help me!! something's taken over my computer!

Discussion in 'malware problems & news' started by finnman1, May 18, 2004.

Thread Status:
Not open for further replies.
  1. finnman1

    finnman1 Registered Member

    May 17, 2004
    Hi, I've got a big problem. I have some kind of spyware or something that has taken over my Internet Explorer browser. My boyfriend always looks at porn on my computer and spyware always gets downloaded. I can always get it off by using Ad-aware, Spybot 2.6.1, and SpywareBlaster. But now, this one isn't being detected.
    I would download Spybot 3.1 but the problem is, it starts my homepage at hxxp:// . The problem is that when I try to download any new kind of freeware or any new spyware removal program, it automatically re-directs me to hxxp:// OR hxxp:// .
    No matter what I try it doesn't work. Most of the time, any kind of links are automatically re-directed to one of the above 3 websites. I can't download any kind of file, it just re-directs me to the porn sites. I am familiar w/ computers so any kind of help... even technical would help.
    I have McAfee and it doesn't detect it either. I try to change my homepage and 3 seconds later, it automatically puts it back to the "". I am clueless to this problem.. I can't even check my bank statements online anymore because I get redirected to the porn sites when I try to access my bank website. Please help!! :rolleyes:
    Thank you for your time,
    Last edited by a moderator: May 18, 2004
  2. finnman1

    finnman1 Registered Member

    May 17, 2004
    Also, since I cannot download 'hijackthis', is there any way I can purchase it and have it mailed to me?? ANY help would be great. Thank you,
    Last edited by a moderator: May 18, 2004
  3. badboy

    badboy Guest

    One thing you could do is download 'hijack this' to a floppy disk on a friend's computer or at your local library computer. Hope this helps.
  4. snapdragin

    snapdragin Administrator

    Feb 16, 2002
    Southern Ont., Canada
    Hi finnman1,

    Since you are able to post here at this site, it may also be possible to download CWShredder from here too.

    Please go to this link:

    Right-click on and save it to your hard drive. Go offline, and unzip it. Make sure you have closed ALL browsers and any running applications, then run the program by clicking the "Fix" button (not "scan only"). Follow the instructions you will receive when the program runs.

    Also, download HijackThis from this link by right-clicking the zip file and saving it to your hard drive:

    Once you have downloaded HijackThis, create a new, permanent folder on your C drive and unzip HijackThis.exe into the new folder. Run the program, then when the scan is finished, the "Scan" button will change to a "Save Log" button. Press the "Save Log" button. Copy and paste its contents here. NOTE: Most of what it lists will be harmless and even essential - so, do NOT fix anything yet. Someone will review your log and give you instructions on what needs to be fixed.

    Try the above first, and if you are unable to save the above to files, then post back here.

    BTW..what is your operating system?


    Last edited: May 18, 2004
  5. finnman11

    finnman11 Guest

    Thanks guys. I downloaded CWShredder and HijackThis. Here is my log file. What should I do next??

    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:57 AM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Dpi\dpi.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll (file missing)
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - (no file)
    O3 - Toolbar: (no name) - {F76BA917-E811-4240-A212-92AE0E99FD5F} - (no file)
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1424.0\en-us\msntb.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [hgwgrdf] rundll32 C:\WINDOWS\System32\hgwgrdf.dll,Init 1
    O4 - HKLM\..\Run: [Video driver] c:\exe.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFREE.EXE"
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: DLHelperEXE.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) -
    O16 - DPF: {11111111-1111-1111-1111-111111111123} -
    O16 - DPF: {11111111-1111-1111-1111-111111111237} -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) -
    O16 - DPF: {CCA6CE4C-2199-4A4F-9542-12E0163D6841} (Dialer Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) -
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,5,0,4338/
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) -
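
Added example, not part of any post in this thread and not HijackThis's own code: a read-only parser for the log format posted above, which labels each entry with its section meaning, marks entries whose file is reported as "(no file)" or "(file missing)", and breaks the O4 startup entries into fields for a reviewer. The function names and the choice of excerpt lines are assumptions made for this illustration.

```python
import re

# Section codes that occur in the log above, with their HijackThis meaning.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "F1": "autostart from win.ini",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)", "O6": "IE policy restriction",
    "O8": "IE context-menu item", "O9": "IE extra button/Tools item",
    "O13": "IE URL prefix", "O16": "ActiveX (Downloaded Program Files)",
}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
ORPHANED = ("(file missing)", "(no file)")  # registry entry whose file is gone
# Excerpt copied from the log posted above.
SAMPLE = r"""
Logfile of HijackThis v1.97.7
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll (file missing)
O4 - HKLM\..\Run: [Video driver] c:\exe.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

def parse(log_text):
    """Return one dict per log entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            code, detail = m.groups()
            entries.append({"code": code, "detail": detail,
                            "meaning": SECTIONS.get(code, "unknown section"),
                            "orphaned": detail.endswith(ORPHANED)})
    return entries

def autoruns(entries):
    """Split O4 entries into (location, name, command) for manual review."""
    rows = []
    for e in (e for e in entries if e["code"] == "O4"):
        location, _, rest = e["detail"].partition(": ")
        m = re.match(r"\[(.+?)\] (.+)$", rest)
        # Run-key form is "[name] command"; Startup-folder form is "name = target" or a bare name.
        name, command = m.groups() if m else rest.partition(" = ")[::2]
        rows.append((location, name, command or name))
    return rows

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e["code"], e["meaning"], "ORPHANED" if e["orphaned"] else "", e["detail"])
```

The parser only reads and classifies; deciding which entries to fix remains a reviewer's call, as the instructions earlier in the thread say.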
  6. what?

    what? Guest

    All hijackthis logs need to be posted in the Adware, spyware & hijack cleaning section of this site. Good luck.
  7. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands

    Your log file indeed belongs to the forum mentioned right above. Since that particular forum is for registered members only, please log in as a member (since you obviously are one) and repost your log file in a newly started thread, so our team can address it.

    No offense intended, but this thread has been closed.

