Help with teenslook

Discussion in 'adware, spyware & hijack cleaning' started by Pharmajem, May 25, 2004.

Thread Status:
Not open for further replies.
  1. Pharmajem

    Pharmajem Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hi,

    I've had an issue with IE6 for a while: my home page keeps coming back to terra.es/personal9/teenslook.

    I have run Lavasoft, Spybot and HijackThis, and rebooted several times, but it keeps coming back every time. HELP!!
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Pharmajem,

    Can you please post your HijackThis log here?

    Thnx

    Cheers,
     
  3. Pharmajem

    Pharmajem Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Hi, thx for the quick feedback. Here is the log. I've tried many times to fix the last keys but they always come back after I reboot :(



    Logfile of HijackThis v1.97.7
    Scan saved at 13:49:08, on 25/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\sysvol.exe
    C:\WINNT\System32\sndvol32a.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\csrsc.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    P:\Users\GB000217\JEM\New Folder\download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal9/teenslook/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.terra.es/personal9/teenslook/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.es/personal9/teenslook/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.terra.es/personal9/teenslook/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.terra.es/personal9/teenslook/search.html
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ah, that's not the complete log, :)

    there's more

    Make sure you got the complete log and paste here again

    Thnx!

    Cheers,
     
  5. Pharmajem

    Pharmajem Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Well, that's all the log shows up, really. I've copied it all!!
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    There is no scroll?

    Alternatively, in HijackThis click Config > Misc Tools > Generate Startuplist
    This will produce a text file. Post the content of that one.

    Regards,

    Pieter
     
  7. Pharmajem

    Pharmajem Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    OK, here you go (note that I attempted to fix the teenslook keys again but have not rebooted yet, so they won't show up on this log):


    StartupList report, 25/05/2004, 14:46:12
    StartupList version: 1.52
    Started from : P:\Users\GB000217\JEM\New Folder\download\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\sysvol.exe
    C:\WINNT\System32\sndvol32a.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\csrsc.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    P:\Users\GB000217\JEM\New Folder\download\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    vptray = C:\PROGRA~1\NavNT\vptray.exe
    Synchronization Manager = mobsync.exe /logon
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    sysvol32 = C:\WINNT\System32\sysvol.exe systray
    sndvol32 = C:\WINNT\System32\sndvol32a.exe systray

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    internat.exe = internat.exe
    csrsc = C:\WINNT\system32\csrsc.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.1080671296

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\SWFLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://alcon.webex.com/client/latest/webex/ieatgpc.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    SysTray: stobject.dll
    WebCheck: C:\WINNT\system32\webcheck.dll

    --------------------------------------------------
    End of report, 4,753 bytes
    Report generated in 0.180 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. Pharmajem

    Pharmajem Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Also found that I had loads of "Exclude" in the HijackThis setup (Silly me!). Cleared them all and I've got now a much larger log: ;)

    Logfile of HijackThis v1.97.7
    Scan saved at 14:52:31, on 25/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\sysvol.exe
    C:\WINNT\System32\sndvol32a.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\csrsc.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    P:\Users\GB000217\JEM\New Folder\download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = chedc017:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.alconnet.com;*.nestec.ch;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.alconlabs.com/
    O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sysvol32] C:\WINNT\System32\sysvol.exe systray
    O4 - HKLM\..\Run: [sndvol32] C:\WINNT\System32\sndvol32a.exe systray
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [csrsc] C:\WINNT\system32\csrsc.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.1080671296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://alcon.webex.com/client/latest/webex/ieatgpc.cab
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Pharmajem,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [sysvol32] C:\WINNT\System32\sysvol.exe systray
    O4 - HKLM\..\Run: [sndvol32] C:\WINNT\System32\sndvol32a.exe systray

    O4 - HKCU\..\Run: [csrsc] C:\WINNT\system32\csrsc.exe

    Then reboot and put the following files in a zip folder for me please

    C:\WINNT\System32\sysvol.exe
    C:\WINNT\System32\sndvol32a.exe
    C:\WINNT\system32\csrsc.exe

    Send that zipfile to the address in my profile

    Regards,

    Pieter
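
Added example, not part of the original thread or any poster's reply: a sketch of one check that can be run over the O4 Run lines of the log above, flagging autorun executables whose file names are a near miss of a genuine Windows binary. The `KNOWN` list, the function names and the distance threshold are assumptions made for this illustration.

```python
import re

# O4 Run lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysvol32] C:\WINNT\System32\sysvol.exe systray
O4 - HKLM\..\Run: [sndvol32] C:\WINNT\System32\sndvol32a.exe systray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [csrsc] C:\WINNT\system32\csrsc.exe
'''

# Assumption: a small hand-picked list of genuine Windows 2000 binaries.
KNOWN = ("csrss.exe", "sndvol32.exe", "systray.exe", "svchost.exe",
         "services.exe", "lsass.exe", "winlogon.exe", "smss.exe",
         "spoolsv.exe", "explorer.exe", "userinit.exe", "internat.exe",
         "mobsync.exe")

RUN_LINE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$')
EXE = re.compile(r'^"?(.+?\.exe)', re.I)  # command up to the first ".exe"

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(log, max_dist=2):
    """Return (run value name, file name, genuine name it resembles)."""
    hits = []
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        exe = m and EXE.match(m.group(3))
        if not exe:
            continue
        base = exe.group(1).rsplit("\\", 1)[-1].lower()
        if base in KNOWN:          # exact match: not a look-alike
            continue
        dist, nearest = min((edit_distance(base, k), k) for k in KNOWN)
        if dist <= max_dist:
            hits.append((m.group(2), base, nearest))
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print("%s: %s resembles %s" % hit)
```

On this log the check flags `sndvol32a.exe` and `csrsc.exe`, two of the three entries listed for fixing above. `sysvol.exe` is not close to any name in the list, so name similarity alone does not catch it.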
     
  10. Pharmajem

    Pharmajem Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Just to wrap up for the benefit of other forum members:

    All is resolved now. This is fabulous help from you all, million thanks.
     