#1
Registered User
Join Date: Apr 2007
Posts: 9
OS: Win2K
Internet Explorer Start Page Hijacked...
Thanks in advance for reviewing this post.
Can someone please take a look at my log and let me know if I should remove all of the registry entries HT recommends be deleted.

Logfile of HijackThis v1.99.1
Scan saved at 4:21:40 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173141610656
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{B90BC071-7F85-4154-9A0B-05A3578F2485}: NameServer = 85.255.114.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CS3\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#2
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Internet Explorer Start Page Hijacked...
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please be patient with me during this time.
#3
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Internet Explorer Start Page Hijacked...
Hello and welcome to TSF
Please follow all instructions in the order in which they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear: you are infected, so I'll need you to follow all instructions until you're clean.

------------------------------------------------------------------------

Download

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads, post the text that will open (report.txt) into your next post.

-----------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.

------------------------------------------------------------------------

Logs Required
report.txt (from FixWareOut Tool)
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt <--- Attached

Also let us know how your system is behaving, thanks.
#4
Registered User
Join Date: Apr 2007
Posts: 9
OS: Win2K
Re: Internet Explorer Start Page Hijacked...
Thanks very much TheBruce1
Deckard's System Scanner v20070611.50
Run by raphajm on 2007-06-28 at 23:39:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 4 Restore Point(s) --
4: 2007-06-29 04:39:36 UTC - RP800 - Deckard's System Scanner Restore Point
3: 2007-06-28 21:26:05 UTC - RP799 - System Checkpoint
2: 2007-06-27 20:27:29 UTC - RP798 - Software Distribution Service 3.0
1: 2007-06-27 18:28:54 UTC - RP797 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as raphajm.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:40:24 PM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\raphajm.SMITHDELL\My Documents\dss.exe
C:\PROGRA~1\HIJACK~1\raphajm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173141610656
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{B90BC071-7F85-4154-9A0B-05A3578F2485}: NameServer = 85.255.114.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CS3\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070627-160805-145 O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
backup-20070627-160805-842 O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
backup-20070627-181028-186 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070627-181028-361 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
backup-20070627-181028-394 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070627-181028-966 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
S2 ZPMODEMSYSNTDRVNT - c:\windows\system32\drivers\zpmodemnt.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Files created between 2007-05-28 and 2007-06-28 -----------------------------

2007-06-28 23:32:25 7820 --a------ C:\dnsbak.reg
2007-06-28 14:48:13 0 d-------- C:\Documents and Settings\raphajm.SMITHDELL\Application Data\Macromedia
2007-06-27 20:18:09 0 d-------- C:\Documents and Settings\raphajm.SMITHDELL\Application Data\Thunderbird
2007-06-27 20:14:28 0 d-------- C:\Documents and Settings\raphajm.SMITHDELL\Application Data\Mozilla
2007-06-27 20:08:38 0 d-------- C:\Documents and Settings\raphajm.SMITHDELL\Application Data\Identities
2007-06-27 20:07:52 0 d--h----- C:\Documents and Settings\raphajm.SMITHDELL\Templates
2007-06-27 20:07:52 0 dr------- C:\Documents and Settings\raphajm.SMITHDELL\Start Menu
2007-06-27 20:07:52 0 dr-h----- C:\Documents and Settings\raphajm.SMITHDELL\SendTo
2007-06-27 20:07:52 0 dr-h----- C:\Documents and Settings\raphajm.SMITHDELL\Recent
2007-06-27 20:07:52 0 d--h----- C:\Documents and Settings\raphajm.SMITHDELL\PrintHood
2007-06-27 20:07:52 0 d--h----- C:\Documents and Settings\raphajm.SMITHDELL\NetHood
2007-06-27 20:07:52 0 dr------- C:\Documents and Settings\raphajm.SMITHDELL\My Documents
2007-06-27 20:07:52 0 d--h----- C:\Documents and Settings\raphajm.SMITHDELL\Local Settings <LOCALS~1>
2007-06-27 20:07:52 0 dr------- C:\Documents and Settings\raphajm.SMITHDELL\Favorites
2007-06-27 20:07:52 0 d-------- C:\Documents and Settings\raphajm.SMITHDELL\Desktop
2007-06-27 20:07:52 0 d--hs---- C:\Documents and Settings\raphajm.SMITHDELL\Cookies
2007-06-27 20:07:52 0 dr-h----- C:\Documents and Settings\raphajm.SMITHDELL\Application Data
2007-06-27 20:07:51 1048576 --ah----- C:\Documents and Settings\raphajm.SMITHDELL\NTUSER.DAT
2007-06-27 19:11:41 0 d---s---- C:\Documents and Settings\raphajm.SMITHDELL\UserData
2007-06-27 18:53:48 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-06-27 15:32:51 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-27 15:17:27 0 d-------- C:\Program Files\SpywareBlaster
2007-06-27 14:49:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

-- Find3M Report ---------------------------------------------------------------

2007-06-27 16:08:47 0 d-------- C:\Program Files\Google
2007-06-27 14:26:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-27 14:24:55 0 d-------- C:\Program Files\Symantec

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec Network Driver Update Warning"="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDWarn.EXE"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpusave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpusave"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\cpusave.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmrya.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dmrya"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dmrya.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb08"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Activation"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="cpusave"
"hkey"="HKCU"
"command"="c:\\windows\\system32\\cpusave.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swdoctor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="STOPzilla"
"hkey"="HKLM"
"command"="C:\\Program Files\\STOPzilla!\\STOPzilla.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

-- End of Deckard's System Scanner: finished at 2007-06-28 at 23:40:47 ---------
#5
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Internet Explorer Start Page Hijacked...
Hello again
Please follow all instructions in the order in which they come; if you have any questions, please ask before proceeding. Only attach to posts when asked to do so.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

O17 - HKLM\System\CCS\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{B90BC071-7F85-4154-9A0B-05A3578F2485}: NameServer = 85.255.114.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CS3\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75

------------------------------------------------------

Reg Fix

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Open notepad and copy/paste the text in the quotebox below (don't forget to copy and paste REGEDIT4):

Quote:

It should look like this:

Double click on the Fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-------------------------------------------------------

If you do not intend keeping Norton then run the Norton Removal Tool before beginning the next part of the fix.

----------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. Please download and install this excellent and FREE anti-virus program: please download Active Virus Shield (powered by Kaspersky) and save it to your desktop.

-----------------------------------------------------------------

No Firewall Onboard

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

-----------------------------------------------------------------

Please run Deckard's System Scanner once again.

-----------------------------------------------------------------

Log Required
AOL Active Virus Shield Log
C:\Deckard\System Scanner\main.txt

Let us know how your system is behaving, thanks.
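The four O17 lines above are the thread's core finding: every network interface, in the current control set and in the backup control sets CS1 and CS3, has been pointed at the same outside resolver. As an added example (not code from the thread, from HijackThis or from DSS), this Python script parses O17 lines in the format HijackThis v1.99 writes, flags resolvers outside a trusted set, and reports whether a single rogue server has been written across control sets; the trusted ranges, the fifth interface GUID and the Domain line in the sample are constructed for illustration.

```python
"""Flag DNS-hijack style O17 entries in a HijackThis log.

Added example; not code from the thread, from HijackThis or from DSS.
Assumes the O17 line format HijackThis v1.99 writes (as in the logs posted
above). The trusted ranges and the last two sample lines are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample. The first four lines mirror the entries the moderator
# asked to be fixed; the fifth interface and the Domain line are invented to
# show a clean entry and a non-NameServer entry.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{B90BC071-7F85-4154-9A0B-05A3578F2485}: NameServer = 85.255.114.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CS3\Services\Tcpip\..\{48D65D9A-EE32-4E43-9254-8CC51A70A258}: NameServer = 85.255.114.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1,192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.internal
"""

# One O17 line: 'cs' is the control set (CCS, CS1, CS3 ...) and 'sub' is
# either '..\{interface GUID}' or 'Parameters' (the machine-wide key).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<sub>[^:]+): "
    r"(?P<name>\w+) = (?P<value>.*)$"
)
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}")

# Resolvers a home PC legitimately points at: the router (RFC 1918 space) or
# a local resolver. Real ISP resolver addresses would be appended here.
TRUSTED_RESOLVERS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class O17Entry:
    control_set: str  # CCS, CS1, CS3 ...
    subkey: str       # interface GUID (upper-cased) or 'Parameters'
    name: str         # NameServer, Domain, SearchList ...
    value: str


def parse_o17(log_text: str):
    """Pull every O17 entry out of a HijackThis log; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        guid = GUID_RE.search(m["sub"])
        subkey = guid.group(1).upper() if guid else m["sub"]
        entries.append(O17Entry(m["cs"], subkey, m["name"], m["value"].strip()))
    return entries


def untrusted_servers(value: str):
    """Resolver addresses in a NameServer value that fall outside the trusted
    set. Windows separates servers with ',' or spaces; a token that is not a
    parseable IP is reported too, since NameServer must hold addresses."""
    bad = []
    for token in re.split(r"[,\s]+", value):
        if not token:
            continue
        try:
            addr = ip_address(token)
        except ValueError:
            bad.append(token)
            continue
        if not any(addr in net for net in TRUSTED_RESOLVERS):
            bad.append(token)
    return bad


def assess(log_text: str):
    """Summarise what the O17 entries say about the machine's DNS.

    One untrusted resolver written into every interface and into the backup
    control sets (CS1, CS3) as well as CCS is the shape of a deliberate,
    persistent hijack rather than a mistyped setting: it survives a boot into
    another control set, which is why the fix above lists all four entries."""
    entries = parse_o17(log_text)
    hits = [(e, untrusted_servers(e.value)) for e in entries if e.name == "NameServer"]
    hits = [(e, bad) for e, bad in hits if bad]
    rogue = sorted({ip for _, bad in hits for ip in bad})
    control_sets = sorted({e.control_set for e, _ in hits})
    return {
        "entries": len(entries),
        "rogue_resolvers": rogue,
        "control_sets_hit": control_sets,
        "interfaces_hit": sorted({e.subkey for e, _ in hits}),
        "persistent_hijack": len(rogue) == 1 and len(control_sets) > 1,
    }
```

Run `assess(open("hijackthis.log").read())` against a real log; a non-empty `rogue_resolvers` list with `persistent_hijack` set is the pattern this thread's log shows.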
#6
Registered User
Join Date: Apr 2007
Posts: 9
OS: Win2K
Re: Internet Explorer Start Page Hijacked...
TheBruce1 - OK. I have complied with all of your recommendations. Please note the following in your review. There are 2 disk drives on this Dell Dimension 4550 computer that were both scanned by AOL Active Virus Shield: the existing C drive and the temporarily installed F drive, from which mail and documents were copied to this replacement computer. I will remove the F drive next week when I install an additional 512MB of memory on this slow-running 256 MB Dell Dimension 4550. If the computer is still as slow to launch applications when it has 3/4 GB of memory, then I will be at a loss as to what else can be done with this 5-year-old technology that really has no upgrade path beyond adding more memory.

The Firewall that comes with Windows XP seems adequate to me. If you advise against it, should I replace it with ZoneAlarm? It looks like the system is clean now. Thanks very much to you for the time spent analyzing it and confirming the recommended fixes. Let me know if you discover anything else. Again, many thanks to you TheBruce1, I am very grateful for your efforts and TechSupportForum.com.
#7
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Internet Explorer Start Page Hijacked...
Hello again,
Quote:
You really need a minimum of 512 RAM for XP. As to your other question, you may want to visit our Windows XP Forum.

-----------------------------------------------------------------------

You still have files in the Norton Quarantine folder; see Here on how to remove those files. The quarantine folder can be found at C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine; delete the Symantec folder afterwards.

-----------------------------------------------------------------------

Reg Fix

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Open notepad and copy/paste the text in the quotebox below (don't forget to copy and paste REGEDIT4):

Quote:

It should look like this:

Double click on the Fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-------------------------------------------------------------

Well done, your logs are clean.

Clear IE7 cookies
* On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
* On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
* Click OK, and then click OK again.

-------------------------------------------------------------------------------------------

To turn off System Restore, click Start > Right Click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply, and then OK. This will create a new Restore Point.

-------------------------------------

MICROSOFT UPDATES
1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

Download the McAfee Site Advisor--free. The folks there check out websites and, based on their findings, rate it as Safe, Unknown, Caution, Bad.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:
* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites. Note: Only compatible with Firefox 1.5 and higher.

Only install one of the above.

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer:
Firefox
Opera
Maxthon

------------------------------------------------------------------------------------------

Free Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm

AntiVirus Products
AOL Antivirus Shield (Powered by Kaspersky), do not install the security toolbar.
Avast!
AVG Antivirus
Antivir free
Bitdefender Free

Only install one firewall and one antivirus product.

-------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
AVG Antispyware Free
Ad-Aware
Spybot S&D

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
* Now navigate to C:\ie-spyad. Double click to open it.
* From within the folder, double-click install.bat
* Select Option #2 - Install the new IE-SPYAD list, by typing 2
* Then return to the main menu.
* Select option #4 - Add the old porn sites domain, by typing 4

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer.

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Also, please take a look at these well written articles:
PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, so we may mark it as resolved, thanks.
#8
Registered User
Join Date: Apr 2007
Posts: 9
OS: Win2K
Re: Internet Explorer Start Page Hijacked...
TheBruce1: Wow - what a wealth of good information you have provided. I have followed your latest instructions and have installed an extra 512MB of memory and the ZoneAlarm Firewall. I am pleased that the logs indicate malware-free and that the system restore point is now at a good place. All of this preventative maintenance gives one great comfort and I will consider a donation when my circumstances suggest it. Again, thank you for all of your help. You have been great and the service you have provided has been invaluable. Best of luck and good fortune to you.