IE home page keeps changing to about:blank

Discussion in 'adware, spyware & hijack cleaning' started by devender_g, Apr 17, 2004.

Thread Status:
Not open for further replies.
  1. devender_g

    devender_g Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    6
    Hello,

    For about 2 weeks, my IE home page has kept changing to about:blank. This about:blank page is not a regular one either. It is actually a search engine.

    I ran Spybot and Spyware but they could not detect it.

    Yesterday, my computer got infected with a virus, on account of this. It is running some programs which make the CPU usage always at 100%. So my computer has become extremely slow. My memory usage is also always at around 60%. I ran Norton Antivirus. It did not detect anything.

    Any suggestions??

    Devender
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    devender,

    Please follow these instructions to the letter, and post your log please.

    regards.

    paul
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi devender,

    Please download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    If that does not help or you would like us to check for more parasites, look at the instructions posted here:
    https://www.wilderssecurity.com/showthread.php?t=15913
    You can skip the parts you already performed.

    Regards,

    Pieter

    LOL. Hi Paul. :D
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Grin...Heya, Pieter ;)

    paul
     
  5. devender_g

    devender_g Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 11:35:51 AM, on 4/17/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\system32\LEXBCES.EXE
    D:\WINNT\system32\spoolsv.exe
    D:\WINNT\System32\cisvc.exe
    D:\WINNT\System32\svchost.exe
    D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    D:\WINNT\system32\regsvc.exe
    D:\WINNT\system32\MSTask.exe
    D:\WINNT\system32\msdev32.exe
    D:\WINNT\System32\mspmspsv.exe
    D:\WINNT\Explorer.EXE
    D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    D:\WINNT\system32\taskmgr.exe
    D:\WINNT\System32\svchost.exe
    D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
    D:\WINNT\System32\cidaemon.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    D:\devender\downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.samachar.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
    R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\devender\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8D8FCC68-4F1C-44E7-8211-C0BDE8860E08} - D:\WINNT\system32\pbhocj.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [win32app] D:\WINNT\System32\winpup32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [TempRemove] "D:\DEVENDER\Crystal Ball\CB Predictor\terminator.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [WSConfiguration] winspooler.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\Run: [VidCnfg Video Configuration] msdev32.exe
    O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [WSConfiguration] winspooler.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [VidCnfg Video Configuration] msdev32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [winpopup] D:\WINNT\winupie.exe
    O4 - HKCU\..\Run: [Internet Washer Pro] D:\PROGRA~1\INTERN~2\iw.exe min
    O4 - HKCU\..\Run: [System Soap Pro] D:\Program Files\System Soap Pro\soap.exe min
    O4 - HKCU\..\Run: [SpyKiller] D:\devender\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [rate.exe] D:\WINNT\system32\i11r54n4.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: NetAssistant.lnk = D:\Program Files\NetAssistant\bin\matcli.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O15 - Trusted Zone: http://www.aimfunds.ca
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/14e75451215649cdde22/netzip/RdxIE.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab
    O16 - DPF: {45402494-F730-11D2-8A2C-0060083CFB9C} (OneClickCtl Class) - http://download.mcafee.com/netzip/Nz.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/311b66313cc20d518405/netzip/RdxIE601Arcade.cab
    O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - http://www.crystalvoicelive.com/download/CVALAX.CAB
    O16 - DPF: {6809E6DF-26CF-4E3C-9520-2D070516ED54} (ItBenIocCtrl Class) - http://email.clubs.indiatimes.com/language/itbenioc.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamesmania.com/ExentCtl.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
    O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.searchsquire.com/SearchSquire33.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.6590740741
    O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants.com/codebase/iceplayer.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B2E33483-7C10-4CF9-BFAF-842329096CCB} (ItHinIocCtrl Class) - http://email.clubs.indiatimes.com/language/ithinioc.cab
    O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - http://vad.mainentrypoint.com/dialer/bin/CE17592/dialer_activex.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://ftp.coupons.com/brxpdf5.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.exchangeexit.com/Config.cab

    Thanks Pieter for your help,
    Devender

     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi devender_g,

    Sorry it took me so long. You have a few very rare entries in there.
    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
    R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

    O2 - BHO: (no name) - {8D8FCC68-4F1C-44E7-8211-C0BDE8860E08} - D:\WINNT\system32\pbhocj.dll (file missing)

    O4 - HKLM\..\Run: [win32app] D:\WINNT\System32\winpup32.exe

    O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [WSConfiguration] winspooler.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\Run: [VidCnfg Video Configuration] msdev32.exe

    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [WSConfiguration] winspooler.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [VidCnfg Video Configuration] msdev32.exe

    O4 - HKCU\..\Run: [winpopup] D:\WINNT\winupie.exe

    O4 - HKCU\..\Run: [SpyKiller] D:\devender\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [rate.exe] D:\WINNT\system32\i11r54n4.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/14e75451215649cdde22/netzip/RdxIE.cab

    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/311b66313cc20d518405/netzip/RdxIE601Arcade.cab

    O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.searchsquire.com/SearchSquire33.CAB

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab

    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://ftp.coupons.com/brxpdf5.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.exchangeexit.com/Config.cab

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and remove:
    D:\WINNT\System32\winpup32.exe
    D:\Program Files\Internet Optimizer
    D:\WINNT\winupie.exe

    And could you zip up the following files and mail them to the address I will PM you in a moment:
    runtime.exe
    winspooler.exe
    soundman.exe
    msdev32.exe
    D:\WINNT\system32\i11r54n4.exe

    Regards,

    Pieter
     
  7. devender_g

    devender_g Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    6
    Hi Pieter,

    I am not able to run the HijackThis program. As soon as I launch the application, it opens a box and closes immediately. I cannot even ask it to fix as this thing happens in like 2 seconds.

    Further, I am also not able to send you files, as they have a virus. I cannot launch Norton Anti-Virus as the computer won't give it any CPU time. I am in a big fix!!

    Devender
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi devender_g

    Could you copy Pieter's instructions to a .txt file and put it in a location where you can easily find it. Then start your computer in Safe Mode and try opening HijackThis and following Pieter's instructions for both fixing the entries in HijackThis and running CWShredder.

    Start your computer in Safe Mode:
    - Turn off your computer, wait for 30 seconds, then turn it back on.
    - When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
    - Choose the Safe mode option by using the arrow keys.
    - Press enter.

    For the files he requested be submitted, if you zip up a copy of them they should be able to get past any email antivirus scanners.

    Let us know if the above works.

    Regards,

    snap
     
  9. devender_g

    devender_g Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    6
    Thank you Pieter and Snap,
    I went to safe mode command prompt and just deleted the msdev32.exe file. Now my computer has become fine (Touchwood!!). Since then I have also run HijackThis properly and fix checked the required files as per Pieter. After that I have run CWShredder. Earlier I actually was zipping the file with the exes that Pieter was asking for, but still both Hotmail and Yahoo were identifying that zipped file with a virus. Pieter, I do not have all the files but I will be sending you the winspooler file.

    Thanks a lot again for all the help and time
    Regards,
    Devender

     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi devender_g,

    Glad to hear you got HijackThis and CWShredder working ok.

    Could you please do another scan with HijackThis and post a new log here to be checked so we can make sure nothing was missed, or anything came back that shouldn't.

    Thank you,

    snap
     
  11. devender_g

    devender_g Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    6
    Hello Snapdragin

    Here is my updated log from Hijack This.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:52:03 PM, on 4/20/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\system32\LEXBCES.EXE
    D:\WINNT\system32\spoolsv.exe
    D:\WINNT\System32\cisvc.exe
    D:\WINNT\System32\svchost.exe
    D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    D:\WINNT\system32\regsvc.exe
    D:\WINNT\system32\MSTask.exe
    D:\WINNT\System32\WBEM\WinMgmt.exe
    D:\WINNT\System32\mspmspsv.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\Program Files\Winamp\Winampa.exe
    D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    D:\Program Files\NetAssistant\bin\mpbtn.exe
    D:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
    D:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    D:\WINNT\system32\wuauclt.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\devender\downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.samachar.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\devender\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] D:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] D:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [TempRemove] "D:\DEVENDER\Crystal Ball\CB Predictor\terminator.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Internet Washer Pro] D:\PROGRA~1\INTERN~2\iw.exe min
    O4 - HKCU\..\Run: [System Soap Pro] D:\Program Files\System Soap Pro\soap.exe min
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: NetAssistant.lnk = D:\Program Files\NetAssistant\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O15 - Trusted Zone: http://www.aimfunds.ca
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {45402494-F730-11D2-8A2C-0060083CFB9C} (OneClickCtl Class) - http://download.mcafee.com/netzip/Nz.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} (CVALAXObj Class) - http://www.crystalvoicelive.com/download/CVALAX.CAB
    O16 - DPF: {6809E6DF-26CF-4E3C-9520-2D070516ED54} (ItBenIocCtrl Class) - http://email.clubs.indiatimes.com/language/itbenioc.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamesmania.com/ExentCtl.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.6590740741
    O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants.com/codebase/iceplayer.cab
    O16 - DPF: {B2E33483-7C10-4CF9-BFAF-842329096CCB} (ItHinIocCtrl Class) - http://email.clubs.indiatimes.com/language/ithinioc.cab
    O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - http://vad.mainentrypoint.com/dialer/bin/CE17592/dialer_activex.cab

    devender
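
The re-scan requested in post 10 can be checked mechanically: parse the entries that were selected for fixing and test whether any of them still appear in the follow-up log. The script below is an added example, not part of the original thread; the function names are illustrative, and the sample lines are excerpted from the fix list in post 6 and the log in post 11. On this excerpt it reports one O16 entry from the fix list that is still present in the second scan.

```python
import re

# A HijackThis entry line is "<section> - <payload>"; the section code is a
# letter (R, F, N or O) followed by a number, e.g. R1, O4, O16.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Lines excerpted from the fix list in post 6 of the thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [VidCnfg Video Configuration] msdev32.exe
O4 - HKCU\..\Run: [rate.exe] D:\WINNT\system32\i11r54n4.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab
"""

# Lines excerpted from the follow-up log in post 11 of the thread.
AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:52:03 PM, on 4/20/2004

Running processes:
D:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.samachar.com/
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - http://www.online1net.com/kool/coolstuff4.cab
"""


def parse_entries(log_text):
    """Return the set of (section, payload) entries found in a HijackThis log.

    Header lines and the 'Running processes' list do not match ENTRY_RE and
    are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue
        section = match.group(1).upper()
        # Collapse whitespace and case-fold: forum copy/paste alters spacing,
        # and Windows paths and registry names are case-insensitive.
        payload = " ".join(match.group(2).split()).casefold()
        entries.add((section, payload))
    return entries


def verify_fix(fix_list, after_log):
    """Compare the entries selected for fixing with a later scan.

    Returns (persisting, removed): fix-list entries still present in the
    later log, and fix-list entries that no longer appear.
    """
    wanted = parse_entries(fix_list)
    after = parse_entries(after_log)
    return sorted(wanted & after), sorted(wanted - after)


if __name__ == "__main__":
    persisting, removed = verify_fix(FIX_LIST, AFTER_LOG)
    print("Removed as requested: %d" % len(removed))
    for section, payload in persisting:
        print("STILL PRESENT: %s - %s" % (section, payload))
```
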
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  13. devender_g

    devender_g Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    6
    Ok Pieter,
    Have done that.

    Devender
     