hijacked IE home page

I tried that but hijack does not have the check boxes at the beginning of each line. I high lited the line and it says nothing selected. I reinstalled it and its the same. The virus is stopping hijack. I have tried to go to the web site of Coyoto and hes moving the page. Went to the forum and registered but can't prove my email due to the links sent go to the url thats being moved. Can someone tell me how to delete this manually? Housecall doesn't show it and my Nortons or AVG does not show a virus. Now what do I need to wipe the drive and format it? Thanks

 

Did u follow these instructions?

http://www.sophos.com/virusinfo/analyses/w32specxa.html




snowbound

 

When u try to remove it manually, make sure to disable systems restore first. Here's how,

http://www.pchell.com/virus/systemrestore.shtml

This could be why u are being reinfected.




snowbound

 

some inputs from my side

do visit here too

http://www.sophos.com/virusinfo/analyses/w32spybotaa.html

and just was wondering

O4 - HKLM\..\Run: [SKYICO.exe] C:\WINDOWS\SKYICO.exe

was anything good

thx

 

System restore has been turned off for two months. I will delete Skyico. I have now ask the check box question on Coyoto's site. Also the virus or trojan has wiped all microsoft icons off my desktop. Ones for IE and my computer and another that I don't remember what it was. Also I have 3 HD so it could be in one of these also. But the checkers say they are clean. CWshredder says everything is clean. Thanks for the help.

 

The thing has deleted my items from start menue like run search and all the others. How can I get them back and how can I put a MY Computer icon back on the desktop'
Did a search for SKYICO and it doesn't show went into the windows folder and its not there but when I run hijack this it shows. I have folder options unchecked to show hidden files and folders extentions. This thing is driving me crazy. I'll delete the items in the reg.

 

OK here is a new log see if you see anything in it. The SKYICO was in the reg with the iexplore32 neither showed on a search or find. Deleted them both. Hijack this now works without the chech boxes. Now when you hi light it and click again a check mark shows. That wasn't doing before. Still can't make a print screen of it or copy with another program maybe after reinstall.
Thanks to all of you for worrying with this old man.

Logfile of HijackThis v1.97.7
Scan saved at 5:24:39 PM, on 2/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
G:\program files\SpamButcher\spambutcher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\VSTASCAN\vsaccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
F:\Program Files\3aLab\iRadio\iRadio.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\junk\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker&Trojan Expert\Firewall.exe
O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamButcher.lnk = G:\program files\SpamButcher\spambutcher.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink Glanda\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Sothink SWF Decompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.540787037
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab