Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Hi, I've been stricken by some kind of virus that starts popping up porn sites at seemingly random moments. The PC-Cillin on my computer keeps notifying me about it but I'm not sure what I can do to get rid of it. I have tried adaware and others with no luck. Any suggestions much appreciated! Here are hijack this scan details:
Logfile of HijackThis v1.97.3
Scan saved at 8:44:51 AM, on 10/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ICO.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\winlogon.exe
C:\WINDOWS\System32\Pelmiced.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Apoint\Apntex.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.exe
C:\Documents and Settings\Richard and Laine\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppcfg.exe /installparams
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Richard and Laine"
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Richard and Laine"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\billmind.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.5124074074
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34DC9BB4-CDA2-4458-97A2-4395C3614C18}: NameServer = 152.163.247.4
I just scanned and it said no viruses detected. But every hour or two I will suddenly have a porn page pop up and PC-Cillin will show an alert that I have a virus and it has been quarantined. I'll get the name next time and post it, but there are two that keep repeating. One is Java something and the other says something about Troja and Winshow. Please let me know if I am doing something wrong regarding Pc-cillin and that is why nothing is turning up. Thanks!
0 
Thanks Tufenuf: I'm afraid I'm too much a novice to understand what it means when the instructions say delete files from the Windows folder. How do I access that folder? Also, it had the following commands to enter:
cd "%WinDir%\System"
regsvr32 /u "..\winshow.dll"
but it doesn't seem to want to accept the second command. Any thoughts? Sorry I am so inept at this and much appreciated.
0
Pest Patrol will detect and remove winshow if you are uncomfortable or having trouble doing it. You can download a free trial version from http://www.wilders.org/ get Spybot/Adaware/Spywareblaster from Wilders while you are there. Your settings for java are insecure. Make sure you have all of Microsoft's critical updates installed. Then go to http://www.grc.com/ and use the "shields up" scan and check out the free stuff at that website. Then do the performance scan at http://www.pcpitstop.com/ and pay special attention to the security settings.
0
I forgot to ask, have you deleted your temp internet files, you open tools at the top of your home page, select internet options and empty the temp internet and off-line content files. You need to do this every so often. You can set it so they are deleted automatically by scrolling down to security and set it so the temp internet files are deleted everytime the browser is closed.
0
rsgray, For the second command follow these instructions:
When you use Regsvr32.exe, it attempts to load the component and call its DLLSelfRegister function. If this attempt is successful, Regsvr32.exe displays a dialog indicating success. If the attempt is unsuccessful, Regsvr32.exe returns an error message, which may include a Win32 error code.
Example: To unregister Winshow's winshow.dll:
Click the Start button, and select Run
Enter this command line:
regsvr32 /u [systemroot]\winshow.dllFor example, in a Windows XP machine in which your systemroot was at c:\winnt, you would enter:
regsvr32 /u c:\winnt\winshow.dll
Note: On your system it's possible that your system root is c:\windows instead of c:\winnt. If this is the case you would then enter:
regsvr32 /u c:\windows\winshow.dllTo find files you would click Start/Search/all files and folders and type in "winshow.dll" (without the quotes), the click "search".
HTH
Tufenuf
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
