Automatic URL changes


bavary
November 5th, 2003, 08:56 PM
Hi guys,

I'm not very savvy, so please please please help me out.

I don't even know when this started, but it's been happening for a very long time. Every time I go online, after 1/2 hour, a porn page will pop up even though I have anti-popup programs. After I close that page, all the links on the page that I am looking at will turn into links that will take me to the porn page again. To get rid of it, I have to either close the browser, or refresh the page. I cannot believe something like this can happen, but I've downloaded a bunch of anti-spyware programs like Adware, Spybot, CWshredder, you name it. I've also briefly searched Google for what this thing might be, and I found nothing. If you can tell me what it is and how I can get rid of it, I owe you my life. It happens EVERY time I go online these days, and it's the most annoying thing in the world.

If you don't know the answer to my question, but can suggest another forum that might be able to help, please link me.

Thank you so much.

Detox
November 5th, 2003, 09:38 PM
Alrighty, try downloading HijackThis!

from http://www.wilderssecurity.com/attachments/hijackthis1973.zip

and run a scan. Do not fix anything yet, as a lot of the things it finds are indeed supposed to be there. "save log" and paste it in this thread, and one of our HijackThis experts will tell ya what needs fixing in no time ;)

bavary
November 5th, 2003, 09:49 PM
Logfile of HijackThis v1.97.3
Scan saved at 9:47:57 PM, on 11/5/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svcpack.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Stickies\Stickies.exe
C:\windows\winlogon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\NetZero\zCast.exe
C:\Program Files\NetZero\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: NetZero and NZ Platinum.lnk = C:\Program Files\NetZero\nzStart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9217ED15-26DF-4FB2-89DE-85BF28698304}: NameServer = 64.136.20.121 64.136.20.133

Pieter_Arntz
November 6th, 2003, 03:16 AM
Hi bavary,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

Then reboot and delete:
c:\windows\winlogon.exe <= make sure to get the right one, other files called winlogon.exe will be on your computer, but they are the "real thing"

You should install SP1 for IE6 and all the security patches issued afterwards.

Regards,

Pieter
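
The check behind the reply above, as an added example that is not part of the original thread: a startup entry or running process that borrows the name of a core Windows binary but sits outside System32, like `c:\windows\winlogon.exe` in the posted log. The function names, the list of System32-only names and the assumption that SystemRoot is `C:\WINDOWS` are illustrative choices made for this example.

```python
import re
from pathlib import PureWindowsPath
# Assumption: core Windows binaries expected only in C:\WINDOWS\System32.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\windows\winlogon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
"""
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

def exe_path(command):
    """Return the executable part of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):              # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def is_masquerade(path):
    """True if a full path reuses a system process name outside System32."""
    p = PureWindowsPath(path)                # bare names are not judged here
    return (p.is_absolute() and p.name.lower() in SYSTEM32_ONLY
            and str(p.parent).lower() != SYSTEM32_DIR)

def find_masquerades(log_text):
    """Return (source, path) for each suspicious process or Run entry."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        run = O4_RUN.match(line)
        if run:
            source = f"{run.group(1)} Run [{run.group(2)}]"
            path = exe_path(run.group(3))
        elif PROCESS.match(line):
            source, path = "running process", line
        else:
            continue
        if is_masquerade(path):
            findings.append((source, path))
    return findings

print(find_masquerades(SAMPLE_LOG))
```

A hit here is a lead to verify by hand, not proof: the name list is deliberately short and the path comparison assumes a default Windows directory.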

bavary
November 6th, 2003, 05:16 PM
Hi Pieter, thanks a lot for responding.

I deleted the two things with Hijack This, and when I rebooted, I couldn't find the file c:\windows\winlogon.exe. Does this mean it has already been deleted and everything should be okay?

Pieter_Arntz
November 7th, 2003, 02:46 AM
Hi bavary,

If you cannot find it, it may be a hidden file.
To "unhide" hidden files and folders:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Make sure that the Show hidden files and folders radio button is selected and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then Like Current Folder (located near the top of the Folder Options box). Then select OK.

If you can't find it then, the startup entry was probably orphaned.

Regards,

Pieter

bavary
November 7th, 2003, 05:27 PM
Hi Pieter,

I followed the steps and I still cannot find the file. So far I haven't had problems, so thanks a lot for taking your time out to help me. If the problems occur again, I'll post another reply on this thread.

Pieter_Arntz
November 7th, 2003, 05:39 PM
Hi bavary,

It should be gone then.
And certainly, if you have any problems, let us know.

Regards,

Pieter