Help - Hijacked Home Page!!!

Discussion in 'adware, spyware & hijack cleaning' started by mswsla, May 27, 2004.

Thread Status:
Not open for further replies.
  1. mswsla

    mswsla Registered Member

    Joined:
    May 27, 2004
    Posts:
    6
    I am new to this forum so bare with me. I have a problem...My home page has been hijacked to the "adult" search page and no matter how many times I change it in the Tools bar, it will reappear after 2 or 3 new searches. I have been dealing with this for days now.

    Also... there are quite a few adult/porno sites listed in my *favorites* and I know I didn't put them there. I will delete them and shortly after, they will reappear again.

    I have used SpyBot S&D (first used 2 weeks ago and it found some 80 problems!!). Now here we are again and I don't know what to do. Please help me. I am probably sounding like a complete idiot, though I have tried everything I know *how* to do.

    Please, please, PLEASE let me know what I need to do (or send you) in order for you to be able to help me.
    Thank you - MSWSLA

    Here is my HijackThis Log

    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:14 PM, on 5/27/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.insightbb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.insightbb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.insightbb.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.insightbb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.info/
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\z3hfxp696da.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: winlogin.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\WINDOWS\testfile.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085512675186
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.ea.com/downloads/games/common/ieell.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38104.6819444444
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plugin/upload/YGPPicFinder.8.0.3.0.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi mswsla,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.insightbb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.insightbb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.insightbb.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.insightbb.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.info/
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\z3hfxp696da.dll

    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

    O4 - Global Startup: winlogin.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\WINDOWS\testfile.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\Program Files\Q330994.exe
    C:\WINDOWS\testfile.exe
    C:\WINDOWS\System32\sysstartup.exe

    Regards,

    Pieter
     
  3. mswsla

    mswsla Registered Member

    Joined:
    May 27, 2004
    Posts:
    6
    OK...first, thank you for the quick response!!!

    Secondly, I did what you told me to do and when I went to hit "Fix Selected" in Hijackthis, it told me that "04-Global Startup: winloginexe may be in use". I closed everything before I started too. When it told me to try again, I did, same thing. Could it be because I am using a cable modem for my Internet which automatically logs me on when I turn on my computer? Is this a problem?? What can I do (or what do I have to do) to make this work?

    SO...I only followed your instructions through hijackthis (I did not download what you told me to or reboot in safe mode and delete the items you mentioned). I wasn't sure if I should since all of the items wouldn't delete through hijackthis.

    Also...after deleting all of the stuff you told me to through hijackthis, AboutBlank is my new home page.

    HELP!!
    SW
     
    Last edited: May 28, 2004
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I will need some more information.

    1 Can you change your home page (IE > Tools > Internet-options > General tab)
    2 If you do, does it stay at the set value?

    3 Post a new HijackThis log after you updated IE and Windows.

    Regards,

    Pieter
     
  5. mswsla

    mswsla Registered Member

    Joined:
    May 27, 2004
    Posts:
    6
    Pieter - It wasn't letting me reset my Homepage before, but now it seems to be allowing me to do so. The homepage I designated even stayed after I rebooted. Hmmmm...

    Here is my most recent log. Let me know if you still want me to do anything else (i.e. what you mentioned in the earlier post). Could this thing really be fixed? Waiting anxiously to hear back from you and THANKS so much!!!!
    Steph


    Logfile of HijackThis v1.97.7
    Scan saved at 10:42:01 AM, on 5/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085512675186
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.ea.com/downloads/games/common/ieell.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38104.6819444444
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plugin/upload/YGPPicFinder.8.0.3.0.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    You can Fix this one with HijackThis:
    O4 - Global Startup: winlogin.exe
    But it loks to me like it's no longer active.

    See if you can find a file called winlogin.exe and let me know.
    You will still need to visit Windows Update.

    Regards,

    Pieter
     
  7. mswsla

    mswsla Registered Member

    Joined:
    May 27, 2004
    Posts:
    6
    I did a search for the winlogin.exe file, per your request, though the only time it came up was in the backup files of HijackThis.

    I tired, once again, to remove the 04 Global Startup winlogin.exe through hijackthis, though it says that the program is in use, even though I have closed out of everyting before running the fix. I mentioned this earlier...that as soon as I turn my computer ON in the mornings, it automatically logs me on to the Internet, I don't need to dial up and even when I close out of it or Exit IE, I am still connected until I shut my computer down for the night. That is why it states that the program is still running even though there is nothing in my task manager showing it is there. Am I making any sense? Should I do anything else...or just pray this is fixed? All seems to be "OK"...my homepage is still my designated site.

    THANKS SO MUCH for all of your help. You are the absolute best!!!
    Steph
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I would like to see another HijackThis log. Just to make sure.

    Regards,

    Pieter
     
  9. mswsla

    mswsla Registered Member

    Joined:
    May 27, 2004
    Posts:
    6
    Here is the log per your request:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:18:19 PM, on 6/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085512675186
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.ea.com/downloads/games/common/ieell.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38104.6819444444
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plugin/upload/YGPPicFinder.8.0.3.0.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi mswsla,

    Have HijackThis Fix:
    O4 - Global Startup: winlogin.exe

    Then reboot into safe mode and delete:
    c:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.