Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IE Start Page Problem 2

Status
Not open for further replies.
Brode

Brode

IS-IT--Management
Nov 22, 2002
45
0
0
US
For no reason that I can think of IE 6 has been "compromised" so that no matter what Start Page I set, as soon as I reboot the Start Page becomes a site I've never knowingly been to. It seems to be connected somehow to the "about:blank" option. That is, that upon rebooting the Start Page gets set to "about:blank" and "about:blank" has been made to refer to luckysearch.net.

Anyone know what I have to do to get rid of this thing? Thanks,

Brode
 
Sort by date Sort by votes
Please heed mpnut's advice. SpyBot is a robust and effective product for the elimination of spyware and browser hijackers, which is clearly what you need in your case Brode. Also effective are AdAware and Hijack This.
 
Upvote 0 Downvote
I already had Adaware in my system so I ran that and deleted a few files that, by their names, seemed harmless--but who could know. Then I used CacheX to empty my cache of temp internet files. And then I went though all my cookies with Toss Your Cookies and took out every cookie from a site I didn't recognize.

Then I rebooted and, voila, my IE Start Page was the one it was supposed to be. So I don't know which activity did the trick, but it's done. My thanks to you all.

Brode
 
Upvote 0 Downvote
Brode

My guess is you still have it - inactive at the moment, but still there.

If it surfaces again or you want to doublecheck .....

Please Download hijackthis from


Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam
 
Upvote 0 Downvote
This is very interesting, Steam. I'm uneasy about publicizing all this information, but here's the log:

Logfile of HijackThis v1.97.2
Scan saved at 3:48:54 PM, on 10/1/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\HYDRAVISION\HYDRAMD.EXE
C:\PROGRAM FILES\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\CLIPMATE6\CLIPMT60.EXE
C:\PROGRAM FILES\CLIPMATE6\CLIPMT60.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOSTR03.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOVDX03.EXE
C:\WINDOWS\SYSTEM\HPOHID03.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "file:///C|/Program Files/Internet Explorer/Start Page/Homepage.htm"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C|/Program Files/Internet Explorer/Start Page/Homepage.htm"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b05lshs5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b05lshs5.slt\prefs.js)
O1 - Hosts: 3510794918 auto.search.msn.com
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\HydraVision\HydraMD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ClipMate6] C:\PROGRAM FILES\CLIPMATE6\CLIPMT60.EXE
O4 - Startup: TClockEx.lnk = C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .lio: c:\PROGRA~1\INTERN~1\PLUGINS\NPMAD32L.DLL
O12 - Plugin for .mfg: C:\PROGRA~1\INTERN~1\PLUGINS\npmirage.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: Dialpad Java Applet - O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - O19 - User stylesheet: C:\WINDOWS\Web\win.def

Right off the top I'd say that anything with " doesn't belong. What do we do next?

Brode
 
Upvote 0 Downvote
Yes you're right there - but don't fix anything yet

I think you have a new varient of the coolweb hijacker

Download and run this :-


You also have this virus :-

VBS/Loveletter.as

Do a free on-line virus scan here :-


or here :-


This should detect and delete the virus for you.

After you have done this, please post a new hijackthis log - there will be more to do

steam
 
Upvote 0 Downvote
All right, I've put myself in your hands. Ran the hijacker fix and did a scan with Panda, which found 24 infected files and cleaned them.

This surprised me for two reasons. First, Norton Anti-Virus said I had no infected files. Second, and I'm sure you've heard this before, I never open an attachment. Not from anyone. And I don't use Outlook, just in case. So I don't know how all this crud got there.

Anyway, here's the latest hijackthis.log:

Logfile of HijackThis v1.97.2
Scan saved at 10:14:36 PM, on 10/1/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\HYDRAVISION\HYDRAMD.EXE
C:\PROGRAM FILES\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\CLIPMATE6\CLIPMT60.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\CLIPMATE6\CLIPMT60.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOSTR03.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOVDX03.EXE
C:\WINDOWS\SYSTEM\HPOHID03.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = N1 - Netscape 4: user_pref("browser.startup.homepage", "file:///C|/Program Files/Internet Explorer/Start Page/Homepage.htm"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C|/Program Files/Internet Explorer/Start Page/Homepage.htm"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b05lshs5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b05lshs5.slt\prefs.js)
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\HydraVision\HydraMD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ClipMate6] C:\PROGRAM FILES\CLIPMATE6\CLIPMT60.EXE
O4 - Startup: TClockEx.lnk = C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .lio: c:\PROGRA~1\INTERN~1\PLUGINS\NPMAD32L.DLL
O12 - Plugin for .mfg: C:\PROGRA~1\INTERN~1\PLUGINS\npmirage.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: Dialpad Java Applet - O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
Now what?

Brode
 
Upvote 0 Downvote
Brode

There is no sensitive data or personaly identifiyable data in the log - no need to worry about posting the log - thousands of people do it every day.

The good news - The hijacker is completely gone from your computer

The bad news - you're still infected with the virus

This entry shows the virus is still there :-

O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs

Go to this link - read all about the virus - at the bottom of the page is a program to download that will clean your computer of it.


Good luck

steam
 
Upvote 0 Downvote
Well, I've run the download and it says that now everything is clean. Thanks mucho.

The question still arises--how did I get those viruses? I'm on a small network--three computers. If someone on another connected computer got the virus, would it have spread to my machine?

Guess it's time to disinfect the other two.

Thanks again,

Brode
 
Upvote 0 Downvote
Hi Brode

You're welcome

According to panda the virus only spreads by opening e-mail attachments, and to be honest I have no idea if it can spread from one computer to another in a network.

However if you want to post the logs for the other 2 machines - feel free.

steam
 
Upvote 0 Downvote
I am not telling you what to do nor am i suggesting you should or should not go or do anything, but the reason that you have these probs is because you or someone on your network has:

gone onto a warez and/or serials site
gone onto a porn site
opened an email (there are several going around, i get the one with the microsoft logo, all official looking, telling me its a critical update but it really is a virus!! So i dont click on it, i just delete it. Actually, with my a\virus updated, my a\virus catches it anyway. There is also another i get at the same time as the one that appears to be from m\soft, it also is a virus. So perhaps someone or your computer or your network has clicked on one of these viruses.

By the sound of it someone has done 2 or 3 of the 3 items i have mentioned! Sometimes the warez sites will change your home page, that is actually very common. If you have goback installed, best thing is to transfer what you have downloaded to another drive and then run goback if you have it installed. Gee, sounds like I have been thru all this?
I have only been thru the part where my home page got changed on me, i used goback and problem solved. I havent had the other 2 probs happen to me because i wont open any attachments that come to me via email. And i simply dont intentionally go onto the porn sites.
But for sure your problems are coming from the places i mentioned above!

 
Upvote 0 Downvote
Brode:
I have the same problem with my windows XP. Looks like some supe information here. I found thru some other searches that this may have come from a porn site that you get when you search for "american girl" dolls. They are online paper dolls that Kids use. My daughter uses them.

I will try some of the soft ware you used to eliminat the problem. Guess the $30 I spent for norton was a false sense of security. Especially since they don't want to acknowledge that it may be a virus changing the homepage.

Regards

Spuddy98
 
Upvote 0 Downvote
Actually, its not a virus that changes the web page.
 
Upvote 0 Downvote
Sorry, i made a mistake, will start over.

Its not a virus that changed your default "start" web page.
Its a program that people use. You are on a web page and you press some button to get something. Instead, or while the button does what you want, it also loads another prog that changes your start page without you knowing.
Next time you turn on internet explorer you get a shock!
But all you have to do most of the time is re-set your default page by going to tools, internet options, use default. If that wont work then get the exact page and manually type it in and press enter. Once you are at your proper home or start page, then go back to internet options
and press on "use current". As i said, i used goback when that happened to me. Other times its a whole program that has even possibly entered a setting in your registry to make that other page your default or permanent start page, as you call it, which is a good a name as any! When that happens you have to install and run adaware and/or sypbot and these progs will root out the offender and get rid of them and the registry setting and then you can put your regular start or home page back in as i mentioned above.

You also got a virus, as mentioned by the other person above, so you got at least 2 different things that happened to you, not just a virus. I can see that you are confused on that issue, hope this helps clear it up for you.
It should be pretty obvious that I go onto warez sites, thats why i know so much about this!!
But as i said, i dont go on porn sites. And maybe nobody did on our computer or your network, but sometimes you are on, say a warez site, and you click on something and instead it brings you to a porn site and while this is happening it is adding a program on your computer!! The program could be anything, but usually something that will make them money, thats why it wouldnt be a virus.
You picked up the virus either thru email or downloading something at a warez site, a serial warez site, or a file-sharing site and prog like morpheus, limewire, bearshare, or any of the other 50 different names!
So you had or have a virus and also a prog that changed your home page (start page). You had or have 2 different things, maybe even more than 2, sorry to say.

Use google search and search for adaware(free), spybot(free) and download them, make sure you not only install them both but update them both so you have the current info on your prog as things change fast in this cat and mouse game!! There are update links right inside the programs once you install them.

You also need to update your antivirus and get rid of the virus you have.
If you dont have an antivirus, then go to AVG antivirus, again use google to search. This is a free antivirus prog, one of the best on the market and free. Download and install then update, they send you a free serial number via email, then you get the update for it and run this antivirus.
Good luck and stay away from porn sites. Course i am only ranting here as i dont know that you were ever at a porn site, it could have been you got these things somewhere else or someone else on your network did. Only reason I mention this is to help you out, plus the fact that I strongly feel God made our bodies beautiful and He made sex beautiful, but He doesnt want us turning sexuality into something ugly!! But God never said anything about warez, lol!!!!




 
Upvote 0 Downvote
Steamwhiz,

I had the same problem with one user, using windows XP. Your steps appear to have cleared it. The other user side has been impacted with a different version where the home page is this bad boy is also loading My Favorites with undesireable links

I'm listing my hijackthis log in hopes that you can help me identify what has to be removed.

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svcinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay Picklyk\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\JAYPIC~1\LOCALS~1\Temp\mskgmf.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
any help you can give me would be greatly appreciated.

McBoom
 
Upvote 0 Downvote
These show you have a coolweb infection

O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe

Run CWS to eliminate this :-


This we thought may be another varient - but turned out to be "GatorCheat" - adware downloader

O4 - HKCU\..\Run: [removed] C:\windows\removed.exe

Run CWS - it will do a lot of the work for you in cleaning up the log

The post a new log and I will look at it tonight

steam

p.s.

Download and install SpyBot, that will clean the spyware out as well - before you run the new log


click the online tab to search for and download the updates, then shut down and relaunch SpyBot.

Go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, click 'Check for problems', and have SpyBot remove all it finds 'Fix selected problems'

you may have to run spybot more than once to clear everything

Remove everything pre-ticked in Red
 
Upvote 0 Downvote
Howdy All,

Have been noticing some lag time when I type in fields like this reply form, so I did some searching and found this site/thread.

Steamwhiz ole boy, you got the numbers down.

I'll use this threads info and peform some tasks first before I add more.

Thanks for the info!
 
Upvote 0 Downvote
Steam,

OK I give up here. I have run adaware, followed by CWS. I then ran spybot, making sure I got the updates.

I then reset my home page, emptied my favorites of all univited additions, cleared my cookies, and deleted my temp internet file.

I then reran CWS, followed by Spybot. during that is when Norton started to detect the addition of Trojan byteverify, and Trojan startpage. This occured as my home page reset itself and started reloading the favorites file.

Here is what my Hijackthis log looks like.
unning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svcinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jay Picklyk\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Jay Picklyk\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 65.77.82.162 pichunter.com
O1 - Hosts: 65.77.82.162 pussyslot.com
O1 - Hosts: 65.77.82.162 sexocean.com
O1 - Hosts: 65.77.82.162 worldsex.com
O1 - Hosts: 65.77.82.162 O1 - Hosts: 65.77.82.162 O1 - Hosts: 65.77.82.162 O1 - Hosts: 65.77.82.162 O1 - Hosts: 65.77.82.162 pinkworld.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
Any new suggestions you can share with me would be appreciated.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

VicM
  • Locked
  • Question
Problem updating Windows Explorer
Replies
1
Views
162
Nancycaf
Nancycaf
Shengfu
  • Locked
  • Question
PROBLEM WITH FILES IN FLASHDRIVE
Replies
3
Views
82
mikrom
mikrom
iNotes4You
  • Locked
  • Question
Microsoft IExpress 'Extract-To'-Option
Replies
2
Views
162
iNotes4You
iNotes4You
DrB0b
  • Locked
  • Question
Windows CE 6.5 Browser that isnt IE
Replies
1
Views
64
xwb
xwb
Flinx
  • Locked
  • Question
Windows 10 Strange problems recently appear caused by microsoft ransomeware protection
Replies
3
Views
143
Andrzejek
Andrzejek

Part and Inventory Search

Sponsor

Back
Top