Help please

Discussion in 'adware, spyware & hijack cleaning' started by rudders, Nov 14, 2003.

Thread Status:
Not open for further replies.
  1. rudders

    rudders Guest

    doing this for a mate ... The problem is

    Anyone know how to get rid of trojan software that's attached itself to my pc, it's added 4 pornsites to my bookmarks and changed my homepage, it's annoying the **** out of me, i've tried removing them manually but everytime i reboot there they are again. Also if i leave the pc for half an hour pornsites just suddenly open up and are impossible to close name of Trojan ? ta in advance :cool:
  2. Primrose

    Primrose Registered Member

    Sep 21, 2002
    There are more than one out there that would fit the description so do and run this program

    HijackThis Quick Start Help

    hijack this is a utility which creates a list of everything which starts up when you boot your computer plus a few other items.

    Download it to your desk it..then cut and paste the information it contains in your next post and lets see if it comes up with anything that can help.
  3. rudders

    rudders Guest

    cheers bud , will do :cool:

    will be tomorrow mind , coz the bloke i`m doing this for aint about at the mo
  4. rudders

    rudders Guest

    here goes then ..

    Running processes:
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Documents and Settings\Andy Cudworth\Local Settings\Temp\Temporary Directory 2 for\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: MSupdate.exe
    O9 - Extra button: (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Literati -
    O16 - DPF: Yahoo! Pool 2 -
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi rudders,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - Global Startup: MSupdate.exe

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

    Then reboot and delete:

    Since you clipped your Windows version and the version of HijackThis, I can not be sure if I got all of CWS, so please download, unzip and run CWShredder as an extra check.


  6. rudders

    rudders Guest

    cheers for your time & effort mate , tiz well appreciated :cool: now sorted , between you and me tho mate , methinx the bugger got outside help :eek: anyway , once again i say fanks :cool:
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi rudders,

    As long as it is solved.

    Outside help is always better then an inside job. ;)


  8. Third_Eye

    Third_Eye Registered Member

    Nov 17, 2003
    these pron site dialers are real hectic to get rid of manually for u dont edit the registry. everytime u search for the .exe name and delete the found results after booting they re-appear. this is because the dialer is maily stored in the windows system32 or windows system folder and an instance of this program along with the path in the system registry. the best way to get rid of this pron dialer or exe is to remove it from the registry entry so that its not reloaded again and again after booting.

    the instances after booting can be found under

    1 : Start Menu
    2 : Start>Programs
    3 : Start>Programs>Accesories

    first u must delete the registry entries from the following places.

    in the run command type regedit and pres enter
    when the registry editor opens up go to Edit and then Find and search for the folowing registry paths







    all will have the data part as
    just delete each of the data items from the registry and press F5 button to make the changes permanent.

    then u must rebot the computer and then manually delete the dialer exe from the windows system / system32 folders.

    i am sure that you wont get harassed by these dialer exe any longer.

    [note: if ur not familiar with the registry editor then u may take the help of some one who can help u out in doing so.]

    thanks u
Thread Status:
Not open for further replies.