Help please

Discussion in 'adware, spyware & hijack cleaning' started by rudders, Nov 14, 2003.

Thread Status:
Not open for further replies.
  1. rudders

    rudders Guest

    doing this for a mate ... The problem is

    Anyone know how to get rid of trojan software that's attached itself to my PC? It's added 4 porn sites to my bookmarks and changed my homepage. It's annoying the **** out of me. I've tried removing them manually, but every time I reboot, there they are again. Also, if I leave the PC for half an hour, porn sites just suddenly open up and are impossible to close. Name of Trojan? Ta in advance :cool:
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    There is more than one out there that would fit the description, so do this: download and run this program.

    HijackThis Quick Start Help

    http://www.tomcoyote.org/hjt/

    HijackThis is a utility which creates a list of everything which starts up when you boot your computer, plus a few other items.

    Download it to your desktop, run it, then cut and paste the information it contains in your next post and let's see if it comes up with anything that can help.
     
  3. rudders

    rudders Guest

    cheers bud , will do :cool:

    will be tomorrow mind , coz the bloke i`m doing this for aint about at the mo
     
  4. rudders

    rudders Guest

    here goes then ..

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Documents and Settings\Andy Cudworth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: MSupdate.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi rudders,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - Global Startup: MSupdate.exe

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

    Then reboot and delete:
    MSupdate.exe

    Since you clipped your Windows version and the version of HijackThis, I can not be sure if I got all of CWS, so please download, unzip and run CWShredder as an extra check.

    Regards,

    Pieter
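
An added example, not part of the thread and not HijackThis's own code: a small Python parser for the log format posted above that pulls out the kinds of entries singled out in this reply (a BHO with no file behind it, a startup-folder item, ActiveX download sources). The sample log, CLSIDs and hosts are constructed, and the review rules are assumptions meant as prompts for a human reviewer.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the log format posted above; every name, CLSID and URL is made up.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\example.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.test/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - (no file)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -boot
O4 - Global Startup: example-updater.exe
O16 - DPF: {99999999-8888-7777-6666-555555555555} (Example Control) - http://download.example.test/control.cab
"""

ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")  # "<section> - <detail>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

def parse_log(text):
    """Return (section, detail) pairs; the process list and blank lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def review_notes(entries):
    """Mark entries for a human to look at. These rules are review prompts, not verdicts."""
    notes = []
    for section, detail in entries:
        clsid = CLSID_RE.search(detail)
        ident = clsid.group(0) if clsid else detail
        if detail.endswith("(no file)"):
            notes.append((section, ident, "registered, but the file behind it is missing"))
        elif section == "O4" and detail.startswith(("Startup:", "Global Startup:")):
            item = detail.split(": ", 1)[1]
            notes.append((section, item, "startup-folder item; confirm what installed it"))
        elif section == "O16" and (url := URL_RE.search(detail)):
            host = urlsplit(url.group(0)).hostname
            notes.append((section, ident, f"ActiveX control downloaded from {host}"))
    return notes

if __name__ == "__main__":
    for section, ident, why in review_notes(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {ident}: {why}")
```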
     
  6. rudders

    rudders Guest

    cheers for your time & effort mate , tiz well appreciated :cool: now sorted , between you and me tho mate , methinx the bugger got outside help :eek: anyway , once again i say fanks :cool:
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi rudders,

    As long as it is solved.

    Outside help is always better than an inside job. ;)

    Regards,

    Pieter
     
  8. Third_Eye

    Third_Eye Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    7
    these pron site dialers are real hectic to get rid of manually for u don't edit the registry. every time u search for the .exe name and delete the found results after booting they re-appear. this is because the dialer is mainly stored in the windows system32 or windows system folder and an instance of this program along with the path in the system registry. the best way to get rid of this pron dialer or exe is to remove it from the registry entry so that it's not reloaded again and again after booting.

    the instances after booting can be found under

    1 : Start Menu
    2 : Start>Programs
    3 : Start>Programs>Accessories

    first u must delete the registry entries from the following places.

    in the run command type regedit and press enter
    when the registry editor opens up go to Edit and then Find and search for the following registry paths

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    all will have the data part as
    "Info"="c:\directory\prondialer.exe"
    just delete each of the data items from the registry and press F5 button to make the changes permanent.

    then u must reboot the computer and then manually delete the dialer exe from the windows system / system32 folders.

    i am sure that you won't get harassed by these dialer exe any longer.

    [note: if ur not familiar with the registry editor then u may take the help of some one who can help u out in doing so.]

    thanks u
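
An added example, not part of the thread: a Python sketch that reads a registry export (.reg text saved from regedit before anything is deleted) and lists every value under the six autostart keys named in the post above, with the program each one launches. The sample export, value names and paths are constructed, and the `\windows\system` / `\windows\system32` check assumes the default Windows directory name.

```python
import re

BASE = r"\software\microsoft\windows\currentversion" + "\\"
# The six autostart keys listed in the post above, lower-cased: key names are case-insensitive.
AUTORUN_KEYS = ({"hkey_local_machine" + BASE + k for k in ("run", "runonce", "runservices", "runservicesonce")}
                | {"hkey_current_user" + BASE + k for k in ("run", "runonce")})

# Constructed sample in .reg export format; every value name and path is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" -boot"
"Info"="c:\\windows\\system32\\example-dialer.exe"
"Unquoted"="C:\\Program Files\\Example Tool\\scan.exe /quiet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"InstallDir"="C:\\Program Files\\Example"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Expand"=hex(2):25,00,77,00,69,00,6e,00,00,00
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')    # "name"=<data>
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')        # <data> that is a plain string
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=[\s,]|$)", re.I)
SYSDIR_RE = re.compile(r"^[a-z]:\\windows\\system(?:32)?\\", re.I)

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escaping: \\ -> \ and \" -> "

def executable_of(command):
    """Quoted path, else text up to the first program extension, else the first token."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]

def autoruns(reg_text):
    """List every value under the six keys; non-string data is kept with command=None."""
    rows, key = [], ""
    for line in reg_text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            key = line.strip()[1:-1]
        elif key.lower() in AUTORUN_KEYS and (m := VALUE_RE.match(line)):
            s = STRING_RE.match(m.group(2).rstrip())
            command = unescape(s.group(1)) if s else None
            exe = executable_of(command) if command else None
            rows.append({"key": key, "name": unescape(m.group(1)), "command": command,
                         "exe": exe, "in_system_dir": bool(exe and SYSDIR_RE.match(exe))})
    return rows

if __name__ == "__main__":
    print(*autoruns(SAMPLE_REG), sep="\n")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `autoruns`.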
     