Still got problems!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

angry newby

Thread Starter
Joined
Jul 22, 2003
Messages
39
Logfile of HijackThis v1.95.1
Scan saved at 20:24:15, on 22/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 7.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
O1 - Hosts: 66.250.171.167 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Window Cleaner - {A5DB2BDA-418F-47E8-9718-2FA9089D4E7E} - C:\PROGRA~1\PLAINW~1\WINDOW~1\WINDOW~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDA0BFCE-4731-4A40-92A2-993EFB66BCDC}: NameServer = 195.93.50.134
O19 - User stylesheet: C:\WINDOWS\default.css
 

angry newby

Thread Starter
Joined
Jul 22, 2003
Messages
39
Hi, I downloaded CWShredder and ran it as instructed. Unfortunately it has not got rid of 123FOUND.COM as my home page or the AdultX dialer. Please help me rid my PC of it; I hate seeing it on my desktop!
 
Joined
May 28, 2003
Messages
2,366
Here are a couple of other free programs that might do the trick for you. Download Spybot - Search & Destroy from http://security.kolla.de After installing, first press Online, and search for, put a check mark at, and install all updates. Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED. That ought to get rid of most of your spyware.

Next download & run Ad-Aware, from http://www.lavasoft.de open Ad-Aware & check for updates first then run it.

See if that helps.
 

angry newby

Thread Starter
Joined
Jul 22, 2003
Messages
39
Hi, I downloaded HijackThis version 1.97 and this is the scan log.
Thanks to all who replied!

Logfile of HijackThis v1.97.2
Scan saved at 20:37:32, on 07/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\AdultX.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Tesconet\Tesconet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 1 for hijackthis1.97.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {4E544C53-6967-6E02-BBAD-233AD71832A8} (NTLSignup1 Class) - https://tesco.autoregister.net/tesco/NTLSignup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100
 

angry newby

Thread Starter
Joined
Jul 22, 2003
Messages
39
Hi, I downloaded and ran HijackThis version 1.97; this is the scan log. Thanks a lot for your interest and help!


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\AdultX.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Tesconet\Tesconet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 1 for hijackthis1.97.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {4E544C53-6967-6E02-BBAD-233AD71832A8} (NTLSignup1 Class) - https://tesco.autoregister.net/tesco/NTLSignup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100
 
Joined
Mar 25, 2001
Messages
3,334
an,

You can have HJT remove the following items. Close your browser, check the entry in HJT, click Fix. Reboot.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com


O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n


...this following entry, if you recognize the IP address as that of your ISP or network or router then leave it, otherwise, have HJT fix it too:

O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100



...after rebooting, delete this file if still on your system:

C:\WINDOWS\AdultX.exe -n


Now download Spybot:

http://www.safer-networking.org/index.php?lang=en&page=download

...after installing, have it go online and download all updates then have it check your system for any problems. Everything it finds in RED is safe to fix.

After running Spybot, check your HJT log again. If this entry is still on your log:

O10 - Broken Internet access because of LSP provider 'wps.dll' missing

...then go to this link for the fix:

http://www.cexx.org/lspfix.htm

:)
 
Joined
Aug 18, 2003
Messages
2,438
O17 Domain Hijacking

It's hard to explain this one. Windows uses several registry values to help resolve domain names to IP addresses. Hijacking these can result in redirects of a lot of pages for unknown reasons.

Look at the address first. If it's an odd name or you don't know what it is, put it in your browser.

Do a WhoIs search on it. WhoIs can be very useful indeed in this section.

If it comes to an ISP or a company network then leave it.

Unfortunately, AOL changes these on every sign on to its rubbish service - if you use AOL you will have to live with that.

You could also download Ad-Aware 6 and have it do a thorough cleaning of your unwanted files.

Go here for the free Ad-Aware 6 Personal Build 181: http://www.lavasoft.de/support/download/

Launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

Then see that you have these options checked:
Under Ad-Aware 6 Settings, Tweaks, Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-Aware 6 Settings, Tweaks, Cleaning Engine:
"Let Windows remove files in use after reboot."

Next ...

Run Ad-Aware 6.
Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
Make a Quarantine only if you do not have the Auto-Quarantine option ON.
Then choose "Next" to remove the chosen objects.
Finally ... Reboot

Please read http://forums.techguy.org/t164245/s.html for further instructions, settings, etc.

At that point, a fresh HT log would be useful.

Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

SpywareBlaster v2.6.1
SpywareGuard v2.2

These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
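
The O17 check described in the replies above, as an added example that is not part of the original thread: a small Python parser that pulls the IP addresses out of O1 (Hosts) and O17 (NameServer) lines of a HijackThis log and marks which ones still need a WhoIs lookup. The sample lines are copied from the logs posted here; the function names and the `known` set of ISP or router addresses are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
O1 - Hosts: 66.250.171.167 auto.search.msn.com
O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")      # section code, then detail
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # loose match, validated below


def parse_entries(log_text):
    """Return (code, detail) for each 'R0 - ...' / 'O17 - ...' line, skipping the rest."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def resolver_overrides(entries, known=frozenset()):
    """List IPs from O1 (Hosts file) and O17 (NameServer) entries with a review verdict.

    `known` is the reader's own set of ISP or router addresses (an assumption of
    this example); every other public address is returned as 'whois'.
    """
    findings = []
    for code, detail in entries:
        if code not in ("O1", "O17"):
            continue
        for text in IPV4.findall(detail):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:          # e.g. 999.1.1.1 passed the loose regex
                continue
            if text in known:
                verdict = "known"
            elif ip.is_private or ip.is_loopback:
                verdict = "local"       # RFC 1918 or loopback: a router or the PC itself
            else:
                verdict = "whois"       # look it up before deciding to fix or keep
            findings.append((code, text, verdict))
    return findings


if __name__ == "__main__":
    isp = {"194.168.4.100", "194.168.8.100"}    # treated as the ISP's resolvers here
    for code, ip, verdict in resolver_overrides(parse_entries(SAMPLE_LOG), known=isp):
        print(f"{code:<4}{ip:<18}{verdict}")
```

A "whois" verdict only means the address has not been recognised yet; whether to fix the entry is still decided the way the replies describe, by checking who owns the address.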
 
Joined
Aug 18, 2003
Messages
2,438
You might want to visit http://www.wilderssecurity.net/index.html and download the following:

SpywareBlaster v2.6.1
SpywareGuard v2.2

These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Closed duplicate and merged triplicate. Hopefully everything still flows for you guys......
 

angry newby

Thread Starter
Joined
Jul 22, 2003
Messages
39
Hi all. Many thanks to everyone who replied, I really appreciate the help/instruction. I did as instructed and checked the boxes in my HijackThis log scan, then deleted the Adult-x dialer exe software. This time it did let me delete it so I was very pleased, but!
after this when I connected to the internet no pages would be displayed. I was definitely connected because the icon was displayed and the box showing data speed transfer. Feeling brave! I opened System Restore and restored to a point about a month ago (before all my hassle started). This seems to have worked and I am back online! I see there are now a few more posts to my problem, some suggesting follow up advice about other anti-spyware software and the like. Unfortunately it's hard for me to know what to do next. Obviously I don't want this to happen again but so many options are a little confusing for a newby like me!!
Anyway thanks again for the help regards. Angry Newby.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Post a new hijack this log. Here, in this thread ;)
 