Help! c:\searchpage.html#1525

[Apok]

hi, i'm new to "hijackthis"
i d/l it cuz my home page on internet explorer keeps resetting to c:\searchpage.html#1525...
did a google search, found these forums, got "hijackthis", scanned, and deleted every line that had "c:\searchpage.html#1525" in it..
but 15 sec later, its back, home page keeps reverting back to it..
anyway, heres my "hijackthis" log, maybe theres something else i gotta delete.
thanks in advanced


Logfile of HijackThis v1.97.7
Scan saved at 3:49:58 PM, on 5/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHON~1.S00\LOCALS~1\Temp\Rar$EX00.953\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html#1525
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINNT\IPINSIGT.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_6390.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://download.ha.net2phone.com/com...enter7272a.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

[Apok]

oh wow, i think i jus figured it out.
i jus kept lookin for lines that didnt belong.
i have no idea wut this lines is for, so i deleted it, along wit the other searchpage lines..

O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab

it seems to be gone now, problem solved, plz delete my thread if neccesary.

[snapdragin]

Hi Apok,

You really should not be fixing anything in HijackThis by yourself without an Expert's instructions. HijackThis is a powerful tool and you could do unrepairable damage to your computer if you should happen to delete the wrong entries.

Right now you are running HijackThis from within the zipped folder. When you run it from there you will be unable to save backups. So if anything went wrong, you will be unable to use the backup feature to repair the damage.

Please create a permanent folder on your C drive for HijackThis (call it what you wish) and unzip the Hijackthis.exe file into that permanent folder.

Then do another scan and post a new log here to be checked. If you have missed anything in what you have fixed, you could end up being reinfected over and over.

Regards,

snap

[Apok]

hi snap, thx for the input..
heres my hijack log, about 3+ hours after i went delete crazy..


Logfile of HijackThis v1.97.7
Scan saved at 11:26:05 PM, on 5/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINNT\IPINSIGT.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_6390.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://download.ha.net2phone.com/com...enter7272a.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

[Pieter_Arntz]

Hi Apok,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINNT\IPINSIGT.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll

Download and run: http://www.spywareinfoforum.com/~mer...CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Then reboot.

Regards,

Pieter

[Apok]

omg thx pieter..
that dam ipinsigt.dll been on this computer since i 1st got it from gateway..
i always thought it had something to do with maintaining my ip/internet, so i didnt wanna delete it..

maybe this is why i get never ending packetloss when playin online games,
(but i still blame cox.net for most of it )

if this helps my packetloss, i will bare ur children Pieter!!

[Pieter_Arntz]

http://www.doxdesk.com/parasite/IPInsight.html