Hijacked IE Browser Start Page

Ran Spybot S&D as instructed.

The problem I have is that my IE browser start page gets repeatedly changed even though
I keep changing it back to what I want.
Tried Spyware Blaster.
No matter what I do, it keeps changing to 1 of 2 URLs.
The Start Pages that keep showing up are:
http://t.rack.cc/hp.php
or
http://t.rack.cc/sp.php

I see both of those in the log below
Please help me prevent these from taking over my start page.
************************
Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:00:46 PM, on 12/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelly's\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=dticon005&c=3c01&lc=0409
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\mscfhf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchIt&! - {21301D69-B8F1-46AA-B0B5-09EE2285914C} - C:\WINDOWS\ctb\CustomToolbar.dll
O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Print Spool] PrnSpool.exe
O4 - HKLM\..\Run: [ovxpkxpi] C:\WINDOWS\System32\ovxpkxpi.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [Print Spool] PrnSpool.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: -
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: http://www.cash2nv.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93855FEF-8F76-4AB4-88B4-E491029CED7F}: NameServer = 64.105.97.90 64.105.113.138

**********************
Thanks for any help

 

Hi ekelly,

Have only HijackThis running and fix :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/hp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/hp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=dticon005&c=3c01&lc=0409

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\mscfhf.dll
O2 - BHO: (no name) - {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - (no file)

O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)

O4 - HKLM\..\Run: [ovxpkxpi] C:\WINDOWS\System32\ovxpkxpi.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409

Did you add this yourself into the trusted zone? :

O15 - Trusted Zone: http://www.cash2nv.com

If you did and you plan on keeping it there, you can add it to the ignore list with HijackThis, if you didnt, you can fix that one also.

Reboot after doing all this and remove :

C:\WINDOWS\System32\ovxpkxpi.exe <- this file (make sure hifdden files are set to show : here's how)
sys.reg <- this file (if still present) You can search via start -> search -> files/folders

Hope this helps,

Keep us posted

Cheers,

 

OK, did all as instructed.
When I connected to internet after rebooting, the home page was set to about.blank
PERFECT! Ready to start fresh.

I have one question though (actually two)

You said to remove:
C:\WINDOWS\System32\ovxpkxpi.exe
(It was non-existant when I checked after rebooting)

and to remove:
sys.reg (if still present)

I did a search and found this:

sys (not sys.reg just plain sys)
Type of file: Registration Entries
Opens With: Registry Editor
Location: C:\WINDOWS
Created: Sunday, December 07, 2003 (that makes sense)
Modified: Today, December 09, 2003
Accessed: Today, December 09, 2003

When I double clicked on it, I got this message:
Are you sure you want to add the information in C:\WINDOWS\sys.reg to the registry?

Is this the file you meant for me to delete?
Again, it is not showing in the search results as sys.reg......just sys

Thanks

 

Hi ekelly,

I hope you clicked no at that prompt, about merging it with the registry, or else the hijack will be back.
That is the file you should delete.

Read this on how to make your computer show the extra info that may come in very handy sooner or later:
http://www.granneman.com/techinfo/windows/showexte/index

Regards,

Pieter

 

I clicked "no".
I did delete that file and all is well

I am so glad I found this forum.

Thank you Unzy and Pieter!

 

Glad we could help, ekelly.

Pieter