#1
doing this for a mate ... The problem is
Anyone know how to get rid of trojan software that's attached itself to my pc? It's added 4 pornsites to my bookmarks and changed my homepage, it's annoying the shit out of me. I've tried removing them manually but every time I reboot there they are again. Also if I leave the pc for half an hour pornsites just suddenly open up and are impossible to close. Name of Trojan? Ta in advance
#2
There is more than one out there that would fit the description, so do this: download and run this program

HijackThis Quick Start Help http://www.tomcoyote.org/hjt/

HijackThis is a utility which creates a list of everything which starts up when you boot your computer, plus a few other items. Download it to your desktop, run it, then cut and paste the information it contains in your next post and let's see if it comes up with anything that can help.
__________________
Missing Kids http://www.bigcatrescue.org/
#3
cheers bud, will do
will be tomorrow mind, coz the bloke I'm doing this for ain't about at the mo
#4
here goes then ..
```
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Documents and Settings\Andy Cudworth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: MSupdate.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
```
#5
Hi rudders,

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

```
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Global Startup: MSupdate.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
```

Then reboot and delete:

MSupdate.exe

Since you clipped your Windows version and the version of HijackThis, I cannot be sure if I got all of CWS, so please download, unzip and run CWShredder as an extra check.

Regards,
Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.
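The by-eye triage from post #5, sketched as an added example that is not part of the original thread: it splits a HijackThis log into section entries, reports a clipped header, and surfaces entries for manual review. The function names, the header prefixes and the two review rules are assumptions of this example, and a hint is a prompt to investigate, not a verdict.

```python
import re

# Section codes that occur in the log in post #4 (descriptions are summaries).
SECTIONS = {"R0": "IE start/search page", "R1": "IE default page/search",
            "O2": "Browser Helper Object", "O3": "IE toolbar",
            "O4": "autostart entry", "O9": "IE extra button/menu item",
            "O12": "IE plugin", "O16": "downloaded ActiveX control (DPF)"}
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Assumption: a complete log starts with these header lines; post #4 has neither.
HEADER_PREFIXES = ("Logfile of HijackThis", "Platform:")

# Excerpt of the log from post #4, one entry per line.
SAMPLE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - Global Startup: MSupdate.exe
"""

def parse(log_text):
    """Return ([(code, body), ...], [header prefixes missing from the log])."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    missing = [p for p in HEADER_PREFIXES
               if not any(l.startswith(p) for l in lines)]
    entries = [m.groups() for m in map(ENTRY.match, lines) if m]
    return entries, missing

def review_hints(entries):
    """Pick entries that deserve a manual look, with the reason for each."""
    hints = []
    for code, body in entries:
        if body.endswith("(no file)"):
            hints.append((code, body, "registered component whose file is missing"))
        elif code == "O4" and re.match(r"(Global )?Startup:", body):
            hints.append((code, body, "Startup-folder item: confirm what installed it"))
    return hints

if __name__ == "__main__":
    entries, missing = parse(SAMPLE)
    if missing:
        print("header clipped, missing:", ", ".join(missing))
    for code, body, why in review_hints(entries):
        print(f"{code} ({SECTIONS.get(code, 'unknown')}): {body}\n    -> {why}")
```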
#6
cheers for your time & effort mate, tiz well appreciated
now sorted, between you and me tho mate, methinx the bugger got outside help anyway, once again i say fanks
#7
Hi rudders,
As long as it is solved. Outside help is always better than an inside job.

Regards,
Pieter
#8
these pron site dialers are real hectic to get rid of manually for u dont edit the registry. every time u search for the .exe name and delete the found results, after booting they re-appear. this is because the dialer is mainly stored in the windows system32 or windows system folder and an instance of this program along with the path in the system registry. the best way to get rid of this pron dialer or exe is to remove it from the registry entry so that its not reloaded again and again after booting.

the instances after booting can be found under

1 : Start Menu
2 : Start>Programs
3 : Start>Programs>Accessories

first u must delete the registry entries from the following places. in the run command type regedit and press enter. when the registry editor opens up go to Edit and then Find and search for the following registry paths

```
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
```

all will have the data part as "Info="c:\directory\prondialer.exe"

just delete each of the data items from the registry and press F5 button to make the changes permanent. then u must reboot the computer and then manually delete the dialer exe from the windows system / system32 folders. i am sure that you wont get harassed by these dialer exe any longer.

[note: if ur not familiar with the registry editor then u may take the help of some one who can help u out in doing so.]

thanks u
__________________
I See It All..........
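A read-only way to review the six keys named in post #8 before deleting anything, as an added example that is not part of the original thread: it reads registry export (.reg) text, lists the string values under those keys, and marks programs sitting directly in the Windows system or system32 folder. The sample export, `example-dialer.exe` and the function names are constructed for this example.

```python
import re

# The six autostart keys listed in post #8, compared case-insensitively.
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce")}
# "name"="data" lines; only plain string values are read, hex-encoded ones are skipped.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# An .exe directly inside <drive>:\windows\system or system32.
SYSTEM_EXE = re.compile(r'^"?[a-z]:\\windows\\system(32)?\\[^\\"/]+\.exe\b', re.I)

# Constructed sample in .reg export format (not taken from the thread).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Info"="c:\\windows\\system32\\example-dialer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
"""

def unescape(s):
    """Undo .reg escaping, where backslash and quote carry a leading backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def autoruns(reg_text):
    """Return (key, value name, command) for string values under the six keys."""
    found, key = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if line[1:-1].lower() in RUN_KEYS else None
        elif key and (m := VALUE.match(line)):
            found.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return found

def suspects(reg_text):
    """Autoruns whose program is directly in the system or system32 folder."""
    return [row for row in autoruns(reg_text) if SYSTEM_EXE.match(row[2])]

if __name__ == "__main__":
    for key, name, command in autoruns(SAMPLE):
        mark = "REVIEW" if SYSTEM_EXE.match(command) else "      "
        print(f"{mark} {key} :: {name} = {command}")
```

Files exported by the Registry Editor in this format are UTF-16, so decode them before passing the text in.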