Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
Hi,
I've had for a while an issue with IE6, my home page keeps coming back to terra.es/personal9/teenslook. I have run Lavasoft, Spybot and HijackThis, rebooted several times but it keeps coming back every time, HELP!!
#2
Hi Pharmajem,
Can you please post your HijackThis log here?
Thnx
Cheers,
__________________
TonyKlein's "How can I be better protected?"
#3
Hi, thx for the quick feedback. Here is the log. I've tried many times to fix the last keys but they always come back after I reboot

Logfile of HijackThis v1.97.7
Scan saved at 13:49:08, on 25/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\sysvol.exe
C:\WINNT\System32\sndvol32a.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\csrsc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
P:\Users\GB000217\JEM\New Folder\download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal9/teenslook/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terra.es/personal9/teenslook/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal9/teenslook/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terra.es/personal9/teenslook/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.terra.es/personal9/teenslook/search.html
#4
Ah, that's not the complete log, there's more
Make sure you got the complete log and paste here again
Thnx!
Cheers,
__________________
TonyKlein's "How can I be better protected?"
#5
Well, that's all the log shows up, really. I've copied it all!!
#6
There is no scroll?
Alternatively, in HijackThis click Config > Misc Tools > Generate Startuplist
This will produce a text file. Post the content of that one.
Regards,
Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
#7
OK, here you go (note that I attempted to fix again the teenslook keys but not re-booted yet, so they won't show up on this log):

StartupList report, 25/05/2004, 14:46:12
StartupList version: 1.52
Started from : P:\Users\GB000217\JEM\New Folder\download\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\sysvol.exe
C:\WINNT\System32\sndvol32a.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\csrsc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
P:\Users\GB000217\JEM\New Folder\download\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

vptray = C:\PROGRA~1\NavNT\vptray.exe
Synchronization Manager = mobsync.exe /logon
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
sysvol32 = C:\WINNT\System32\sysvol.exe systray
sndvol32 = C:\WINNT\System32\sndvol32a.exe systray

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
csrsc = C:\WINNT\system32\csrsc.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://housecall.trendmicro-europe.c...ll/Xscan53.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.co...009.1080671296

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\SWFLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://alcon.webex.com/client/latest/webex/ieatgpc.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\system32\webcheck.dll

--------------------------------------------------

End of report, 4,753 bytes
Report generated in 0.180 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#8
Also found that I had loads of "Exclude" in the HijackThis setup (Silly me!). Cleared them all and I've got now a much larger log:

Logfile of HijackThis v1.97.7
Scan saved at 14:52:31, on 25/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\sysvol.exe
C:\WINNT\System32\sndvol32a.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\csrsc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
P:\Users\GB000217\JEM\New Folder\download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.msn.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = chedc017:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.alconnet.com;*.nestec.ch;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\www.msn.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.alconlabs.com/
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysvol32] C:\WINNT\System32\sysvol.exe systray
O4 - HKLM\..\Run: [sndvol32] C:\WINNT\System32\sndvol32a.exe systray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [csrsc] C:\WINNT\system32\csrsc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.c...ll/Xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...009.1080671296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://alcon.webex.com/client/latest/webex/ieatgpc.cab
#9
Hi Pharmajem,
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [sysvol32] C:\WINNT\System32\sysvol.exe systray
O4 - HKLM\..\Run: [sndvol32] C:\WINNT\System32\sndvol32a.exe systray
O4 - HKCU\..\Run: [csrsc] C:\WINNT\system32\csrsc.exe

Then reboot and put the following files in a zip folder for me please

C:\WINNT\System32\sysvol.exe
C:\WINNT\System32\sndvol32a.exe
C:\WINNT\system32\csrsc.exe

Send that zipfile to the address in my profile
Regards,
Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
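
A triage sketch for the O4 autorun entries in the log above, added here as an example and not code from the thread or from HijackThis: it parses the O4 lines and flags image names that sit within a small edit distance of a genuine Windows binary name without matching it. The `KNOWN` list and the distance threshold are assumptions of this example, not the method the helpers in the thread used.

```python
import re

# Assumption of this example: a short list of genuine Windows image names.
KNOWN = ["csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "services.exe",
         "winlogon.exe", "sndvol32.exe", "internat.exe", "mobsync.exe"]
# O4 lines copied from the second HijackThis log in the thread.
LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysvol32] C:\WINNT\System32\sysvol.exe systray
O4 - HKLM\..\Run: [sndvol32] C:\WINNT\System32\sndvol32a.exe systray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [csrsc] C:\WINNT\system32\csrsc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"""
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$")
IMAGE_RE = re.compile(r'([^\\"]+?\.exe)\b', re.I)

def parse_o4(line):
    """Return (location, name, image) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("["):          # Run key: "[value name] command"
        name, _, command = rest[1:].partition("] ")
    else:                             # startup folder: "shortcut = target"
        name, _, command = rest.partition(" = ")
    img = IMAGE_RE.search(command)
    return m.group("loc"), name, img.group(1).lower() if img else ""

def distance(a, b):
    """Levenshtein edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(log, max_dist=2):
    """Return (entry, known_name) pairs whose image is near, but not equal to, a known name."""
    entries = filter(None, map(parse_o4, log.splitlines()))
    return [(e, k) for e in entries for k in KNOWN
            if 0 < distance(e[2], k) <= max_dist]
```

On this log the check flags `sndvol32a.exe` and `csrsc.exe` but not `sysvol.exe`, so name similarity narrows the list for manual review and does not replace it.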
#10
Just to wrap up for the benefit of other forum members,
All is resolved now, this is fabulous help from you all, million thanks.