hijacked IE home page

hillbilly · Jan 28, 2004

A search engine took over my home page and greyed it out and I can't change it back. Can someone tell me how to do this. I'm 67 dumb about computers so a step by step help would sure be nice. Thank you very much. I have Search and destroy running, trojan hunter, and they show nothing. Have AVG and Nortons running they show nothing.

subratam · Jan 29, 2004

hey hillbilly ,

welcome to wilders mate

will you please follow these instructions

thx

hillbilly · Jan 29, 2004

hijacked home page greyed out

I ran Spy bottom search and destroy. I also ran cw shredder and it said that a couple of files were locked. Then I ran hijack this and the log is here.

Logfile of HijackThis v1.97.7
Scan saved at 12:28:33 AM, on 1/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
F:\Program Files\3aLab\iRadio\iRadio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\crmatthews\Desktop\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Not Available
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

subratam · Jan 29, 2004

Re:hijacked home page greyed out

hey hillbilly,

Close all browser windows - run hijackthis and tick to fix :-
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

reboot and post your fresh log

thx

Pieter_Arntz · Jan 29, 2004

Re:hijacked home page greyed out

quoting: subratam link=board=17;threadid=20664;start=0#msg125210 date=1075355492]
hey hillbilly,

Close all browser windows - run hijackthis and tick to fix :-
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

reboot and post your fresh log

thx
Click to expand...

Correction.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab

Then reboot.

Regards,

Pieter

hillbilly · Jan 29, 2004

Has anyone got to take a look at my log file? I also ran Adaware and it showed nothing. How can I find the lock files that cwshredder said were locked. It said to unlock the last two items in spybot but I don't find any items listed in spybot. I clicked on everything in spybot and nothing showed to give me a clue to what cw is saying.
Thanks for any help. My page is still greyed out. This prevents me from changing it. Can I get a copy of IE 6 and reinstall it? would that fix it?

hillbilly · Jan 29, 2004

Here is the new log after deleteing or fix R3 and F2

Logfile of HijackThis v1.97.7
Scan saved at 2:13:10 PM, on 1/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
G:\program files\SpamButcher\spambutcher.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Agent\agent.exe
F:\Program Files\3aLab\iRadio\iRadio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\crmatthews\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Not Available
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [IELoader32] iexplore32.exe
O4 - HKLM\..\Run: [SKYICO.exe] C:\WINDOWS\SKYICO.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

hillbilly · Jan 29, 2004

Here is the new log after going back and deleteing or fix of O16-Dpf (211977

Logfile of HijackThis v1.97.7
Scan saved at 2:18:21 PM, on 1/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
G:\program files\SpamButcher\spambutcher.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Agent\agent.exe
F:\Program Files\3aLab\iRadio\iRadio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\crmatthews\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Not Available
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [IELoader32] iexplore32.exe
O4 - HKLM\..\Run: [SKYICO.exe] C:\WINDOWS\SKYICO.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Pieter_Arntz · Jan 29, 2004

Hi hillbilly,

You seem to have acquired some new malware along the way.
http://www.sophos.com/virusinfo/analyses/w32specxa.html

Have HijackThis Fix:
O4 - HKLM\..\Run: [IELoader32] iexplore32.exe

Then reboot into safe mode and delete:
iexplore32.exe <= exactly that name, NOT anything resembling it.

Regards,

Pieter

hillbilly · Jan 29, 2004

I told you I was sure dumb How do I boot to safe mode and delete iexplore32.exe. Also I saw somewhere a program that would tell me when something was trying to change my home page. Can you tell me where to find it. Thanks

Pieter_Arntz · Jan 29, 2004

Hi hillbilly,

How to start your computer in safe mode

To delete the file, I just realized you may be better off running an online virusscan: http://housecall.antivirus.com/

Regards,

Pieter

subratam · Jan 29, 2004

quoting: hillbilly link=board=17;threadid=20664;start=0#msg125462 date=1075404631]
Also I saw somewhere a program that would tell me when something was trying to change my home page. Can you tell me where to find it. Thanks
Click to expand...

maybe you are looking for spywareguard (download from BTN mirror)

thx

hillbilly · Jan 29, 2004

House call did not find anything. I had delete the logfile with hijack And here is the log now. The program I was looking for was listed on cwshredder Startpage Guard. I had used F8 to safe mode and did a search for iexplore32.exe and nothing was found. The page is still greyed out says in it about.blank. I see in the log file a line that says start page= Is there a way to type in google.com? heres log and thanks for taking the time to help. I would be lost without you. I would have reformated the drive.

Logfile of HijackThis v1.97.7
Scan saved at 3:39:23 PM, on 1/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
G:\program files\SpamButcher\spambutcher.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\crmatthews\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SKYICO.exe] C:\WINDOWS\SKYICO.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Pieter_Arntz · Jan 29, 2004

quoting: hillbilly link=board=17;threadid=20664;start=0#msg125507 date=1075409161]
The page is still greyed out says in it about.blank. I see in the log file a line that says start page= Is there a way to type in google.com?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Click to expand...

Have HijackThis fix the entry I quoted above and you should be able to change your Startpage the normal way.

Regards,

Pieter

hillbilly · Jan 29, 2004

All I can say is God bless you. That worked sure wish I had 1/2 the brains you do. I sure get upset not being able to do things with a computer. THANK YOU VERY VERY MUCH.

Pieter_Arntz · Jan 30, 2004

Glad we could help.

Pieter

hillbilly · Jan 30, 2004

I downloaded the Spy file that was recommended and it has a sgmain.exe that causes a BPSSR to try to load. I tried to uninstall it and it left 2 dll that won't delete. Also I thought I would run hijack this and copy the log and let you look at it. But the hijack this does not have the check boxes next to the items. So one could not delete or fix these if you said to. Have any ideal about this.

Pieter_Arntz · Jan 31, 2004

Hi hilbilly,

Read this for the Uninstall of SpywareGuard: http://www.wilderssecurity.com/showthread.php?t=20200

I am in the dark about the problems with HijackThis you describe. It did work before, and there are no reports of the checkboxes disappearing I know of.

Regards,

Pieter

hillbilly · Jan 31, 2004

When I opened the spywareguard then I got a bprrs trying to start every time I try to open another program. Also it put iexplore32.exe in the reg which I deleted. And now when I start my machine I get a silver or gray line about 1/2 inch high across the bottom of the screen. My easy cd creator 5 which I use to make slide shows puts a red circle with a diagonal across it on every picture and will not allow me to make a slide show. I ran housecall and nothing was found. I guess I need to uninstall hijack this and see if a reinstall will straighten it out. That is all the problems that I know of as of now. Thanks

hillbilly · Jan 31, 2004

I reinstalled hijack this still no check boxes. Tried to go to tom coyoto web site to see if I could get an answer but can't get a question on the chat room the top is grabbled. Don't see any place to email someone. Does anyone know why that hijack doesn't have check boxes today after working the last couple of days. Must still be something on my machine. Thanks

subratam · Jan 31, 2004

hey hill,

can you post a pic of the hijackthis box you are getting??
(if you dunno by any chance how to post an image,

quoting: Wayne - DiamondCS link=board=9;threadid=20526;start=0#msg124741 date=1075257762]
Just press the PrintScrn key on your keyboard to take a snapshot of the entire screen (the image is copied to the clipboard, so you can then just load a graphics program such as Paint or Photoshop and press Ctrl+V to paste the image). The key is somewhat a 'leftover' of the old DOS days when pressing the key would send the data straight to your dot matrix printer.
To capture just the current window, use Alt+PrintScrn.
Click to expand...

and then save it as either .gif or any image format and post the attach.
lets see whats actually the problem you are facing

hillbilly · Jan 31, 2004

Something won't let me capture the screen I have a program to do that and it now gives me an error. My email program has grayed out boxes so does eudora. I have log can you see anything wrong?

Logfile of HijackThis v1.97.7
Scan saved at 1:02:51 PM, on 1/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
G:\program files\SpamButcher\spambutcher.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
G:\program files\Qualcomm\Eudora\Eudora.exe
F:\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SKYICO.exe] C:\WINDOWS\SKYICO.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IELoader32] iexplore32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

hillbilly · Jan 31, 2004

Ran spybot again this time it found two dlls I delete them and now have a new log. It shows I think iexplore32.exe in ie loader O4 Hklm. Is that the virus again?

Logfile of HijackThis v1.97.7
Scan saved at 4:25:27 PM, on 1/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
G:\program files\SpamButcher\spambutcher.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
F:\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SKYICO.exe] C:\WINDOWS\SKYICO.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IELoader32] iexplore32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

hillbilly · Jan 31, 2004

Has anybody looked at the two above messages? I just got an email saying they had received a virus from me by email someone I have never heard of.

snowbound · Jan 31, 2004

Hi hillbilly

Looks like u are infected again

Please repeat instructions that Pieter gave u in reply#8 in this thread.

snowbound

Log in or Sign up

hijacked IE home page

hillbilly Registered Member

subratam Registered Member

hillbilly Registered Member

subratam Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

hillbilly Registered Member

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

subratam Registered Member

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

hillbilly Registered Member

subratam Registered Member

hillbilly Registered Member

hillbilly Registered Member

hillbilly Registered Member

snowbound Retired Moderator

Log in or Sign up

hijacked IE home page

hillbilly Registered Member

subratam Registered Member

hillbilly Registered Member

subratam Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

hillbilly Registered Member

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

subratam Registered Member

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

Pieter_Arntz Spyware Veteran

hillbilly Registered Member

hillbilly Registered Member

subratam Registered Member

hillbilly Registered Member

hillbilly Registered Member

hillbilly Registered Member

snowbound Retired Moderator

Useful Searches