search-dot.com

DeadEyedStare · Jan 4, 2004

ok i have the usual symptoms.Every time I open I.E. my start up page is

.I change it and i can open and reopen it and its ok. but one i restart my computer it changes it again.IT adds it self to my favorites along with other sites.I downloaded cwshredder and it wont work.It gets an Unepected error.I downloaded Hijack This and this came up.

Logfile of HijackThis v1.97.7
Scan saved at 6:40:41 PM, on 1/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPCLIENT.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: DSL Web Hosting 1.00.lnk = C:\Program Files\DSL Speed\DSL Web Hosting 1.00\Dslhost.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

Any help please.please.

kippy13 · Jan 7, 2004

Download and run in this order:

cwshredder *
SpyBot 1.2 *
AdAware *

* = Update the definition files within the program as the first step.

http://www.spywareinfo.com/downloads.php?cat=sp#det

If Cwshredder doesnt work then move on to the next one.

"Sometimes I do not know but I try hard"- R.F. Haughty 1923

MarcLodge · Jan 7, 2004

See this link for various ways other people have got rid of this nasty peice of work.....

http://www.computing.net/security/wwwboard/forum/6838.html

Hope one of these helps for you.
Marc

carrr · Jan 7, 2004

This is a pretty clever little turd of malware prog.
The key seems to lie files with .hta extensions.
One that I've seen come up associated with this hijack is "font.hta"

Removing this entry using Hijack This! should cure your problem:

O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta

DeadEyedStare · Jan 8, 2004

Thanks guys i got it by running Regedit,cwshredder,add-aware and h.t..I didnt mean to take up another post but i did a search and nothing came up.THanks again!

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

search-dot.com

DeadEyedStare

Technical User

kippy13

IS-IT--Management

MarcLodge

Programmer

carrr

Technical User

DeadEyedStare

Technical User

Similar threads

Part and Inventory Search

Sponsor