Results 1 to 4 of 4

Thread: New spyware problem, need assistance please

Hybrid View

  1. 11-07-2003, 04:11 PM #1
    Jms Guest

    New spyware problem, need assistance please

    Hi, I recently got spyware on my cpu, my homepage gets reset to
    http://www.sexpatriot.net/search/, and as I fix it, it doesn't stay
    fixed for very long.


    I have Windows 98
    I ran a hijackthis scan, and here's the info.
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.sexpatriot.net/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no
    file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] systray.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program
    Files\Network Associates\VirusScan\AVSYNMGR.EXE
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
    Environment 1.4.0_03) -
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime
    Environment 1.4.0_03) -
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam
    Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.co...920.4685300926

    Any help would be appreciated. Thanks,
    Jms
    Reply With Quote Reply With Quote
  2. 11-07-2003, 06:07 PM #2
    siljaline Guest

    Re: New spyware problem, need assistance please

    On 7 Nov 2003 13:11:29 -0800, jms6188@hotmail.com (Jms) wrote:

    >Hi, I recently got spyware on my cpu, my homepage gets reset to
    >http://wxx.sexpatriot.net/search/, and as I fix it, it doesn't stay
    >fixed for very long.
    >
    >
    >I have Windows 98
    >I ran a hijackthis scan, and here's the info.
    >Running processes:
    >C:\WINDOWS\SYSTEM\KERNEL32.DLL
    >C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    >C:\WINDOWS\SYSTEM\MPREXE.EXE
    >C:\WINDOWS\SYSTEM\mmtask.tsk
    >C:\WINDOWS\EXPLORER.EXE
    >C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    >C:\WINDOWS\ptsnoop.exe
    >C:\WINDOWS\LOADQM.EXE
    >C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    >C:\WINDOWS\SYSTEM\WMIEXE.EXE
    >C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    >C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
    >C:\WINDOWS\SYSTEM\DDHELP.EXE
    >C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
    >C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
    >C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
    >C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    >
    >R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    >http://www.sexpatriot.net/search/
    >R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    >about:blank
    >R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    >O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no
    >file)
    >O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    >C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    >O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    >C:\WINDOWS\SYSTEM\MSDXM.OCX
    >O4 - HKLM\..\Run: [SystemTray] systray.exe
    >O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    >O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    >O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    >O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    >O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    >Files\Real\Update_OB\realsched.exe" -osboot
    >O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program
    >Files\Network Associates\VirusScan\AVSYNMGR.EXE
    >O9 - Extra button: Translate (HKLM)
    >O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    >O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    >O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    >O9 - Extra button: Net2Phone (HKLM)
    >O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    >O9 - Extra button: Messenger (HKLM)
    >O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    >O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    >Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    >O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
    >Environment 1.4.0_03) -
    >O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime
    >Environment 1.4.0_03) -
    >O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam
    >Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    >O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    >Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    >O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    >http://v4.windowsupdate.microsoft.co...920.4685300926
    >
    >Any help would be appreciated. Thanks,
    >Jms


    http://forums.spywareinfo.com/index....&hl=sexpatriot
    http://forums.spywareinfo.com/index....&hl=sexpatriot
    http://forums.spywareinfo.com/index....&hl=sexpatriot

    HTH


    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_
    Reply With Quote Reply With Quote
  3. 11-08-2003, 09:53 AM #3
    discogail Guest

    Re: New spyware problem, need assistance please

    Close all other windows......Check off:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.sexpatriot.net/search/
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no
    file)

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot

    "Fix Checked".......reboot






    Reply With Quote Reply With Quote
  4. 11-21-2003, 10:51 PM #4
    tim Guest

    Re: New spyware problem, need assistance please

    use regedit to find all sexpatriot.net and royalsearch and also find
    msoffice.hta in the registry and and delete. find msoffice.hta in
    c:\windows\fonts and delete. the msoffice.hta run from start up in the
    run from hkey hardware
    cheers

    jms6188@hotmail.com (Jms) wrote in message news:<f76831e2.0311071311.3ed1ae51@posting.google. com>...
    > Hi, I recently got spyware on my cpu, my homepage gets reset to
    > http://www.sexpatriot.net/search/, and as I fix it, it doesn't stay
    > fixed for very long.
    >
    >
    > I have Windows 98
    > I ran a hijackthis scan, and here's the info.
    > Running processes:
    > C:\WINDOWS\SYSTEM\KERNEL32.DLL
    > C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    > C:\WINDOWS\SYSTEM\MPREXE.EXE
    > C:\WINDOWS\SYSTEM\mmtask.tsk
    > C:\WINDOWS\EXPLORER.EXE
    > C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    > C:\WINDOWS\ptsnoop.exe
    > C:\WINDOWS\LOADQM.EXE
    > C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    > C:\WINDOWS\SYSTEM\WMIEXE.EXE
    > C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    > C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
    > C:\WINDOWS\SYSTEM\DDHELP.EXE
    > C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
    > C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
    > C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
    > C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    >
    > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    > http://www.sexpatriot.net/search/
    > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    > about:blank
    > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    > O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no
    > file)
    > O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    > C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    > O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    > C:\WINDOWS\SYSTEM\MSDXM.OCX
    > O4 - HKLM\..\Run: [SystemTray] systray.exe
    > O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    > O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    > O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    > O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    > O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    > Files\Real\Update_OB\realsched.exe" -osboot
    > O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program
    > Files\Network Associates\VirusScan\AVSYNMGR.EXE
    > O9 - Extra button: Translate (HKLM)
    > O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    > O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    > O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    > O9 - Extra button: Net2Phone (HKLM)
    > O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    > O9 - Extra button: Messenger (HKLM)
    > O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    > O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    > Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    > O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
    > Environment 1.4.0_03) -
    > O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime
    > Environment 1.4.0_03) -
    > O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam
    > Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    > O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    > Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    > O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    > http://v4.windowsupdate.microsoft.co...920.4685300926
    >
    > Any help would be appreciated. Thanks,
    > Jms
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules