
Author Topic: HELP  (Read 11261 times)


macdog

  • Guest
HELP
« on: September 10, 2007, 03:47:04 PM »
A website downloaded an inappropriate site to my right-click menu. How can I get rid of it fast?

unlovedwarrior



    Guru

  • someday this name will be known
  • Thanked: 13
    Re: HELP
    « Reply #1 on: September 10, 2007, 04:03:50 PM »
    What Windows and protection do you have?

    macdog

    • Guest
    Re: HELP
    « Reply #2 on: September 10, 2007, 04:08:02 PM »
    I have Windows 2000 and I only have Ad-Aware SE Personal.

    unlovedwarrior



      Guru

    • someday this name will be known
    • Thanked: 13
      Re: HELP
      « Reply #3 on: September 10, 2007, 04:10:59 PM »
      Download AVG Free and AVG Anti-Spyware and Spybot Search and Destroy.

      Update them and run the scans.

      macdog

      • Guest
      Re: HELP
      « Reply #4 on: September 10, 2007, 04:31:57 PM »
      Is there any other way? I don't have administrator privileges.

      unlovedwarrior



        Guru

      • someday this name will be known
      • Thanked: 13
        Re: HELP
        « Reply #5 on: September 10, 2007, 04:32:48 PM »
        Google Trend Micro HouseCall and ewido online scanner.

        CBMatt

        • Mod & Malware Specialist


        • Prodigy

        • Sad and lonely...and loving every minute of it.
        • Thanked: 167
          • Yes
        • Experience: Experienced
        • OS: Windows 7
        Re: HELP
        « Reply #6 on: September 10, 2007, 11:10:29 PM »
        You're giving us very little to work with here.  What exactly has been added to your menu?  It might not even be an infection.  We need more details to be able to instruct you further.
        Quote
        An undefined problem has an infinite number of solutions.
        —Robert A. Humphrey

        macdog

        • Guest
        Re: HELP
        « Reply #7 on: September 11, 2007, 04:43:24 AM »
        All the thing says is >>>>FREE PORN GALLERYS<<<< and I didn't put it there.

        Spero-T

        • Guest
        Re: HELP
        « Reply #8 on: September 11, 2007, 05:00:53 AM »
        And where is it ?

        patio

        • Moderator


        • Genius
        • Maud' Dib
        • Thanked: 1769
          • Yes
        • Experience: Beginner
        • OS: Windows 7
        Re: HELP
        « Reply #9 on: September 11, 2007, 10:07:49 AM »
                               
        " Anyone who goes to a psychiatrist should have his head examined. "

        The Saviour

        • Guest
        Re: HELP
        « Reply #10 on: September 11, 2007, 12:49:36 PM »
        Nice image patio...and believe me...I understand...

        Can I use that as well?

        macdog

        • Guest
        Re: HELP
        « Reply #11 on: September 11, 2007, 12:58:27 PM »
        Spero-T, I said in my original post that it was in my right-click menu, the menu that pops up when you right-click.

        CBMatt

        • Mod & Malware Specialist


        • Prodigy

        • Sad and lonely...and loving every minute of it.
        • Thanked: 167
          • Yes
        • Experience: Experienced
        • OS: Windows 7
        Re: HELP
        « Reply #12 on: September 13, 2007, 07:05:15 AM »
        Download HijackThis and post a log for us to take a look at.
        Quote
        An undefined problem has an infinite number of solutions.
        —Robert A. Humphrey

        macdog

        • Guest
        Re: HELP
        « Reply #13 on: September 13, 2007, 01:09:56 PM »
        Logfile of HijackThis v1.99.1
        Scan saved at 3:01:55 PM, on 9/13/2007
        Platform: Windows 2000 SP4 (WinNT 5.00.2195)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\Explorer.EXE
        C:\Program Files\Windows Defender\MSASCui.exe
        C:\Program Files\AIM\aim.exe
        C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
        C:\Program Files\DELL TrueMobile 1180 Wireless USB\WLAN_Cfg.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Documents and Settings\Ian.MACDONAL-6BF5BE\Local Settings\Temporary Internet Files\Content.IE5\ST6N0H2N\HijackThis[1].exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/the-exit.com/search
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.the-exit.com
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the-exit.com/search
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.the-exit.com/search
        R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.the-exit.com/search
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
        O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
        O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
        O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
        O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
        O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
        O4 - HKLM\..\Run: [erwghjjrjt] c:\winnt\system32\drivers\ucbcg.exe
        O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
        O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
        O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
        O4 - Global Startup: Client Manager.lnk = C:\Program Files\DELL TrueMobile 1180 Wireless USB\WLAN_Cfg.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
        O15 - Trusted Zone: http://www.neopets.com
        O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/4c791e23a585b1d7ea5127848837a5ed_35.exe
        O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
        O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
        O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
        O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
        O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.my/com/EGamesPlugin.cab
        O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
        O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143755057205
        O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
        O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
        O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
        O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://193.172.162.99:8080/activex/AMC.cab
        O16 - DPF: {754693AA-011F-40DD-B075-DD4644A47F54} (Importer.Imp) - http://www.imvu.com/catalog/invite/Importer.CAB
        O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
        O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
        O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
        O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
        O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
        O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
        O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://87.245.83.189/activex/AMC.cab
        O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
        O20 - Winlogon Notify: RelevantKnowledge - C:\WINNT\system32\rlls.dll
        O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe


        Fed

        • Moderator


        • Sage
        • Thanked: 35
          • Experience: Experienced
          • OS: Windows XP
          Re: HELP
          « Reply #14 on: September 13, 2007, 02:21:15 PM »
          O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
           Look familiar?  ;)

          macdog

          • Guest
          Re: HELP
          « Reply #15 on: September 13, 2007, 03:29:04 PM »
          How do I delete it?

          macdog

          • Guest
          Re: HELP
          « Reply #16 on: September 13, 2007, 03:36:36 PM »
          Nvm, I deleted it.

          Fed

          • Moderator


          • Sage
          • Thanked: 35
            • Experience: Experienced
            • OS: Windows XP
            Re: HELP
            « Reply #17 on: September 13, 2007, 04:11:13 PM »
            I just knew you'd work it out. ;)

            CBMatt

            • Mod & Malware Specialist


            • Prodigy

            • Sad and lonely...and loving every minute of it.
            • Thanked: 167
              • Yes
            • Experience: Experienced
            • OS: Windows 7
            Re: HELP
            « Reply #18 on: September 13, 2007, 09:45:09 PM »
            With that gone, you no longer see the results of the infection, but you're still not clean.  The site that added this to your menu has hijacked your browser, so if you don't pay attention, you'll just keep getting the entry added to your menu.  And you also have a couple of trojans and downloaders, which you should get rid of.

            Before we start, you need to get some anti-virus software.  Download AVG Free, update it, and scan with it in Safe Mode.  You should do the same with SUPERAntiSpyware.  Scanning with those should get rid of most of your infections, but just in case, I will instruct you on what needs to be removed...

            Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/the-exit.com/search
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.the-exit.com
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the-exit.com/search
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.the-exit.com/search
            R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.the-exit.com/search
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com

            O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
            O4 - HKLM\..\Run: [erwghjjrjt] c:\winnt\system32\drivers\ucbcg.exe

            O15 - Trusted Zone: http://www.neopets.com

            O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/4c791e23a585b1d7ea5127848837a5ed_35.exe
            O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
            O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

            O20 - Winlogon Notify: RelevantKnowledge - C:\WINNT\system32\rlls.dll


            Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

            Navigate to and delete the following file(s) if present...

            c:\winnt\system32\drivers\ucbcg.exe
            C:\WINNT\system32\rlls.dll
            c:\winnt\system32\rlvknlg.exe


            Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.
            Quote
            An undefined problem has an infinite number of solutions.
            —Robert A. Humphrey
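
Added example (not part of the thread and not HijackThis's own logic): a small Python triage pass over HijackThis-format lines, run on a few lines copied from the log posted above. The three heuristics and all names in the code are illustrative assumptions that only pick out entries for manual review; they do not reproduce the selection made in the reply above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [erwghjjrjt] c:\winnt\system32\drivers\ucbcg.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/4c791e23a585b1d7ea5127848837a5ed_35.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://87.245.83.189/activex/AMC.cab
"""

LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")        # e.g. "O16 - DPF: ..."
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DRIVERS_EXE = re.compile(r"\\system32\\drivers\\[^\\]+\.exe", re.I)

def triage(log_text):
    """Return (section code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue  # header lines, process list, blanks
        code, body = m["code"], m["body"]
        if code == "O8" and " - javascript:" in body.lower():
            findings.append((code, "context-menu item runs a javascript: URI", line))
        elif code == "O4" and DRIVERS_EXE.search(body):
            findings.append((code, "autorun executable inside system32\\drivers", line))
        elif code == "O16":
            prefix, _, url = body.rpartition(" - ")   # prefix = "DPF: {CLSID} (name)"
            parsed = urlparse(url)
            if IPV4_HOST.match(parsed.hostname or ""):
                findings.append((code, "ActiveX codebase served from a bare IP address", line))
            elif "(" not in prefix and parsed.path.lower().endswith(".exe"):
                findings.append((code, "unnamed control installed from a direct .exe", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```
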

            oddjob



              Hopeful

              Thanked: 4
              • Experience: Beginner
              • OS: Windows 7
              Re: HELP
              « Reply #19 on: September 16, 2007, 06:26:45 AM »
              firewall? antivirus?  where's winlogon ?  ???


              OJ


              « Last Edit: September 17, 2007, 02:52:45 PM by oddjob »

              CBMatt

              • Mod & Malware Specialist


              • Prodigy

              • Sad and lonely...and loving every minute of it.
              • Thanked: 167
                • Yes
              • Experience: Experienced
              • OS: Windows 7
              Re: HELP
              « Reply #20 on: October 02, 2007, 06:45:45 AM »
              Due to lack of feedback, I am closing this topic.  If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

              If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
              Quote
              An undefined problem has an infinite number of solutions.
              —Robert A. Humphrey