Hi guys, I'm not very savvy, so please please please help me out. I don't even know when this started, but it's been happening for a very long time. Every time I go online, after 1/2 hour, a porn page will pop up even though I have anti-popup programs. After I close that page, all the links on the page that I am looking at will turn into links that will take me to the porn page again. To get rid of it, I have to either close the browser, or refresh the page. I cannot believe something like this can happen, but I've downloaded a bunch of anti-spyware programs like Adware, Spybot, CWshredder, you name it. I've also briefly searched Google for what this thing might be, and I found nothing. If you can tell me what it is and how I can get rid of it, I owe you my life. It happens EVERY time I go online these days, and it's the most annoying thing in the world. If you don't know the answer to my question, but can suggest another forum that might be able to help, please link me. Thank you so much.
Alrighty, try downloading HijackThis from https://www.wilderssecurity.com/attachments/hijackthis1973.zip and run a scan. Do not fix anything yet, as a lot of the things it finds are indeed supposed to be there. "Save log" and paste it in this thread, and one of our HijackThis experts will tell ya what needs fixing in no time.
Logfile of HijackThis v1.97.3
Scan saved at 9:47:57 PM, on 11/5/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svcpack.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Stickies\Stickies.exe
C:\windows\winlogon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\NetZero\zCast.exe
C:\Program Files\NetZero\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Stickies\Stickies.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: NetZero and NZ Platinum.lnk = C:\Program Files\NetZero\nzStart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9217ED15-26DF-4FB2-89DE-85BF28698304}: NameServer = 64.136.20.121 64.136.20.133
Hi bavary,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

Then reboot and delete:

c:\windows\winlogon.exe <= make sure to get the right one, other files called winlogon.exe will be on your computer, but they are the "real thing"

You should install SP1 for IE6 and all the security patches issued afterwards.

Regards,
Pieter
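Added example, not part of any post in this thread: the winlogon.exe entry above stands out because the real file lives in C:\WINDOWS\system32, while the flagged copy sits directly in c:\windows. The sketch below scans HijackThis log text for core Windows process names found outside their expected folder. The function name, the table of expected folders (which assumes the default C:\WINDOWS root) and the sample excerpt built from lines of the posted log are assumptions of this example.

```python
import ntpath
import re

# Expected folder for core Windows processes. Assumption of this example:
# the default C:\WINDOWS root, as in the log posted in this thread.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter path ending in .exe; spaces are allowed inside the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]=,]*?\.exe', re.IGNORECASE)


def find_masquerades(log_text):
    """Return (line_no, path) for system-process names outside their expected folder."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for path in PATH_RE.findall(line):
            # Windows paths are case-insensitive, so compare in lower case.
            folder, name = ntpath.split(path.lower())
            expected = EXPECTED_DIR.get(name)
            if expected and folder != expected:
                hits.append((line_no, path))
    return hits


# Constructed excerpt: a few lines taken from the log posted in this thread.
SAMPLE = r"""C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\winlogon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
"""

if __name__ == "__main__":
    for line_no, path in find_masquerades(SAMPLE):
        print(f"line {line_no}: system process name in unexpected folder: {path}")
```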
Hi Pieter, thanks a lot for responding. I deleted the two things with Hijack This, and when I rebooted, I couldn't find the file c:\windows\winlogon.exe. Does this mean it has already been deleted and everything should be okay?
Hi bavary,

If you cannot find it, it may be a hidden file. To "unhide" hidden files and folders:

Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options.
Then select the View Tab.
Make sure the Show hidden files and folders radio button is selected and that the Hide file extensions for known file types check box is unchecked.
Once this is done, select Apply and then Like Current Folder (located near the top of the Folder Options box).
Then select OK.

If you can't find it then, the startup entry was probably orphaned.

Regards,
Pieter
Hi Pieter, I followed the steps and I still cannot find the file. So far I haven't had problems, so thanks a lot for taking your time out to help me. If the problems occur again, I'll post another reply on this thread.
Hi bavary, It should be gone then. And certainly, if you have any problems, let us know. Regards, Pieter