Old 12-09-2007, 01:37 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


IE browser hijacked - home page problem

Hi Folks, I had hoped that I would never need your help again after your sterling work cleaning up my system last year (*thanks* again!). But somehow something has slipped in...

I am unable to reset my IE homepage, it always defaults to: http://www.keyitaly.com/property/188881/gallery/ and occasionally when I key in a web address it goes somewhere completely different. I've run Adaware and Spybot SD and nothing is found.

I can see that you are extremely busy but any help you can give will be gratefully received. Below is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:27:21 PM, on 09-12-07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab

Panda Active Scan result that I last ran.

Incident | Status | Location
Potentially unwanted tool:application/regclean32 | Not disinfected | C:\WINDOWS\Application Data\Registry Cleaner
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\Desktop\SDFix.zip[SDFix/Process.exe]
Spyware:Cookie/Serving-sys | Not disinfected | C:\WINDOWS\Cookies\arwen@serving-sys[1].txt
Potentially unwanted tool:Application/Processor | Not disinfected | C:\DoctorWeb\Quarantine\Process.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\DoctorWeb\Quarantine\Process0.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\DoctorWeb\Quarantine\Process1.exe


I also note that I am running an old level of HJT. Do you need a log from the latest version?

Please accept my apologies.

TIA CB

Last edited by Countryboy; 12-09-2007 at 01:56 PM. Reason: Additional information added (Panda Active scan results)
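
Added example (not part of the original post and not HijackThis's own code): a small Python parser for the entry lines of a log like the one above, splitting each entry into its section code and body and attaching review notes. The three heuristics (proxy setting, autostart command without a full path, "(file missing)" suffix) and all function names are assumptions of this example; the sample is a constructed subset of the posted log.

```python
import re

# Constructed sample: a subset of the entry lines from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
"""

# Section codes that occur in the posted log, with their usual meaning.
SECTIONS = {
    "R1": "IE start/search page or proxy setting",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry",
    "O9": "extra IE button or Tools menu item",
    "O12": "IE plugin",
    "O16": "downloaded ActiveX control (DPF)",
}

ENTRY_RE = re.compile(r"^([FNOR]\d{1,2}) - (.+)$")   # e.g. "O4 - <body>"
RUN_RE = re.compile(r"^\S+: \[([^\]]+)\] (.+)$")     # "<key>: [name] command"
LOOPBACK = {"localhost", "127.0.0.1"}


def parse_entries(text):
    """Return (code, body) per entry line; headers and process paths are skipped."""
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]


def proxy_hosts(body):
    """Host names in a ProxyServer value such as 'http=h:8080;https=h:8080'."""
    value = body.split("=", 1)[1].strip()
    hosts = set()
    for part in value.split(";"):
        hostport = part.split("=")[-1].strip()
        if hostport:
            hosts.add(hostport.rsplit(":", 1)[0].lower())
    return hosts


def program_of(command):
    """First token of an autostart command, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def review_notes(code, body):
    """Heuristic notes (assumptions of this example, not HijackThis verdicts)."""
    notes = []
    if code == "R1" and "ProxyServer" in body:
        hosts = proxy_hosts(body)
        where = "on this machine" if hosts and hosts <= LOOPBACK else "on another host"
        notes.append(f"IE uses a proxy {where} ({', '.join(sorted(hosts))}); "
                     "identify the program that owns it")
    if code == "O4":
        m = RUN_RE.match(body)
        if m and "\\" not in program_of(m.group(2)):
            notes.append(f"autostart '{m.group(1)}' has no full path; "
                         "confirm which file the search path resolves to")
    if body.endswith("(file missing)"):
        notes.append("referenced file is missing; likely an orphaned entry")
    return notes


def triage(text):
    """Parse a log and attach section meaning and review notes to each entry."""
    return [
        {"code": code, "section": SECTIONS.get(code, "other"), "body": body,
         "notes": review_notes(code, body)}
        for code, body in parse_entries(text)
    ]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        for note in entry["notes"]:
            print(f"{entry['code']:>3} [{entry['section']}] {note}")
            print(f"      {entry['body']}")
```

A note only marks an entry for a closer look; it does not say the entry is malicious.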

Old 12-14-2007, 08:06 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Hello Countryboy,

If you still require assistance, I'd like a bit more information.

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here, along with a new HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-15-2007, 08:41 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, thanks for your help. Herewith the files that you asked for:

7-Zip 4.32
AceFTP 3 Freeware
Ad-aware 6 Personal
Adobe Acrobat 4.0, 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe PhotoDeluxe Home Edition 3.1
Adobe Reader 6.0.1
Adobe Type Manager
ArcSoft VideoImpression 1.6
Atomic Clock Sync
BCWipe 2.0
BT Openworld
BTO Connect PAYG Dialler Manager 3.3
ClearSkinFX for Digital Cameras
Cryptainer LE
DAEMON Tools
Delete Windows 98 Second Edition uninstall information
Digital Camera Enhancer 1.3
DP Editor Ver.1.0
Evidence Eliminator
Exif Launcher Ver.1.1
exPressIT 5
FilterSIM for Digital Cameras
FinePixViewer Ver.1.1
HijackThis 1.99.1
Hitware Popup Killer Lite 3.0.1.12
HSP56 MR Drivers
IBM Infoprint Color 8 Software
IDcide Privacy Companion
InCD (ahead software)
IrfanView (remove only)
Kai's Power SHOW
Kaspersky Online Scanner
KeyMaestro Multimedia Driver V1.02.00
Lexmark X73
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Dreamweaver 4
Macromedia Flash Player 8
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft DirectX Transform optional components
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 97, Professional Edition
Microsoft Outlook Express 6
Microsoft Publisher 2000 SR-1
Microsoft VGX Q833989
Microsoft Windows Critical Update Notification
Mozilla Firefox (1.5.0.5)
Mozilla Thunderbird (0.8)
MSN Messenger 7.0
Nero - Burning Rom
Neuratron PhotoScore Lite Sibelius Plugin 1.61
NVIDIA Windows 95/98/ME Display Drivers
Outlook Express Q837009
Panda ActiveScan
PC Registry Cleaner 1.0
PCI Audio Applications
Polaroid Digital Cam
PowerDVD
QuickTime
Serif PhotoPlus 6.0
Sibelius v1.105
SiS 900 PCI Fast Ethernet Adapter Driver
Spybot - Search & Destroy 1.3
Sygate Personal Firewall
Symantec AntiVirus
The Proxomitron Ver. Naoko-4.1
Tweak UI
Uninstall Windows 98 Second Edition
Westell DSL Modem
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows 98 Q890175 Update
Windows Media Player system update (9 Series)
WinZip



Logfile of HijackThis v1.99.1
Scan saved at 3:36:20 PM, on 15-12-07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab

Cheers,

CB
Old 12-15-2007, 10:07 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Hi CB,

Let's see what Kaspersky's online scanner has to say. First, uninstall the Kaspersky Online Scanner via the Add/Remove programs.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Old 12-15-2007, 11:28 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Sorry Ried, when I go to the Kaspersky site and click on 'Kaspersky Online Scanner' nothing happens. Did you mean for me to download the free trial?

Cheers,

CB.
Old 12-15-2007, 05:22 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

No, do not download the free trial. Please check your ActiveX security settings (Start -> (Settings) -> Control Panel -> Internet Options, Security Tab -> Internet -> Custom Level).

ActiveX controls and plug-ins
  • Download signed ActiveX controls (Prompt)
  • Download unsigned ActiveX controls (Prompt)
  • Initialize and script ActiveX controls not marked as safe (Disable)
  • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
  • Script ActiveX controls marked safe for scripting (Prompt)
Go back to the Security tab
  • Ensure that default level of medium is in effect.
  • On the Advanced tab, ensure that "Reuse windows for launching shortcuts" is checked.
Old 12-16-2007, 02:35 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, I did as you instructed but still nothing happens when I click on 'Kaspersky Online Scanner'. Very curious indeed...

Could it be because I am only on Windows 98SE? Please excuse my ignorance I'm not good at all this :-(

Cheers,

CB.
Old 12-16-2007, 03:06 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

It's possible it's no longer compatible. Let's try another online scan at Panda again and see if anything different turns up.

Has Spybot detected and removed anything recently?
Old 12-17-2007, 03:47 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, it's true, Kaspersky now only works on Win 2000 and above...

Spybot did remove something the last time I ran it but I don't remember what it was. I just ran it again and it found 1 entry for TagASaurus and 1 for Omniture.

Panda Active scan didn't find anything new:


Incident | Status | Location
Potentially unwanted tool:application/regclean32 | Not disinfected | C:\WINDOWS\Application Data\Registry Cleaner
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\Desktop\SDFix.zip[SDFix/Process.exe]
Potentially unwanted tool:Application/Processor | Not disinfected | C:\DoctorWeb\Quarantine\Process.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\DoctorWeb\Quarantine\Process0.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\DoctorWeb\Quarantine\Process1.exe

Your help and persistence is much appreciated!

Cheers,

CB.
Old 12-17-2007, 09:47 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Hi CB,

Delete this folder, although it won't affect the issue at hand.

C:\WINDOWS\Application Data\Registry Cleaner

Also delete smitrem.exe and SDFix.exe


Do you recall installing any new software just before this issue surfaced? When did you install Proxomitron?
Old 12-18-2007, 06:50 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, I've deleted those items. I've been using the Proxomitron for a few years... And I haven't knowingly installed any new software.....

Cheers,

CB.
Old 12-18-2007, 10:17 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Has Spybot been set to lock the homepage?

Launch Spybot S&D. At the very top left, click 'Mode'>Advanced Mode

Click 'Tools'>'IE tweaks'

Is there a 'check' next to "Lock IE startpage setting against user changes"?


Quote:
occasionally when I key in a web address it goes somewhere completely different.
What web page shows up?
Old 12-21-2007, 07:15 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, I checked and Spybot is not set to lock the home page. Regarding the odd occurrence of pages, it happens infrequently but appears to be advertising pages. If it happens again I'll make a note of the address.

Without fail IE goes to:

http://www.keyitaly.com/property/188881/gallery/

whenever I fire it up.

Cheers,

CB.
Old 12-21-2007, 09:36 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Hi CB,

Sorry for the delay, we're a bit limited on tools with this being a 98 system.

Download MGTOOLS.zip to your desktop.

Extract the contents of MGTOOLS.zip to the root directory of drive C:\. This will create a folder named MGTOOLS in the root directory of Drive C.

Now please navigate to C:\MGTOOLS folder and locate the ShowNew.bat. Double click on it to run it, and copy/paste the results in your next reply.
Old 12-29-2007, 08:32 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, I'm sorry about the archaic operating system. I was hoping Santa might bring me a new laptop but he must have forgotten it! I'm now browsing the sales to try and get one myself. But I'd still like to get this PC 'clean'.....

Here is the result of shownew.bat:

******************************************************************************
* ShowNew.Bat - (c) 07/01/2006 By Chaslang *
* *
* 03/26/2007 Version 0.33 beta *
* - Fixed AllUsers to not be recursive - logs too big! *
******************************************************************************
* Most of the information reported below is not necessarily bad. You must *
* not take any steps on any of these lines without consulting an expert. *
******************************************************************************

Windows OS is

Windows 98 [Version 4.10.2222]

It's Sat December 29, 2007 03:30:42 PM

******************************************************************************
ShowNew installation folder and files

"C:\security\mgtools\MGTOOLS\"
chodefix.bat Feb 21 2007 5214 "chodefix.bat"
fixexp~1.bat Feb 24 2007 487 "FixExplorerPolicies.bat"
getrun~1.bat Feb 21 2007 55183 "GetRunKey.bat"
getunk~1.bat Aug 12 2006 1478 "GetUnKeys.bat"
grep.exe Apr 14 2003 80412 "grep.exe"
hideit.bat Mar 31 2007 1114 "HideIT.bat"
locate.com Jan 13 2005 11254 "locate.com"
ltime.exe Oct 28 1986 13184 "ltime.exe"
msconf~1.bat Feb 23 2007 578 "MSConfigFix.bat"
regedi~1.bat Mar 30 2007 650 "RegEditFix.bat"
showit.bat Mar 31 2007 1055 "ShowIT.bat"
shownew.bat Mar 26 2007 44194 "ShowNew.bat"
swreg.exe Feb 15 2007 139776 "swreg.exe"
system~1.bat Feb 28 2007 369 "SystemRestoreFix.bat"
taskmg~1.bat Feb 24 2007 288 "TaskMgrFix.bat"

15 items found: 15 files, 0 directories.
Total of file sizes: 355,236 bytes 346.91 K

******************************************************************************

System Environment Variables
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
PROMPT=$p$g
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
CLASSPATH=C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1
windir=C:\WINDOWS
BLASTER=A220 I5 D1
ERRCODE=0
CMDLINE=find "bytes free"

******************************************************************************

Showing any Pocket Killbox backup files

No matches found.

******************************************************************************

Not All Files Found are bad files: DO NOT TOUCH THEM WITHOUT EXPERT HELP!!!!
******************************************************************************

Recursively locating all files created in C:\Windows\Profiles within the last 60 days.

No matches found.
******************************************************************************

Locating all files created in C:\Program Files\ within the last 90 days.

"C:\Program Files\"
folder.htt Nov 13 2007 11079 "folder.htt"
desktop.ini Nov 13 2007 266 "desktop.ini"
ADVANC~1 Dec 7 2007 "Advanced Spyware Remover"

3 items found: 2 files (2 H/S), 1 directory.
Total of file sizes: 11,345 bytes 11.08 K
******************************************************************************

DeluxeCommunications Search (new form of SurfSideKick)
Locating all files created in C:\Program Files\DeluxeCommunications\ within the last 90 days.

No matches found.
******************************************************************************

WebHancer Search
Locating all files created in \em\ within the last 90 days.

No matches found.
******************************************************************************

Locating all files created in C:\Program Files\Common Files\ within the last 90 days.

No matches found.
******************************************************************************

Locating all files created in C:\Program Files\Common Files\Microsoft Shared\Web Folders within the last 120 days.

No matches found.
******************************************************************************

Locating all files in C:\Program Files\Common Files\RGGZS

No matches found.
******************************************************************************

Locating all files in C:\Program Files\Common Files\WANSO

No matches found.
******************************************************************************

Locating all files created in c:\ within the last 90 days.

"C:\"
suhdlog.dat Nov 13 2007 5166 "SUHDLOG.DAT"
detlog.txt Nov 13 2007 9128 "DETLOG.TXT"
scandisk.log Dec 29 2007 140813 "SCANDISK.LOG"
msdos.sys Nov 13 2007 1703 "MSDOS.SYS"
win386.swp Dec 29 2007 247463936 "WIN386.SWP"
bootlog.txt Nov 20 2007 95270 "BOOTLOG.TXT"
netlog.txt Nov 13 2007 10085 "NETLOG.TXT"
bootlog.prv Nov 19 2007 103045 "BOOTLOG.PRV"
balance.txt Nov 28 2007 2010 "balance.txt"
autoexec.bat Nov 13 2007 152 "AUTOEXEC.BAT"
menuli~1.doc Dec 17 2007 138752 "MENU LIST.doc"
x73_ds.bmp Nov 28 2007 70222 "X73_DS.bmp"
PHOTO~25 Dec 24 2007 "photos24Dec07"
ucanam~1.doc Dec 17 2007 47616 "UCA NAME.doc"
file0001.chk Nov 13 2007 262144 "FILE0001.CHK"
config.sys Nov 13 2007 241 "CONFIG.SYS"
setuplog.txt Nov 13 2007 150530 "SETUPLOG.TXT"
SYMANTEC Jun 19 2083 "symantec"
msdos.bak Nov 13 2007 1703 "MSDOS.BAK"
AVG Jun 19 2083 "avg"
system.1st Nov 13 2007 8015904 "SYSTEM.1ST"
christ~3.doc Dec 11 2007 25088 "christmas card list.doc"
birthday.doc Oct 23 2007 23552 "Birthday.doc"
newfiles.txt Dec 29 2007 5503 "newfiles.txt"
w98undo.dat Nov 13 2007 186939635 "W98UNDO.DAT"
w98undo.ini Nov 13 2007 393430 "W98UNDO.INI"
birthd~2.doc Oct 23 2007 22016 "Birthday Final Amounts.doc"

27 items found: 24 files (10 H/S), 3 directories.
Total of file sizes: 443,927,644 bytes 423.36 M
******************************************************************************

Locating all files created in C:\WINDOWS\Downloaded Program Files\ within the last 90 days.

No matches found.
******************************************************************************

Locating all files created in C:\WINDOWS\Command within the last 90 days.

No matches found.
******************************************************************************

Locating .EXE files created in C:\WINDOWS within the last 360 days.

"C:\WINDOWS\"
setver.exe Nov 13 2007 18939 "SETVER.EXE"

1 item found: 1 file, 0 directories.
Total of file sizes: 18,939 bytes 18.49 K
******************************************************************************

Locating .EXE files created in C:\WINDOWS\system within the last 90 days.

No matches found.
******************************************************************************

Locating .DLL files created in C:\WINDOWS within the last 360 days.

"C:\WINDOWS\"
winsock.dll Nov 13 2007 21504 "WINSOCK.DLL"
pidgen.dll Nov 13 2007 27616 "PIDGEN.DLL"
hidci.dll Nov 13 2007 3216 "HIDCI.DLL"

3 items found: 3 files, 0 directories.
Total of file sizes: 52,336 bytes 51.11 K
******************************************************************************

Locating .DLL files created in C:\WINDOWS\System within the last 90 days.

"C:\WINDOWS\SYSTEM\"
netapi.dll Nov 13 2007 106704 "NETAPI.DLL"
dindi.dll Nov 13 2007 26848 "DINDI.DLL"
issetup.dll Nov 13 2007 12864 "ISSETUP.DLL"
commctrl.dll Nov 13 2007 155136 "COMMCTRL.DLL"
mstcp.dll Nov 13 2007 39568 "MSTCP.DLL"
dlcndi.dll Nov 13 2007 2490 "DLCNDI.DLL"
infrared.dll Nov 13 2007 70144 "INFRARED.DLL"
ndswan16.dll Nov 13 2007 1728 "NDSWAN16.DLL"
netos.dll Nov 13 2007 27680 "NETOS.DLL"
nwnds.dll Nov 13 2007 7408 "NWNDS.DLL"
pppndi.dll Nov 13 2007 2160 "PPPNDI.DLL"
rnasetup.dll Nov 13 2007 8608 "RNASETUP.DLL"
odfox32.dll Nov 13 2007 24576 "ODFOX32.DLL"
odexl32.dll Nov 13 2007 24576 "ODEXL32.DLL"
cfgwiz.dll Nov 13 2007 2544 "CFGWIZ.DLL"
lzexpand.dll Nov 13 2007 23696 "LZEXPAND.DLL"
netdi.dll Nov 13 2007 317872 "NETDI.DLL"
odtext32.dll Nov 13 2007 24576 "ODTEXT32.DLL"
wsock32.dll Nov 13 2007 40960 "WSOCK32.DLL"
vbajet32.dll Nov 13 2007 40960 "VBAJET32.DLL"
oddbse32.dll Nov 13 2007 24576 "ODDBSE32.DLL"
dskmaint.dll Nov 13 2007 215056 "DSKMAINT.DLL"
ksuser.dll Nov 13 2007 4096 "KSUSER.DLL"
msprint.dll Nov 13 2007 86368 "MSPRINT.DLL"
sysdetmg.dll Nov 13 2007 328992 "SYSDETMG.DLL"
hidci.dll Nov 13 2007 3216 "HIDCI.DLL"

26 items found: 26 files, 0 directories.
Total of file sizes: 1,623,402 bytes 1.55 M
******************************************************************************

Locating .EXE files created in C:\WINDOWS\system32 within the last 90 days.

No matches found.
******************************************************************************

Locating .DLL files created in C:\WINDOWS\System32 within the last 90 days.

No matches found.
******************************************************************************

Locating all files in C:\WINDOWS\System\com - used by the W32.Pagipef worm
*** BE CAREFUL ---- Not all files in this folder are bad ***

No matches found.
******************************************************************************

Locating all files created in C:\WINDOWS\System\drivers within the last 90 days.

No matches found.
******************************************************************************

Locating .SYS files created in C:\WINDOWS\System within the last 90 days.

No matches found.
******************************************************************************

Locating .BAK* files created in C:\WINDOWS\System32 within the last 90 days.

No matches found.
******************************************************************************

Locating .TMP files created in C:\WINDOWS\System within the last 90 days.

No matches found.
******************************************************************************

Locating .INI files created in C:\WINDOWS\System within the last 90 days.

"C:\WINDOWS\SYSTEM\"
desktop.ini Nov 13 2007 266 "desktop.ini"

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 266 bytes 0.26 K
******************************************************************************

Locating .DAT files created in C:\WINDOWS\System32 within the last 90 days.

No matches found.
******************************************************************************

Locating all files created in C:\WINDOWS\System\components within the last 90 days.
This folder is sometimes used by Trojan.FakeAlert.CX aka SmitFraud

No matches found.
******************************************************************************

Locating C:\WINDOWS\TEMP files created within the last 90 days.

"C:\WINDOWS\Temp\"
viewal~1.jpg Dec 4 2007 2700 "viewAllComments.jpg"
fla1040.tmp Dec 5 2007 0 "fla1040.TMP"
fla1123.tmp Dec 5 2007 0 "fla1123.TMP"
fla3282.tmp Dec 5 2007 0 "fla3282.TMP"
h2r00d4.tmp Dec 9 2007 0 "h2r00D4.TMP"
~df2738.tmp Dec 8 2007 3072 "~DF2738.TMP"
ADOBE Dec 5 2007 "Adobe"
ASHEUR~1 Dec 7 2007 "ASHeuristic"
cueawiqu.lnk Dec 11 2007 0 "cueawiqu.lnk"
h2r6161.tmp Dec 11 2007 0 "h2r6161.TMP"
PLUGTM~1 Dec 11 2007 "plugtmp-1"
h2r81d0.tmp Dec 11 2007 0 "h2r81D0.TMP"
PLUGTM~2 Dec 12 2007 "plugtmp-2"
fla13b1.tmp Dec 12 2007 0 "fla13B1.TMP"
h2r7024.tmp Dec 12 2007 0 "h2r7024.TMP"
flaa186.tmp Dec 14 2007 0 "flaA186.TMP"
flaa114.tmp Dec 25 2007 0 "flaA114.TMP"
h2rb2a3.tmp Dec 17 2007 0 "h2rB2A3.TMP"
h2rb2a5.tmp Dec 17 2007 0 "h2rB2A5.TMP"

19 items found: 15 files, 4 directories.
Total of file sizes: 5,772 bytes 5.64 K
******************************************************************************

Locating .COM files in the C:\WINDOWS\System folder

"C:\WINDOWS\SYSTEM\"
locate.com Jan 13 2005 11254 "locate.com"

1 item found: 1 file, 0 directories.
Total of file sizes: 11,254 bytes 10.99 K
******************************************************************************

Checking for .COM files to Delete. They will only print if deleted!

******************************************************************************

Dumping HKLM Uninstall Programs list

"DisplayName"="7-Zip 4.32"
"DisplayName"="AceFTP 3 Freeware"
"DisplayName"="Ad-aware 6 Personal"
"DisplayName"="Adobe Acrobat 4.0, 5.0"
"DisplayName"="Adobe Download Manager 1.2 (Remove Only)"
"DisplayName"="Adobe PhotoDeluxe Home Edition 3.1"
"DisplayName"="Adobe Reader 6.0.1"
"DisplayName"="Adobe Type Manager"
"DisplayName"="ArcSoft VideoImpression 1.6"
"DisplayName"="Atomic Clock Sync"
"DisplayName"="BCWipe 2.0"
"DisplayName"="BT Openworld"
"DisplayName"="BTO Connect PAYG Dialler Manager 3.3"
"DisplayName"="ClearSkinFX for Digital Cameras"
"DisplayName"="Cryptainer LE"
"DisplayName"="DAEMON Tools"
"DisplayName"="Delete Windows 98 Second Edition uninstall information"
"DisplayName"="Digital Camera Enhancer 1.3"
"DisplayName"="DP Editor Ver.1.0"
"DisplayName"="Evidence Eliminator"
"DisplayName"="Exif Launcher Ver.1.1"
"DisplayName"="exPressIT 5"
"DisplayName"="FilterSIM for Digital Cameras"
"DisplayName"="Find... On the Internet"
"DisplayName"="FinePixViewer Ver.1.1"
"DisplayName"="HijackThis 1.99.1"
"DisplayName"="Hitware Popup Killer Lite 3.0.1.12"
"DisplayName"="HSP56 MR Drivers"
"DisplayName"="IBM Infoprint Color 8 Software"
"DisplayName"="IDcide Privacy Companion"
"DisplayName"="InCD (ahead software)"
"DisplayName"="IrfanView (remove only)"
"DisplayName"="Kai's Power SHOW"
"DisplayName"="KeyMaestro Multimedia Driver V1.02.00"
"DisplayName"="Lexmark X73"
"DisplayName"="LiveUpdate 2.0 (Symantec Corporation)"
"DisplayName"="Macromedia Dreamweaver 4"
"DisplayName"="Macromedia Flash Player 8"
"DisplayName"="MGI PhotoSuite 8.1 (Remove Only)"
"DisplayName"="Microsoft .NET Framework 1.1"
"DisplayName"="Microsoft .NET Framework 1.1"
"DisplayName"="Microsoft Data Access Components KB870669"
"DisplayName"="Microsoft Internet Explorer 6 SP1 and Internet Tools"
"DisplayName"="Microsoft Office 97, Professional Edition"
"DisplayName"="Microsoft Outlook Express 6"
"DisplayName"="Microsoft Publisher 2000 SR-1"
"DisplayName"="Microsoft VGX Q833989"
"DisplayName"="Microsoft Windows Critical Update Notification"
"DisplayName"="Mozilla Firefox (1.5.0.5)"
"DisplayName"="Mozilla Thunderbird (0.8)"
"DisplayName"="MSN Messenger 7.0"
"DisplayName"="Nero - Burning Rom"
"DisplayName"="NetMeeting 3.0"
"DisplayName"="Neuratron PhotoScore Lite Sibelius Plugin 1.61"
"DisplayName"="NVIDIA Windows 95/98/ME Display Drivers"
"DisplayName"="Outlook Express Q837009"
"DisplayName"="Panda ActiveScan"
"DisplayName"="PC Registry Cleaner 1.0"
"DisplayName"="PCI Audio Applications"
"DisplayName"="Polaroid Digital Cam"
"DisplayName"="PowerDVD"
"DisplayName"="QuickTime"
"DisplayName"="Serif PhotoPlus 6.0"
"DisplayName"="Sibelius v1.105"
"DisplayName"="SiS 900 PCI Fast Ethernet Adapter Driver"
"DisplayName"="Spybot - Search & Destroy 1.3"
"DisplayName"="Sygate Personal Firewall"
"DisplayName"="Symantec AntiVirus"
"DisplayName"="The Proxomitron Ver. Naoko-4.1"
"DisplayName"="Tweak UI"
"DisplayName"="Uninstall Windows 98 Second Edition"
"DisplayName"="Westell DSL Modem"
"DisplayName"="Windows 98 KB891711 Update"
"DisplayName"="Windows 98 KB896358 Update"
"DisplayName"="Windows 98 Q823559 Update"
"DisplayName"="Windows 98 Q840315 Update"
"DisplayName"="Windows 98 Q888113 Update"
"DisplayName"="Windows 98 Q890175 Update"
"DisplayName"="Windows Media Player system update (9 Series)"
"DisplayName"="WinZip"
******************************************************************************

Cheers,

CB.
Countryboy is offline  
Old 12-29-2007, 08:24 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Quote:
I'm sorry about the archaic operating system. I was hoping Santa might bring me a new laptop but he must have forgotten it! I'm now browsing the sales to try and get one myself. But I'd still like to get this PC 'clean'.....
Of course I'll keep plugging away at this for you.

This is what I'd like you to do:

1. Right click on this link http://www.mvps.org/winhelp2002/DelDomains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

2. Clear your Temp and Temporary Internet Files: Go to Start > Run and type cleanmgr in the box to launch the Windows Disk Cleanup Utility.

Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files are 'checked' and click OK.

-----------------------------------------------------

Launch Internet Explorer > Tools > Internet Options

Click the Programs tab, then click 'Reset Web Settings'. Click Apply and OK.

Close IE and re-open it. Can you now reset the home page and have it 'stick'?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-31-2007, 05:11 AM   #17 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, I appreciate your perseverance ;-)

I followed your instructions but to no avail, I'm afraid it still goes directly to: http://www.keyitaly.com/property/188881/gallery/

Regards,

CB.
Countryboy is offline  
Old 12-31-2007, 11:09 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

This doesn't make sense, that appears to be a legit site. I need a bit more info from you--are you able to change the homepage, or is that button grayed out?

Do you actually change it to something else first, via the Internet Options, click Apply, and then the next time you reload IE it reverts back?
Ried is offline  
Old 01-02-2008, 06:16 AM   #19 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Re: IE browser hijacked - home page problem

Hi Ried, it certainly is curious!

I am able to type in a new home page e.g. www.google.com and have it 'stick' when I click on Apply but when I open an IE window it always comes up with that keyitaly page. If I then open Tools > Internet Options the homepage entry is still www.google.com but the page displayed is the keyitaly one...

It used to behave normally but then this started happening. I'm (almost!) sure I didn't change anything....

Cheers,

CB.
Countryboy is offline  
Old 01-02-2008, 09:20 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,527
OS: WinXP and Vista


Re: IE browser hijacked - home page problem

Please download SilentRunners.vbs (299kb) - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts




Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.




Download StartDreck (397kb)

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following box only:
List Modules - (listed under 'Running Proceses')
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)



Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.


Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post that log here as well.
Ried is offline  
All times are GMT -7. The time now is 08:50 PM.



Copyright 2001 - 2009, Tech Support Forum