View Full Version : Help help help


funhousegroup
01-29-2003, 08:48 PM
My browser keeps getting redirected to a hanky panky college girls website every time I try to go to a site that I have been to recently.
I cleared my temp internet files, history, cookies, used Spybot, rebooted, and it is still getting redirected. I can go to sites that I have not been to recently though. This may have something to do with having and not being able to remove the Nimda virus.
HHHHHeeeeeellllppppp Please.

mjc
01-29-2003, 09:00 PM
No, it has nothing to do with Nimda.

You have been hijacked.

Grab HijackThis (http://www.spywareinfo.com/~merijn/), run it and save the log, then go to the Config button -> Misc Tools and run a StartupList, and post both logs here.

funhousegroup
01-29-2003, 10:51 PM
MJC, here are both of the log files generated by HijackThis.
I hope this helps. FunHouse

Logfile of HijackThis v1.91.2
Scan saved at 6:37:27 PM, on 1/29/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=D:\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=D:\Program Files\Copernic 2001 Basic\Search Bar.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .AIFF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

StartupList report, 1/29/2003, 6:40:48 PM
StartupList version: 1.51
Started from : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
PowerReg Scheduler.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
AtiPTA = atiptaxx.exe
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

--------------------------------------------------


Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 3,173 bytes
Report generated in 0.040 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

mjc
01-29-2003, 11:58 PM
I don't see anything there that indicates a hijacker.

So, clear out your cookies, temp internet files, history, etc. Also do a search for a Hosts file (no extension).

Also give Spybot Search and Destroy a run (link on my AV page; link in sig).

Budfred
01-30-2003, 12:29 AM
If you have the URL for the site you want, erase your bookmark/favorite and reenter the URL. Try going there that way. Your bookmark/favorite for the site may simply be wrong, possibly as a side effect of the virus.

Budfred

funhousegroup
01-30-2003, 12:31 AM
I already ran Spybot several times and fixed all the adware and cleaned all of the temp, temp internet, cookies, history and everything. And now when I go to certain sites I still get my browser taken over completely. If I use the firewall to deny access to the porn sites coming up, then I can't get to the desired site either. As far as hosts files, I'm not sure how to determine what is good and bad.
Any ideas?
Thanks
FuNHoUSegROup

Budfred
01-30-2003, 12:45 AM
Have you tried typing in the URL?

Also, in your first post you say that you have been unable to remove the Nimda virus. If this is still true, it may be time to zero out your hard drive and start over.

Budfred

mjc
01-30-2003, 12:49 AM
Most likely it will be in the first 30 lines of the Hosts file, so post that.

Ignore anything that starts with a #.

funhousegroup
01-30-2003, 01:00 AM
Yeah, I deleted the history and typed the URL manually and also changed my start page, both several times. Now when you say bookmark, do you mean a Netscape bookmark, the same as IE favorites? No entries for the site in question there. And the Hosts file (am I just looking for an IE logfile named host?). Sorry about all the questions, I'm just trying to understand.
Awsome, FunnyHouseeeee

mjc
01-30-2003, 01:35 AM
It is a system file and should be in the windows (winnt) folder.
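As an added example that is not part of this thread, the script below does the hosts-file check mjc describes: it skips lines starting with `#` and reports any name that is mapped somewhere other than the local machine. The hosts file contents are a constructed sample, not a capture from the poster's machine; the path given in the comment is the standard Windows 2000 location.

```python
# Added example: check a Windows hosts file the way the thread suggests.
# Comment lines ('#') are skipped; any name mapped somewhere other than the
# local machine is reported. On Windows 2000 the file lives at
# C:\WINNT\system32\drivers\etc\hosts and normally holds only "127.0.0.1 localhost".
import ipaddress

def parse_hosts(text):
    """Return (hostname, address) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue                           # blank or malformed: maps nothing
        addr, names = parts[0], parts[1:]
        entries.extend((name.lower(), addr) for name in names)
    return entries

def suspicious_entries(text):
    """Flag entries that map a name anywhere except 'localhost' to loopback.
    An outside address means redirection; loopback means the site is blackholed
    (deliberate ad-blocking hosts lists look like this too, so check the name)."""
    flagged = []
    for name, addr in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((name, addr, "not an IP address"))
            continue
        if ip.is_loopback:
            if name != "localhost":
                flagged.append((name, addr, "site blackholed to loopback"))
        else:
            flagged.append((name, addr, "site redirected elsewhere"))
    return flagged

# Constructed sample hosts file (not a real capture); 192.0.2.0/24 is a
# documentation range used as a stand-in for an attacker-controlled address.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # hijacker redirect
127.0.0.1       www.spywareinfo.com         # help site blocked
"""

if __name__ == "__main__":
    for name, addr, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:24} -> {addr:12} {why}")
```

Any line the script flags should be checked against what you actually typed into the browser; removing it (and saving the file) stops the redirect for that name.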