IE home page keeps changing to about:blank

Hello,

Since about 2 weeks, my IE home page keeps changing to about:blank. This about:blank page is not regular one either. It is actually a search engine.

I ran Spybot and Spyware but they could not detect it.

Yesterday, my computer got infected with a virus, on account of this. It is running some programs which makes the CPU usage always at 100%. So my computer has become extremely slow. My memory usage is also always at around 60%. I ran Norton Antivirus. It did not detect anything.

Any suggestions??

Devender

 

Hi devender,

Please download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

If that does not help or you would like us to check for more parasites, look at the instructions posted here:
https://www.wilderssecurity.com/showthread.php?t=15913
You can skip the parts you already performed.

Regards,

Pieter

LOL. Hi Paul.

 

Logfile of HijackThis v1.97.7
Scan saved at 11:35:51 AM, on 4/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\cisvc.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\msdev32.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINNT\system32\taskmgr.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
D:\WINNT\System32\cidaemon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
D:\devender\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.samachar.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\devender\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D8FCC68-4F1C-44E7-8211-C0BDE8860E08} - D:\WINNT\system32\pbhocj.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [win32app] D:\WINNT\System32\winpup32.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TempRemove] "D:\DEVENDER\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [smrtdrv] runtime.exe
O4 - HKLM\..\Run: [WSConfiguration] winspooler.exe
O4 - HKLM\..\Run: [soundman] soundman.exe
O4 - HKLM\..\Run: [VidCnfg Video Configuration] msdev32.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
O4 - HKLM\..\RunServices: [WSConfiguration] winspooler.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [VidCnfg Video Configuration] msdev32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winpopup] D:\WINNT\winupie.exe
O4 - HKCU\..\Run: [Internet Washer Pro] D:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [System Soap Pro] D:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [SpyKiller] D:\devender\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [rate.exe] D:\WINNT\system32\i11r54n4.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NetAssistant.lnk = D:\Program Files\NetAssistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: http://www.aimfunds.ca
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/14e75451215649cdde22/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab
O16 - DPF: {45402494-F730-11D2-8A2C-0060083CFB9C} (OneClickCtl Class) - http://download.mcafee.com/netzip/Nz.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/311b66313cc20d518405/netzip/RdxIE601Arcade.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - http://www.crystalvoicelive.com/download/CVALAX.CAB
O16 - DPF: {6809E6DF-26CF-4E3C-9520-2D070516ED54} (ItBenIocCtrl Class) - http://email.clubs.indiatimes.com/language/itbenioc.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamesmania.com/ExentCtl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.searchsquire.com/SearchSquire33.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.6590740741
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants.com/codebase/iceplayer.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {B2E33483-7C10-4CF9-BFAF-842329096CCB} (ItHinIocCtrl Class) - http://email.clubs.indiatimes.com/language/ithinioc.cab
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - http://vad.mainentrypoint.com/dialer/bin/CE17592/dialer_activex.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://ftp.coupons.com/brxpdf5.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.exchangeexit.com/Config.cab

Thanks Pieter for your help,
Devender

 

Hi devender_g,

Sorry it took me so long. You haave a few very rare entries in there.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: (no name) - {8D8FCC68-4F1C-44E7-8211-C0BDE8860E08} - D:\WINNT\system32\pbhocj.dll (file missing)

O4 - HKLM\..\Run: [win32app] D:\WINNT\System32\winpup32.exe

O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [smrtdrv] runtime.exe
O4 - HKLM\..\Run: [WSConfiguration] winspooler.exe
O4 - HKLM\..\Run: [soundman] soundman.exe
O4 - HKLM\..\Run: [VidCnfg Video Configuration] msdev32.exe

O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
O4 - HKLM\..\RunServices: [WSConfiguration] winspooler.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [VidCnfg Video Configuration] msdev32.exe

O4 - HKCU\..\Run: [winpopup] D:\WINNT\winupie.exe

O4 - HKCU\..\Run: [SpyKiller] D:\devender\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [rate.exe] D:\WINNT\system32\i11r54n4.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/14e75451215649cdde22/netzip/RdxIE.cab

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/311b66313cc20d518405/netzip/RdxIE601Arcade.cab

O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.searchsquire.com/SearchSquire33.CAB

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://ftp.coupons.com/brxpdf5.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.exchangeexit.com/Config.cab

Then download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Then reboot and remove:
D:\WINNT\System32\winpup32.exe
D:\Program Files\Internet Optimizer
D:\WINNT\winupie.exe

A[nd could you zip up the following files and mail them to the address I will PM you in a moment:
runtime.exe
winspooler.exe
soundman.exe
msdev32.exe
D:\WINNT\system32\i11r54n4.exe

Regards,

Pieter

 

Hi Pieter,

I am not able to run the HijackThis program. As soon as I launch the application, it opens a box and closes immediately. I cannot even ask it to fix as this thing happens in like 2 seconds.

Further, I am also not able to send you files, as they have virus. I cannot launch Norton Anti-Virus as computer won't give it any CPU time. I am in a big fix!!

Devender

 

Hi devender_g

Could you copy Pieter's instructions to a .txt file and put it in a location where you can easily find it. Then start your computer in Safe Mode and try opening HijackThis and following Pieter's instructions for both fixing the entries in HijackThis and running CWShredder.

Start your computer in Safe Mode:
- Turn off your computer, wait for 30 seconds, then turn it back on.
- When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
- Choose the Safe mode option by using the arrow keys.
- Press enter.

For the files he requested be submitted, if you zip up a copy of them they should be able to get past any email antivirus scanners.

Let us know if the above works.

Regards,

snap

 

Thank you Pieter and Snap,
I went to safe mode command prompt and just deleted the msdev32.exe file. Now my computer has become fine (Touchwood!!). Since then I have also run HijackThis properly and fix checked the required files as per Pieter. After that I have run CWShredder. Earlier I actually was zipping the file with the exes that Pieter was asking but still both Hotmail and Yahoo were identifying that zipped file with a virus. Pieter I do not have all the files but I will be sending you the winspooler file.

Thanks a lot again for all the help and time
Regards,
Devender

 

Hi devender_g,

Glad to hear you got HijackThis and CWShredder working ok.

Could you please do another scan with HijackThis and post a new log here to be checked so we can make sure nothing was missed, or anything came back that shouldn't.

Thank you,

snap

 

Hello Snapdragin

Here is my updated log from Hijack This.

Logfile of HijackThis v1.97.7
Scan saved at 9:52:03 PM, on 4/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\cisvc.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Winamp\Winampa.exe
D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\NetAssistant\bin\mpbtn.exe
D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
D:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\devender\downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.samachar.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\devender\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TempRemove] "D:\DEVENDER\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Internet Washer Pro] D:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [System Soap Pro] D:\Program Files\System Soap Pro\soap.exe min
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NetAssistant.lnk = D:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: http://www.aimfunds.ca
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {45402494-F730-11D2-8A2C-0060083CFB9C} (OneClickCtl Class) - http://download.mcafee.com/netzip/Nz.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - http://www.crystalvoicelive.com/download/CVALAX.CAB
O16 - DPF: {6809E6DF-26CF-4E3C-9520-2D070516ED54} (ItBenIocCtrl Class) - http://email.clubs.indiatimes.com/language/itbenioc.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamesmania.com/ExentCtl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.6590740741
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants.com/codebase/iceplayer.cab
O16 - DPF: {B2E33483-7C10-4CF9-BFAF-842329096CCB} (ItHinIocCtrl Class) - http://email.clubs.indiatimes.com/language/ithinioc.cab
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - http://vad.mainentrypoint.com/dialer/bin/CE17592/dialer_activex.cab

devender

 

Hi devender_g,

Two more entries that we overlooked before:
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab

O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - http://vad.mainentrypoint.com/diale...ler_activex.cab

Fix them with HijackThis and reboot.
The rest looks good.

Regards,

Pieter

 

Ok Pieter,
Have done that.

Devender