On 7 Nov 2003 13:11:29 -0800, jms6188@hotmail.com (Jms) wrote:

>Hi, I recently got spyware on my cpu, my homepage gets reset to
>http://wxx.sexpatriot.net/search/, and as I fix it, it doesn't stay
>fixed for very long.
>
>
>I have Windows 98
>I ran a hijackthis scan, and here's the info.
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\WINDOWS\ptsnoop.exe
>C:\WINDOWS\LOADQM.EXE
>C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
>C:\WINDOWS\SYSTEM\WMIEXE.EXE
>C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
>C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
>C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
>C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
>C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
>http://www.sexpatriot.net/search/
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
>about:blank
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
>O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no
>file)
>O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
>C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
>C:\WINDOWS\SYSTEM\MSDXM.OCX
>O4 - HKLM\..\Run: [SystemTray] systray.exe
>O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
>O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
>O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
>O4 - HKLM\..\Run: [LoadQM] loadqm.exe
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
>Files\Real\Update_OB\realsched.exe" -osboot
>O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program
>Files\Network Associates\VirusScan\AVSYNMGR.EXE
>O9 - Extra button: Translate (HKLM)
>O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
>O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
>O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
>O9 - Extra button: Net2Phone (HKLM)
>O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
>O9 - Extra button: Messenger (HKLM)
>O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
>Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
>O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime
>Environment 1.4.0_03) -
>O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime
>Environment 1.4.0_03) -
>O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam
>Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
>Control) - http://download.macromedia.com/pub/s...irector/sw.cab
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
>http://v4.windowsupdate.microsoft.co...920.4685300926
>
>Any help would be appreciated. Thanks,
>Jms



http://forums.spywareinfo.com/index....&hl=sexpatriot
http://forums.spywareinfo.com/index....&hl=sexpatriot
http://forums.spywareinfo.com/index....&hl=sexpatriot

HTH


--
siljaline

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_