Tom's Guide | Tom's Hardware | Tom's Games
OK, recently some type of spyware/trojan has managed to infect my PC and is causing some really PC-breaking problems. Every time I reboot my PC my IE favourites fill up with porn links, and SpyGuard tells me that my homepage is being changed, along with a few other things. Occasionally an open IE will open a porn website, or one would appear out of nowhere. Now I have tried pretty much everything from Adware to HijackThis and nothing removes whatever's causing this.
I really need some help, so anything will do.

Jay:
If you haven't already, scan for trojans and viruses.
Trojan scans:
PC Flank LINK
Trojan Scan LINK
Solarian

Already done both and still no luck; my mind's going crazy trying to figure this out. I've checked my startup files and none of them are suspicious.

Go to Google and look for Spybot, download it and run it. After the first run you will need to do an upgrade, then re-run Spybot; this program works great. Also go to www.webroot.com and download the trial version of Spy Sweeper; between the two of them they will find almost anything. Good luck
Doc

Done, and still no change. Don't know if this could lead to the problem, but when I reboot/turn off my PC a process win min.exe has to be closed down manually, yet it doesn't appear in the process list.
Could spyware/adware/trojans on other pcs on my network affect my pc?

Of those processes you listed, I did research on each one and they all seem to be legit. Also go to your Startup folder (Start - Programs - Startup) and see if there's anything in there. Check msconfig (Start - Run - type: msconfig) under the startup tab for anything unknown, post anything you don't know.

Well, in the Startup menu there's an exe called Winlogon which seems a bit old, and I know it's not normally there.

There's also a soundmx.exe in the msconfig startup list, but it's never in the task bar process list. Could you also check to see if anyone has winlogon.exe in the task bar process list?

quoted from a website
"winmain.exe One of the first of a new breed of malware. When run it immediately loads MSHTA.exe from the Windows folder, placing it on "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as a program! In other words, it's possible for a "rogue" website to actually embed trojans, worms and/or viruses directly into a web page. BOClean's HTA Stop offers an easy way to toggle this capability, or rather vulnerability, on and off. I suggest you leave it disabled!"

OK, I did some research on winmain.exe and it seems it's not that, as I have the MS patch that deals with that and I used a Symantec tool to search for it. Here's a log from HijackThis; there are a few suspicious items which I've highlighted. After each reboot these items keep changing my homepage, default search page and something else. I'm starting to think it could be down to registry items being changed, but could that cause favourites being added after each boot?
Logfile of HijackThis v1.97.7
Scan saved at 16:08:07, on 29/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common files\Updater\wupdater.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MICROSTAR\Bluetooth Software\BTTray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\MICROS~3\BLUETO~1\BTSTAC~1.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.exe
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\WINDOWS\System32\GEARSEC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JATIND~1\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/spm.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.2442824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

I think these lines are the most suspicious:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/spm.htm

Could you please let me know the answer. I am also having the same (ditto) problem. I tried a lot, but am still facing the problem.
Thanks,
Muthu

Hello Jay, yesterday I disabled C:\WINDOWS\system32\Ati2evxx.exe and one more exe that starts with the same name, ati***xx.exe,
and also disabled the folder option. Now it is looking OK for me.
The manual shut down has gone. But still the home page setting is changing. This is happening while starting the PC. But after that, if you change the home page it is not appearing again, however many times you close IE (this was not the case previously). But if you restart the PC the home page setting changes initially.
After doing all these I still found one more porn site in my IE favorites location; I disabled the site by right clicking and using the properties option.
Now I am not facing the problem which I faced previously.
Temporarily we can quarantine all these items. But this is not the ultimate solution.
If anyone can throw some light in this area it will be appreciated. Thanks guys, all of you, for sharing ideas in this debate.
Cheers,
V Muthu

I'm having the exact same problem, and I've tried everything from HijackThis to all sorts of virus scanners. I installed ZoneAlarm to keep the pop-ups from appearing, and I noticed that winlogon.exe is the program that accesses the internet right before the pop-ups appear.
I checked in my "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" folder and there's the file "winlogon.exe" created 12/12/2003, which is when the problems started appearing. Ctrl-Alt-Deleting to Task Manager shows two "winlogon.exe" processes running at the same time: one a System process, and the other a Default User process. It won't let you manually close either one because it's a "critical system function." "winlogon.exe" also shows up in my HijackThis scans, along with Jay007's:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/spm.htm
I deleted the program through HiJackThis a few days ago, but I chickened out and restored it after a few seconds because I thought that it was a critical process. I went back to delete it today, but HiJackThis won't let me delete it anymore while "the program is running" and I can't end it in TaskManager to make it stop running. Crap! I hope you guys look into this and tell me how you do~
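The checks the replies in this thread do by hand (looking through the Startup folder and msconfig entries, picking out the R0/R1 lines in the HijackThis log that point at allneedsearch.com, and noticing that winlogon.exe is running both from System32 and from the All Users Startup folder) can be scripted over a HijackThis log. The following Python is an added example, not code from the thread, from HijackThis or from any of the posters; the list of system binaries, the System32 path and the trusted-host list are assumptions, and the log excerpt is copied from the log posted above and trimmed.

```python
"""Triage a HijackThis-style log for two patterns discussed in this thread:
a core Windows binary name (winlogon.exe etc.) running or auto-starting from
outside System32, and IE start/search pages redirected to an untrusted host.
Added example; the log excerpt at the bottom is copied from the thread."""
import re
from urllib.parse import urlparse

# Binaries Windows itself starts from %SystemRoot%\System32. A copy of one of
# these registered as a Startup item is a classic persistence/disguise trick.
# Assumption: this list is illustrative, not exhaustive.
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIR = r"c:\windows\system32"      # assumption: default XP install path

# Hosts accepted as a homepage / search provider. Assumption for this example.
TRUSTED_HOSTS = {"www.bbc.co.uk", "www.microsoft.com"}

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")                # running-process path line
R_RE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (\S+)$")  # R0/R1 IE setting lines
O4_RE = re.compile(r"^O4 - (.+?): (.*)$")                # O4 autostart lines
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)  # a path component ending in .exe


def exe_name(text):
    """Return the lower-cased .exe filename mentioned in an entry, or None."""
    m = EXE_RE.search(text)
    return m.group(1).lower() if m else None


def in_system_dir(path):
    return path.strip().lower().startswith(SYSTEM_DIR + "\\")


def check_process(line):
    """Flag a system-binary name running from anywhere but System32, e.g. the
    winlogon.exe the thread found living in the All Users Startup folder."""
    name = exe_name(line)
    if name in SYSTEM_BINARIES and not in_system_dir(line):
        return ("process", f"{name} running from outside System32: {line.strip()}")
    return None


def check_ie_setting(line):
    """Flag R0/R1 start/search page values whose host is not on the trusted list."""
    m = R_RE.match(line)
    if not m:
        return None
    _, key, value, url = m.groups()
    host = (urlparse(url).hostname or "").lower()
    if host and host not in TRUSTED_HOSTS:
        return ("ie-hijack", f"{key}\\{value} -> {host} ({url})")
    return None


def check_autostart(line):
    """Flag O4 entries (Run keys, Startup folders) that launch a system-binary
    name; Windows starts the real ones itself, never from these locations."""
    m = O4_RE.match(line)
    if not m:
        return None
    location, entry = m.groups()
    name = exe_name(entry)
    if name in SYSTEM_BINARIES:
        return ("autostart", f"{name} registered under '{location}': {entry}")
    return None


def triage(log_text):
    """Run every check over each line; return a list of (category, detail)."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if PROCESS_RE.match(line):
            finding = check_process(line)
        else:
            finding = check_ie_setting(line) or check_autostart(line)
        if finding:
            findings.append(finding)
    return findings


# Excerpt of the HijackThis log posted in this thread (copied and trimmed).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/spm.htm
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: winlogon.exe
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Against the excerpt this reports four findings: the Startup-folder winlogon.exe as a running process, the two allneedsearch.com search entries, and the Global Startup winlogon.exe item; the legitimate C:\WINDOWS\system32\winlogon.exe and the bbc.co.uk start page pass. The path check is the important one: Task Manager shows the same name for both copies, so the full path, not the name, is what separates the real process from the impostor.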
