IE startpage hijacked, dialer on desktop, HJThis Log attached 2

giuseppe68

Technical User
Nov 20, 2004
3
IT
Hi Guys, I need help. I write from Italy.

Problem: my IE start page is hijacked and redirected to the site, plus I have a dialer (C:\WINDOWS\system32\ShellExt\ATX22.EXE -id 337) on the desktop: though I delete the file, it reappears at every reboot, and similarly, if I change the Internet Options settings, after the next reboot the start page is the same as before.

I have gone through these steps so far (one after the other, all tools updated):
1) Run Antivir (Antivir guard 6)
2) Panda scan (online scan)
3) Trend micro scan (online scan)
4) turned off system restore
5) run a2 scanner
6) run cwshredder
7) downloaded Windows updates
8) reboot, then run spyboot
9) reboot, then run adware
10) reboot, then turned on system restore
11) HJthis scan and reboot
12) Went through your faqs, and also did as follows:
a) checked within the *.hta and *.js files for the one with the URL I've been hijacked to (didn't find it);
b) I deleted the *.tmp files in my archive;
c) after running HjThis, I deleted the following (which still reappears at the next reboot): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = and I deleted the following too (which also reappears at the next reboot): O9 - Extra button: Connector (HKLM).
Please note that I also had a trouble with the IE toolbar, an unwanted connection button, but it seems to be fixed after deleting the following:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)


Now I'm stuck.
So here is my Hijthis log:

Logfile of HijackThis v1.97.7
Scan saved at 17.52.36, on 20/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Philips\Drive esterno\Blue Button\bbSysTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ShellExt\ATX22.EXE
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\a2\a2guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\hjt\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [bbSysTray] C:\Program Files\Philips\Drive esterno\Blue Button\bbSysTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Connector] C:\WINDOWS\System32\ShellExt\ATX22.EXE -n
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Connector (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Thanks in advance to anybody who will help me (and sorry for my English....).
Giuseppe
 
1.Turn off system restore
2.Reboot into safe mode
3.Check that the following tasks are not running from task manager. If they are, terminate them.
C:\WINDOWS\System32\ShellExt\ATX22.EXE
C:\WINDOWS\System32\RoamMgr.exe

4. Have HijackThis fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Connector] C:\WINDOWS\System32\ShellExt\ATX22.EXE -n
5. Run full virus and spyware scans with up to date scanners. Clean anything that it finds.
Get second opinions - run Ad-Aware and Spybot S&D, your AntiVir Personal and McAfee Stinger as well.
6. Reboot into normal mode
7. If all seems OK, re-enable system restore.

Hopefully this should fix it.
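As an added example (not code from this thread or from HijackThis), here is a small Python reviewer that reads a HijackThis log and flags what jrbarnett's step 4 targets: the R0 start page, the O4 autorun in an odd System32 sub-folder (cross-checked against the running-process list), and the O9 button that shares the autorun's name. The sample log is a constructed, trimmed copy of the one posted above; the System32 sub-folder rule and the `expected_start_page` parameter are heuristics of this example, not HijackThis features.

```python
import re
# Constructed sample: a trimmed copy of the HijackThis v1.97.7 log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\ShellExt\ATX22.EXE
C:\Program Files\AVPersonal\AVGNT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Connector] C:\WINDOWS\System32\ShellExt\ATX22.EXE -n
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O9 - Extra button: Connector (HKLM)
"""
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)  # command line -> exe path
R0_RE = re.compile(r"^R0 - (.+?),Start Page =\s*(.*)$")
O9_RE = re.compile(r"^O9 - Extra button: (.+?) \(HK\w+\)$")
def parse_hjt(text):
    # Returns (set of lower-cased running-process paths, list of R/O entry lines).
    procs, entries, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.add(line.lower())
        else:
            entries.append(line)
    return procs, entries

def review(text, expected_start_page):
    # Flags the entries a defender would examine before letting HJT "fix" them.
    procs, entries = parse_hjt(text)
    findings, autoruns = [], {}
    for e in entries:
        if m := RUN_RE.match(e):
            name, cmd = m.group(2), m.group(3)
            exe = EXE_RE.match(cmd)
            path = (exe.group(1) if exe else cmd).lower()
            autoruns[name.lower()] = path
            # Heuristic (this example's rule): an autorun in a sub-folder of System32 is unusual.
            if re.search(r"\\system32\\[^\\]+\\", path):
                state = "running" if path in procs else "not running"
                findings.append(("O4", name, f"System32 sub-folder autorun ({state}): {path}"))
        elif m := R0_RE.match(e):
            if m.group(2).strip().lower() != expected_start_page.lower():
                findings.append(("R0", m.group(1), f"start page {m.group(2)!r} != {expected_start_page!r}"))
        elif m := O9_RE.match(e):
            # An extra IE button sharing its name with an autorun should be fixed together with it.
            if m.group(1).lower() in autoruns:
                findings.append(("O9", m.group(1), "paired with autorun " + autoruns[m.group(1).lower()]))
    return findings
```

Running `review(SAMPLE_LOG, "about:blank")` returns three findings, one each for the R0, O4 [Connector] and O9 Connector lines, with the O4 one marked as currently running.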
 
Hi jrbarnett, thanks for answering: I was getting lost!
I'm trying to follow your instructions, but I must be a bit awkward, and I can't start the computer in safe mode. I searched through the Windows Help Center (on my PC) but I can't apply their instructions to start the computer in safe mode, which are the following:

Click Start, click Shut Down, and then, in the drop-down list, click Shut down.
In the Shut Down Windows dialog box, click Restart, and then click OK.
When you see the message Please select the operating system to start, press F8. (... etc.)

The problem is: I DON'T have a shut down button, nor a drop-down list etc. Only the Turn Off button (or the restart one).

I've tried to reboot and press F8 button, but no success either. Only the F2 possibility at the start, which I don't know how to use.

Sorry again, I feel embarrassed, but I'm stuck. Any suggestion?

Thanks
Giuseppe
 
When you get the "Windows XP" graphical screen at startup, with the blue or green dots going across the screen, that is the time to hit the F8 key.

John
 
I've done it all and it looks as it is fixed now!
I can't believe it! I cross my fingers, but the desktop looks ok by now, and I haven't been redirected when I started IE.
Really thank you so much!
What can I do for you?
You know, Italy is a bit of a foolish country, but we are definitely good at cooking: if you like it, and if you have any kind of postbox, I would be very pleased to send you some Christmas cake. That's just to say thank you!
Let me know.
Giuseppe
 
Thank you very much for your kind offer, Giuseppe, which I have been considering over the last few days. Apologies for the delay in my reply.
I feel I must decline your kind offer, however, as it involves posting personal information on this site, which I don't wish to do.

I hope that you are not too upset by my decision as I am trying to keep within the rules of TT.

John
 
There's also the weight issue, isn't there, jrbarnett? [tongue]

--------------------
Procrastinate Now!
 