I need help with something annoying...... [Archive] - PCMech Forums



rapidarp
05-31-2004, 09:52 PM
Ok, I couldn't help myself the other night and I started browsing some porn sites. One site that was open in IE (I had like 3 windows open) appeared to be locked up. A moment later, it went back to normal. I was able to browse the page. Ever since that little "freeze" moment, every time I open IE to connect to the internet, I have 4 bookmarked porn sites that are in my favorites folder and my IE always wants to connect to some porn search engine.

I ran Norton; nothing. I ran LavaSoft Spyware; picked up some things but it still didn't fix the problem. I tried deleting the bookmarks and resetting the page to blank; doesn't work.

I asked for help on a different website and got nothing but crappy responses.

Any ideas how to get rid of this crap? Thanks.

Kubie
05-31-2004, 10:01 PM
rapidarp,

http://www.safer-networking.org/index.php?page=download


Carl

rapidarp
05-31-2004, 10:03 PM
My bad, I forgot to mention that I already tried that and it didn't work. Any other ideas? I mean, I was told to download Spyware S&D and run it. I ran it, it came back with some errors, fixed them.....but I still get the bookmarks and IE still wants to start up connecting to the one page.

Any other ideas? Did I not use Spyware S&D right?

Kubie
05-31-2004, 10:06 PM
Read this thread:

http://forum.pcmech.com/showthread.php?s=&threadid=99291

Carl

rapidarp
05-31-2004, 10:36 PM
Ok, that stuff didn't work either. I tried it just as it said to.

Here is the website that IE always wants to connect to: http://mypoiskovik.com/index.htm

Here are the bookmarks that it keeps putting into My Favorites:

FREE HIDDEN CAMS WORLD

FREE SPY CAM

FREE WEB CAMS CHAT

GET THIS 4 FREE


*EDIT* Kubie, I just noticed you're in Modesto. I'm in Newman.

ghost2003
05-31-2004, 11:05 PM
Post a HijackThis log.
You can get it at www.spywareinfo.com/~merijn
Just click scan then save log, this will give you the results in Notepad so you can post them. Don't fix anything yet, most of the stuff is harmless and even needed.
Btw, I don't think it's a good idea to post the links.

rapidarp
05-31-2004, 11:26 PM
Hmm, I noticed that Notepad won't open. I had to change the file type to .doc in order to open it. Anyway, here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:24:46 PM, on 5/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\DAP\DAP.EXE
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87D11145-131E-4387-B7B6-0A346ABF062D}: NameServer = 66.81.0.251 66.81.0.252

rapidarp
06-01-2004, 02:22 AM
*bump*


I posted the HijackThis results.....anyone care to help? I'm still having the problem.

Blue_Gundam2002
06-01-2004, 03:06 AM
delete these,
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

rapidarp
06-01-2004, 04:02 AM
Originally posted by Blue_Gundam2002
delete these,
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

Just did it. Restarted. Nothing happened. Porn bookmarks and start page are still there. :mad:

diver203_98
06-01-2004, 04:24 AM
In IE did you try:

Tools, Internet options, click on connections, and put a "dot" (check) never dial a connection? Give that a try and let us know if that works. Don't forget to click "apply" and click "OK" on your way out. One of the sites may have changed it to "always dial my default connection".

Trent Steel
06-01-2004, 04:27 AM
Once when my homepage was being hijacked like this I was able to fix it by using system restore to the day before it started happening, that may work for you.

ghost2003
06-01-2004, 07:24 AM
This is used to start many viruses:
C:\WINDOWS\System32\WScript.exe

R3 - Default URLSearchHook is missing

I'm not very good with logs so I might have missed something, but it seems Norton let something pass through. Try scanning with HouseCall:
http://housecall.trendmicro.com

A system restore as Trent Steel said might help, but if it doesn't, turn it off to remove all restore points since many viruses like to hide there because AVs can't get them there.

Cricket
06-01-2004, 10:05 AM
The info here (http://forums.tomcoyote.com/index.php?showtopic=8278) should help.

:) Cricket

glc
06-01-2004, 11:22 AM
Are you sure you are updating Ad-Aware and Spybot S&D before running them, and are you using the latest versions? Are you sure virus scans are coming up clean with updated definitions? You need to crosscheck Norton with an online scan - try housecall.trendmicro.com. Your HJT log is definitely showing malware.

Winlogin.exe is a Trojan virus. You also have "Bundleware" which is like VX2 and Look2Me, and is very difficult to remove. Try this:

http://www.look2me.com/cgi-bin/UnInstaller

You are running XP - and without SP1 you are vulnerable to some exploits. I also don't see a firewall running.
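
Added example (not part of any post in this thread): a small Python triage pass over a subset of the HijackThis log posted above, flagging the entry types the replies single out. The expected-host allowlist, the near-miss name check and the "bare .exe in Global Startup" rule are illustrative assumptions, not HijackThis features.

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# Assumption: hosts the owner expects in IE settings (the OEM default here).
EXPECTED_HOSTS = {"www.sony.com"}
# Genuine Windows process names that malware imitates with near-miss spellings.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe"}

def near_miss(name):
    """True if name is exactly one substituted character away from a system name."""
    name = name.lower()
    return any(len(name) == len(s) and sum(a != b for a, b in zip(name, s)) == 1
               for s in SYSTEM_NAMES)

def triage(log):
    """Return (section, reason, value) tuples for lines worth a closer look."""
    findings = []
    for line in filter(None, (l.strip() for l in log.splitlines())):
        m = re.match(r"(R[01]|O16) - .*?(https?://\S+)$", line)
        if m:  # IE start/search pages (R0/R1) and ActiveX download sources (O16)
            host = urlparse(m.group(2)).hostname
            if host not in EXPECTED_HOSTS:
                findings.append((m.group(1), "unexpected host", host))
            continue
        if line.startswith("O4 - Global Startup: "):
            item = line.split(": ", 1)[1]
            # Legitimate items in this log are .lnk shortcuts with a target.
            if "=" not in item and item.lower().endswith(".exe"):
                findings.append(("O4", "raw executable in Startup folder", item))
        base = line.rsplit("\\", 1)[-1].split(": ")[-1]  # file name at end of line
        if near_miss(base):
            findings.append(("name", "imitates system process", base))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The R0/R1 values are only symptoms: as the thread shows, deleting them without removing the startup executable that rewrites them leaves the hijack in place after a reboot.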

rapidarp
06-01-2004, 11:03 PM
Well, unfortunately, I could not solve the problem. I've tried multiple help files from google and nothing worked. In the end, I had to reformat. Everything is A-ok......for now. Thanks to everyone who helped.

nocturnx
06-02-2004, 02:29 AM
This is just a lesson to everyone that it is just better to download your porn from mIRC. lol

kittyfire
06-02-2004, 08:11 PM
Wow... just saw this. : / In case anyone else has this problem and your IE is updated then you can try going to tools, internet options, advanced then look through the list for something that says, "Enable 3rd Party Browser Extensions." Uncheck it then restart the computer.

That's saved a lot of people from having to reformat. Taking away some dinky third party software's ability to take over the browser rocks.

Carl Price
06-06-2004, 01:32 AM
I just saw this as I come to PcMech only on weekends. You have (had) the bookmarker worm. For more information go to http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.gen.htm Then do a search using bookmarker as the only word in the search box.

glc
06-06-2004, 03:11 AM
Make that html instead of htm and you get the right page.

That tells me that your Norton was NOT up to date when you scanned. Antivirus programs are almost worthless if they are not kept updated religiously.