morefinders.com hijack

Discussion in 'adware, spyware & hijack cleaning' started by Clip, Jun 13, 2004.

Thread Status:
Not open for further replies.
  1. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    Hello everybody,
    i have this problem for week:
    my internet explorer homepage was changed with morefinders.com
    evenif i delete it and i set another homepage, when i reboot my computer, it come back again.

    Here i post my hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8.59.56, on 13/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAMMI\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\SYSTEM\DSLAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\APVXDWIN.EXE
    C:\WINDOWS\DESKTOP\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\DESKTOP\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\PAVPROXY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
    R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~2\NETEX\URLSEA~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\Desktop\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\WINDOWS\DESKTOP\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [CloneCDTray] "C:\WINDOWS\Desktop\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Programmi\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKCU\..\Run: [SpySweeper] C:\WINDOWS\DESKTOP\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: NetEx.LNK = C:\Program Files\NetEx\netex.exe
    O4 - Startup: SpywareGuard.lnk = C:\WINDOWS\Desktop\SpywareGuard\sgmain.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38115.4352314815
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Clip !

    Welcome to Wilders :)

    Please Go to http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe , and download the latest version of CWShredder by Merijn Bellekom, the creator of Hijack This.

    Run it, press Fix,(Not 'scan only') and allow it to fix all it finds.

    After its done its thing hit the How do i prevent reinfection tab....

    In particular pay attention to the patches for the operating system regarding the ByteVerify vulnerability which is how you got infected in the 1st place.

    When it is finished restart your computer. Rescan your machine with Hijackthis and show us a fresh log.

    With Thanks !
    Newkid !
     
  3. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    I followed all your instrunctions.
    I downloaded the internet explorer patch too by windows update.
    This is the hijackthis log after reboot:

    Logfile of HijackThis v1.97.7
    Scan saved at 13.50.41, on 13/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAMMI\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\SYSTEM\DSLAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\APVXDWIN.EXE
    C:\WINDOWS\DESKTOP\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\DESKTOP\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\PAVPROXY.EXE
    C:\WINDOWS\DESKTOP\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da VirgilioTin
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
    R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~2\NETEX\URLSEA~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\Desktop\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\WINDOWS\DESKTOP\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Programmi\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKCU\..\Run: [SpySweeper] C:\WINDOWS\DESKTOP\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: NetEx.LNK = C:\Program Files\NetEx\netex.exe
    O4 - Startup: SpywareGuard.lnk = C:\WINDOWS\Desktop\SpywareGuard\sgmain.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Umail (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38115.4352314815

    After i installed the patches, i had this message from my firewall:

    Personal Firewall has detected that application IEXPLORER.EXE was replaced by another application with description "Internet Explorer".
    Do you want to accept replacement of this application?

    Then i clicked on Yes.
    I think it's normal i had this message, because with the patches i upgrated internet explorer version too and on the bar in the bottom i have the old Internet Explorer (that i deleted) and the new one.
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Clip,

    Please close down all the browser windows and other window instances & have hijackthis fix the following entries :

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
    R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~2\NETEX\URLSEA~1.DLL


    Restart your machine, Rescan your machine with Hijackthis and show us a fresh log.

    Are you aware about the program named NETEX ? Can you put some light on it ?

    With Thanks !
    Newkid !
     
  5. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    After the IE patch and after i fixed the entries with hijackthis, i made a reboot of my computer and i run hijackthis again.
    I noticed morefinders.com entries did not come back :D :) :D !
    This is the hijackthis log after reboot:

    Logfile of HijackThis v1.97.7
    Scan saved at 19.20.39, on 13/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAMMI\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\SYSTEM\DSLAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\APVXDWIN.EXE
    C:\WINDOWS\DESKTOP\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\DESKTOP\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\PAVPROXY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da VirgilioTin
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\Desktop\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\WINDOWS\DESKTOP\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Programmi\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKCU\..\Run: [SpySweeper] C:\WINDOWS\DESKTOP\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: NetEx.LNK = C:\Program Files\NetEx\netex.exe
    O4 - Startup: SpywareGuard.lnk = C:\WINDOWS\Desktop\SpywareGuard\sgmain.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Umail (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38115.4352314815

    netex program is ok. It comes in the cd-rom of the drivers of the modem and the programs that my provider sent me.
    I hope the problem is finally solved now.
     
  6. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
  7. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    When i noticed to be infected, in the dangerous sites section, a lot of porn sites adresses have come.
    Why in the place where i add the dangerous and untrusted sites, when i delete them they continue to return evenif i don't reboot my computer? o_O
    Everytime i delete those sites adresses, SpywareGuard show me messages like:

    Your Internet Explorer current user homepage has been changed from
    http://www.microsoft.com
    to
    http://www.microsoft.com
     
  8. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    I am continueing to have this message from Spywaevery times i enter in a new internet page :(

    Your Internet Explorer current user homepage has been changed from
    http://www.microsoft.com
    to
    http://www.microsoft.com

    Then i have to click on a button:
    Restore old value (button) Keep new value (button)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Clip,

    Just curious. Do you have another program that is watching your Homepage as well? (Like Spysweeper for instance)

    Regards,

    Pieter
     
  10. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    yes, i also have Spysweeper watching my homepage.
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I would disable that option in one of the two then. Looks like they are conflicting.
    I have seen something similar with AdWatch and SpywareGuard.

    Regards,

    Pieter
     
  12. Clip

    Clip Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    7
    ok, i'll do so then, thanks
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    No problem. Keep us posted.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.