd be okay.

Glad it got resolved :)

You can mark your thread "Solved" from the Thread Tools drop down menu.
 
