unwanted programme and favourites

  mpez 14:27 06 Feb 2005
Locked

Hi

Every time i am on the internet a sex site keeps installing itself , i get a message saying no modem detected - click yes if you have a high rated connection ADSL/cable/lan or click no to check your modem and phone line. I also have 4 sites added themselves to my favourites called sites about which is a folder, only sex website. search the web, seven days of free porn. I am on xp sp2, i have adaware personal (but can only run in safe mode, will not in normal) spyware blaster a squared , did have spybot search and destroy but it is not finding anything and it was disabling its immunization also spywareblaster is disabling its protection in the restricted sites, i have ran all these programmes and still it keeps coming back, I turn off system restore and turn back on after every cleansing. I have phoned bt to block premium and porn diallers, so now i dont know what else to do, oh i forgot i have also got that dreaded about blank page, any help would be gratefullly appreciated

  VoG II 14:32 06 Feb 2005

Please download HijackThis click here

Post a log - see click here

You may need to post in more than one section because of the 800m wortd limit on this site. Please double-space by adding a blank line every other line.

Don't try to "fix" anything until you receive expert advice.

  mpez 14:59 06 Feb 2005

Logfile of HijackThis v1.99.0
Scan saved at 14:39:33, on 06/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\crct32.exe

C:\WINDOWS\system32\RunDll32.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\WINDOWS\system32\epl2.exe

C:\WINDOWS\system32\javahl.exe

C:\WINDOWS\system32\lexpps.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WINZIP\winzip32.exe

  mpez 14:59 06 Feb 2005

C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jvifj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = click here


R3 - Default URLSearchHook is missing


O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5C0FEC2D-DA98-9458-4F80-5D030ABD600A} - C:\WINDOWS\system32\mfcau.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [epl2] C:\WINDOWS\system32\epl2.exe

O4 - HKLM\..\Run: [javahl.exe] C:\WINDOWS\system32\javahl.exe

O4 - HKLM\..\RunOnce: [crct32.exe] C:\WINDOWS\system32\crct32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

  mpez 15:01 06 Feb 2005

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.static.topconverting.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

  mpez 15:01 06 Feb 2005

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)


O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)


O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.125.149 (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - click here

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - click here


O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - click here

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - click here

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - click here

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - click here

O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - click here
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - click here
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - click here
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - click here
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - click here
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{008DDC60-E084-4487-8E65-52223D2D57FA}: NameServer = 62.241.162.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{008DDC60-E084-4487-8E65-52223D2D57FA}: NameServer = 62.241.162.200 158.43.240.3
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\atltj.exe (file missing)

  TomG 15:13 06 Feb 2005

Seems you have some risky sites in your trusted zone

  VoG II 15:15 06 Feb 2005

I've alerted Nellie2 to this. Please await her advice. I can see some dodgy entries too but best to await a complete solution.

  mpez 15:28 06 Feb 2005

i know i could not believe what i saw , thats my kids just clicking willie nillie, even though they are 14 and 17 , i have to get on to them all the time, thanks guys , i will wait for more expert advice

  Nellie2 20:24 06 Feb 2005

Hello

Can you download CWShredder from click here and install it and check for updates.

Next download about:Buster and extract it to your desktop. click here Do not run it yet.

You may want to print these instructions off as you must to the next bit in safe mode and you must be disconnected from the internet.

Now boot into safe mode and make sure you have hidden files and folders set to show. click here for instructions

Now go to Start > Run > services.msc Scroll down to Workstation NetLogon Service double click that service, click on STOP then change its startup type to disabled.

Bring up task manager Ctrl-Alt-Del and end these processes if they are still running

crct32.exe

epl2.exe

javahl.exe

Then find and delete these files

C:\WINDOWS\jvifj.dll

C:\WINDOWS\system32\mfcau.dll

C:\WINDOWS\system32\epl2.exe

C:\WINDOWS\system32\javahl.exe

C:\WINDOWS\system32\crct32.exe

Then run hijackthis and click the scan button, when it has finished scanning put a tick against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jvifj.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5C0FEC2D-DA98-9458-4F80-5D030ABD600A} - C:\WINDOWS\system32\mfcau.dll

O4 - HKLM\..\Run: [epl2] C:\WINDOWS\system32\epl2.exe

O4 - HKLM\..\Run: [javahl.exe] C:\WINDOWS\system32\javahl.exe

O4 - HKLM\..\RunOnce: [crct32.exe] C:\WINDOWS\system32\crct32.exe

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.static.topconverting.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)


O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.125.149 (HKLM)

O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\atltj.exe (file missing)

Run CWShredder and make sure you hit 'fix' as opposed to scan only, let it fix what it finds,

Now double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Reboot back to normal mode and ownload this file to your desktop. click here

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection

Finally run hijackthis again an post a fresh log please

  mpez 09:42 07 Feb 2005

hi hope this is right
Logfile of HijackThis v1.99.0
Scan saved at 09:27:56, on 07/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Fujitsu Lifebook P727 laptop review

11 best portfolio websites for designers and artists

Office for Mac buying guide: Price, Office 2017 rumours & new features

Comment désactiver les programmes qui s'exécutent au démarrage de Windows 10 ?