What in the world is this URL?


fergie
September 16th, 2003, 08:13 PM
Okay, my roommates and I share this computer. One of them is an avid viewer of pornography. He was using the comp the other day, and now, in front of every URL is the URL below: **Not work safe, it takes you to a Russian pornography site, and is written in Cyrillic.**

h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?

and then the URL. I have downloaded and used AdAware and Spyblaster, and it won't get rid of the prefix URL. What do I need to do to get rid of this, as it redirects at random to XXX sites, and I don't like that, and neither does the gf. Please help me!!! Thanks in advance for any suggestions.

Fergie

- disabled the link - LWM

LowWaterMark
September 16th, 2003, 08:33 PM
Hi fergie,

Posting a HijackThis log is the best way for people to help you with this browser hijack problem.

-{ Quote: "Go to http://www.tomcoyote.org/hjt and download "HijackThis!" (via button in the left section with flashing green light next to it). Unzip it. Run the HijackThis.exe file and press the [Scan] button... When the scan is finished, the [Scan] button will change into a [Save Log] button. Press that, save the log somewhere and paste the contents into a post here for us to look at.

Note that much of what will be listed there is correct and should not be fixed. So, just post the output here and let's see if the people here can help identify the problem." }-

Someone should be by soon to help you once you've posted the log.

Best Wishes,
LowWaterMark

fergie
September 16th, 2003, 08:47 PM
-{ Quote: "
Logfile of HijackThis v1.97.2
Scan saved at 6:04:21 PM, on 9/16/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\SMARTDSK\FLASH\FLSHSTAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchaccurate.com/ie2/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmail.nau.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&query=%s&i=enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 169.254.6.176
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.159.20.28 worldsex.com
O1 - Hosts: 66.159.20.28 www.worldsex.com
O1 - Hosts: 66.159.20.29 thehun.net
O1 - Hosts: 66.159.20.29 www.thehun.net
O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Utopia Angel] C:\UTOPIA\ANGEL\ANGEL.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM (HKLM)
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
" }-

This is the log. HTH

Fergie

PS- Thanks for putting the post in the right spot.

FanJ
September 16th, 2003, 08:53 PM
Hi,
I'll let the HijackThis-experts further look at your log.
But a quick reply: that sexyque site is listed in the IE-SPYAD list that puts it in the restricted zone of IE.
But that is of later concern, now you must get rid of all the nasties.....

LowWaterMark
September 16th, 2003, 09:07 PM
Well, the prefixing problem itself is done with those two O13 entries at the bottom of the listing.

I know for sure you should fix all of these. Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = h..p://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = h..p://www.searchaccurate.com/ie2/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h..p://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h..p://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h..p://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h..p://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = h..p://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = h..p://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h..p://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h..p://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h..p://www.puh.ru/search.html
O13 - DefaultPrefix: h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?

I don't know if there is more, as there are a couple items in there I don't know, so you should try fixing the ones I note above and see what that does. Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

fergie
September 16th, 2003, 09:15 PM
-{ Quote: "
Logfile of HijackThis v1.97.2
Scan saved at 6:33:33 PM, on 9/16/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\SMARTDSK\FLASH\FLSHSTAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmail.nau.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&query=%s&i=enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 169.254.6.176
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.159.20.28 worldsex.com
O1 - Hosts: 66.159.20.28 www.worldsex.com
O1 - Hosts: 66.159.20.29 thehun.net
O1 - Hosts: 66.159.20.29 www.thehun.net
O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Utopia Angel] C:\UTOPIA\ANGEL\ANGEL.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Flashpath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM (HKLM)
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
" }-

Here is the new log. Thanks

FanJ
September 16th, 2003, 09:41 PM
Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.


O1 - Hosts: 66.159.20.28 worldsex.com
O1 - Hosts: 66.159.20.28 www.worldsex.com
O1 - Hosts: 66.159.20.29 thehun.net
O1 - Hosts: 66.159.20.29 www.thehun.net

Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

FanJ
September 16th, 2003, 09:48 PM
Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.

O4 - HKCU\..\Run: [Utopia Angel] C:\UTOPIA\ANGEL\ANGEL.EXE

Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

FanJ
September 16th, 2003, 10:18 PM
Close all windows except for HijackThis, check the following items, and then press "Fix checked" button.


O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL

Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

PS:
Info at:
http://www.spywareinfoforum.com/bhos/archives/000170.php
Quote:
X {66993893-61B8-47DC-B10D-21E0C86DD9C8}: iehelper.dll - LinkReplacer
Further info:
http://www.doxdesk.com/parasite/LinkReplacer.html

FanJ
September 16th, 2003, 10:29 PM
Hi Fergie,

Are you using:
1. firewall
2. Antivirus program (AV)
3. AntiTrojan program (AT) ?

What AV are you using?
Would you please update your AV with its latest definitions, and then do a full system scan with it, as deep as possible.

I'm a little bit worried about that angel.exe file.
Let's do, after you did all the mentioned HijackThis fixes, first a full system scan with your AV.
Let us know how it goes, please.

Regards, Jan.

fergie
September 16th, 2003, 11:43 PM
Norton antivirus, and no AT. Don't know what that is even. Angel is from a game...that I no longer play. Any suggestions as to what AT and new AV to run would be appreciated.

The weird URL no longer appears, and none regenerate themselves. Thanks for all the help.

Fergie

Pieter_Arntz
September 17th, 2003, 02:12 AM
Good job, guys.

There is one more that is worrying me:
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

It has the same CLSID as the BHO and I think that is too much to be a coincidence.

Have HijackThis fix that one as well.

As for AT and AV's have a look here: http://www.wilders.org/ and follow the links from there.

Regards,

Pieter
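The three things the helpers picked out of the log by eye (the two O13 prefix entries LowWaterMark points at, the O1 hosts overrides FanJ lists, and the O2/O18 CLSID match Pieter flags) can be pulled out of a HijackThis log mechanically. This is an added example, not code from the thread or a HijackThis feature; it assumes the "Xn - ..." line shape of the logs above and runs on a constructed excerpt of the log posted in this thread.

```python
import re

# Constructed sample in the shape of the HijackThis log posted in this thread;
# the values are copied from that log, not new indicators.
SAMPLE_LOG = r"""
O1 - Hosts: 66.159.20.28 worldsex.com
O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return (code, body) pairs for every 'Xn - ...' line; other lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("code"), m.group("body")) for m in matches if m]

def find_prefix_hijack(entries):
    """O13 lines are IE's DefaultPrefix / WWW Prefix settings. Whatever is listed
    here is glued in front of every URL typed into IE, the symptom in this thread."""
    return [tuple(body.split(": ", 1)) for code, body in entries if code == "O13"]

def find_hosts_redirects(entries):
    """O1 lines are hosts-file overrides; return (hostname, ip) pairs."""
    pairs = []
    for code, body in entries:
        if code == "O1":
            parts = body.partition("Hosts:")[2].split()
            if len(parts) == 2:
                pairs.append((parts[1], parts[0]))
    return pairs

def correlate_clsids(entries):
    """CLSIDs that turn up under more than one entry type. A BHO (O2) and an http
    protocol hijack (O18) sharing one CLSID is the link Pieter points out above."""
    seen = {}
    for code, body in entries:
        for clsid in CLSID_RE.findall(body):
            seen.setdefault(clsid.upper(), set()).add(code)
    return {c: sorted(v) for c, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("O13 prefixes:", find_prefix_hijack(found))
    print("hosts overrides:", find_hosts_redirects(found))
    print("shared CLSIDs:", correlate_clsids(found))
```

On the excerpt above the shared-CLSID check returns only the IEHELPER.DLL GUID, tied to both O2 and O18, while the legitimate &Radio toolbar GUID appears once and is left alone.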

FanJ
September 17th, 2003, 02:18 AM
Thanks Pieter :D
I'm trying to learn it a little bit from you ;)

Pieter_Arntz
September 17th, 2003, 02:26 AM
Oops,

This one is bad news too:
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H

http://research.pestpatrol.com/PestInfo/Pest_Detail.asp?id=453060662

Checkout
September 18th, 2003, 02:27 PM
-{ Quote (fergie): "Okay, my roommates and I share this computer. One of them is an avid viewer of pornography." }-

One final tip to help you prevent reinfection: close all windows, including HijackThis, but not the one overlooking the street. Throw your roommate out of it.

8)

eyespy
September 18th, 2003, 10:39 PM
-{ Quote (Checkout): "
-{ Quote (fergie): "Okay, my roommates and I share this computer. One of them is an avid viewer of pornography." }-

One final tip to help you prevent reinfection: close all windows, including HijackThis, but not the one overlooking the street. Throw your roommate out of it.

8)
" }-
CO,

Hehe ! That's funny !! ;D ;D

Hopefully, with no FireWall, the Roommate will pass right through !!

Thanks for the chuckle !! ;D

regards,
bill