07.23.2004 at 06:25AM PDT, ID: 21069043
IE has been hijacked to D:\WINDOWS\secure.html - can't delete offending registers with Spybot S&D

Asked by ddemakes in Networking Security Vulnerabilities

Hi,
I have a tenacious little virus, bot, spy, worm, malware, ad thing that won't go away.  The symptom is that I can't change IE to start with any other URL but D:\WINDOWS\secure.html.  

I ran Ad-Aware 6.0 and got no hits.

I ran Spybot S&D 1.3 and got:
Error During Check!
XABOT (Ungültiger Datentyp für ")

and 5 DSO Exploits.

I tried to fix the DSO Exploits and they would come back every time I scanned with Spybot S&D.  I read that this was a bug and that I should either adjust Spybot to ignore the DSOs in the security tab or fake the registry so Spybot doesn't see them.  I chose to let Spybot ignore them since I didn't want to deal with regedit.  

I ran Hijack This 1.97.7 in normal mode, the R0s and R1s you see in the log file below did not delete, and IE booted with D:\WINDOWS\secure.html as its startup page.

When I ran HJT in safe mode, the R0s and R1s did delete, and IE booted with www.yahoo.com as its startup page.

But as soon as I rebooted in normal mode, the R0s and R1s reappeared.

BTW, I have Windows 98 (factory-loaded from Sony on a VAIO) on the C volume and boot from D using XP.

I am very frustrated and just want to get rid of this nasty bug.  Please find my HJT log below.  Can someone help me please?
Thanks,
Darrell


Logfile of HijackThis v1.97.7
Scan saved at 11:07:45 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WLANSTA.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\The Weather Channel\The Weather Channel.exe
D:\Program Files\Express ClickYes\ClickYes.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\smtaqmn.exe
D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
D:\Program Files\Handspring\GoSync.exe
D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
D:\Program Files\Handspring\HOTSYNC.EXE
D:\Documents and Settings\Darrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69FA6A0B-E130-2CB0-8727-60550FA27A3E} - D:\WINDOWS\System32\ygkst.dll
O2 - BHO: (no name) - {9CB29894-AA3C-4262-8CB3-29C3BBBC3A07} - D:\WINDOWS\1090380940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System32] D:\WINDOWS\system.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] D:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Express ClickYes] D:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
O4 - HKCU\..\Run: [Bbzd] D:\WINDOWS\System32\smtaqmn.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "D:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
O4 - Global Startup: ItsDeductiblePopUp.lnk = D:\Program Files\ItsDeductible\ItsDeductible.exe
O4 - Global Startup: eNetBot Mail.lnk = D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\Quicken\billmind.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: GoSync v1.0.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
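The pattern Darrell describes (R0/R1 entries that stay deleted after a safe-mode HijackThis run but return after a normal boot) is what a startup item restoring the values looks like, so the O4 Run entries and O2 BHOs are where a defender looks before clearing the start page again. Below is a triage script for the log above, added here as an example; it is not part of the question and not a HijackThis feature. It parses the R0/R1, O2 and O4 lines and flags three patterns: a Start Page, Default_Page_URL or Local Page that points at a local file instead of a URL; an unnamed BHO loaded from the Windows or System32 directory; and a Run entry whose binary is a bare filename, sits directly in the Windows directory, or runs from a user profile directory. The sample input reuses lines from the posted log plus one constructed benign Start Page line (the yahoo.com one); the rule names, thresholds and the `Finding` type are my own.

```python
"""Triage a HijackThis log for IE start-page hijack indicators.

Added example for this thread; not part of the question and not a HijackThis
feature. Every rule here is a heuristic: a hit is a lead for manual review,
not a verdict on the file.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines from the HijackThis log posted in the question, plus a constructed
# benign Start Page line (the yahoo.com one) so the rules have a negative case.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69FA6A0B-E130-2CB0-8727-60550FA27A3E} - D:\WINDOWS\System32\ygkst.dll
O2 - BHO: (no name) - {9CB29894-AA3C-4262-8CB3-29C3BBBC3A07} - D:\WINDOWS\1090380940.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [System32] D:\WINDOWS\system.exe
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
O4 - HKCU\..\Run: [Bbzd] D:\WINDOWS\System32\smtaqmn.exe
"""

R_LINE = re.compile(
    r"^(R[01]) - (HK\w+)\\Software\\Microsoft\\Internet Explorer\\Main,([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# First token of a Run value: the executable path, quoted or not, before any arguments.
EXE_PATH = re.compile(r'^"?(.+?\.(?:exe|dll))"?(?:\s|$)', re.IGNORECASE)
# A drive-letter path or file: URL where a web URL is expected.
LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:\\|file:)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # R0, R1, O2 or O4
    reason: str
    line: str


def _parent_dir(path: str) -> str:
    p = path.lower()
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def _odd_run_location(path: str) -> Optional[str]:
    """Why a Run-key binary's location deserves a look, or None if it looks ordinary."""
    p = path.lower()
    parent = _parent_dir(path)
    if parent == "":
        return "bare filename, resolved through PATH at boot"
    if parent.endswith("\\windows"):
        return "binary sits directly in the Windows directory"
    if "\\application data\\" in p or "\\local settings\\" in p or "\\temp\\" in p:
        return "binary runs from a user profile directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match a hijack heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            section, _hive, key, value = m.groups()
            key = key.strip()
            if key in ("Start Page", "Default_Page_URL") and LOCAL_PATH.match(value):
                findings.append(Finding(section, f"{key} points at a local file, not a URL", line))
            elif key == "Local Page" and LOCAL_PATH.match(value) \
                    and not value.lower().endswith("\\blank.htm"):
                findings.append(Finding(section, "Local Page replaced (default is system32\\blank.htm)", line))
            continue
        m = O2_LINE.match(line)
        if m:
            name, _clsid, path = m.groups()
            parent = _parent_dir(path)
            if name == "(no name)" and (parent.endswith("\\windows") or parent.endswith("\\system32")):
                findings.append(Finding("O2", "unnamed BHO loaded from a system directory", line))
            continue
        m = O4_LINE.match(line)
        if m:
            _hive, _entry, value = m.groups()
            pm = EXE_PATH.match(value)
            path = pm.group(1) if pm else value
            reason = _odd_run_location(path)
            if reason:
                findings.append(Finding("O4", reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the three secure.html entries, the two BHOs under D:\WINDOWS and System32, and the Run entries for system.exe and oosp.exe, while the yahoo.com, Acrobat and RealPlayer lines pass. Note what the rules do not catch: smtaqmn.exe passes because it lives in System32 like hundreds of legitimate files, and some vendor components install directly into the Windows directory and would be flagged. Treat the output as a shortlist to cross-check against the "Running processes" section of the same log and the file's publisher before removing anything.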
Accepted solution: 07.23.2004 at 06:28AM PDT, ID: 11621087

About this solution

Zone: Networking Security Vulnerabilities
Solution Provided By: sunray_2003
Participating Experts: 3
Solution Grade: A
 
 
Further comments in this thread:

Expert Comment, 07.23.2004 at 06:30AM PDT, ID: 11621095
Author Comment, 07.23.2004 at 06:47AM PDT, ID: 11621274
Expert Comment, 07.23.2004 at 06:49AM PDT, ID: 11621285
Author Comment, 07.23.2004 at 07:59AM PDT, ID: 11622046
Expert Comment, 07.23.2004 at 08:11AM PDT, ID: 11622196
Author Comment, 07.23.2004 at 08:28AM PDT, ID: 11622377
Expert Comment, 07.23.2004 at 09:20AM PDT, ID: 11622933
Assisted Solution, 07.26.2004 at 01:08PM PDT, ID: 11641108
Administrative Comment, 09.09.2004 at 09:58AM PDT, ID: 12018855
Administrative Comment, 09.13.2004 at 06:07PM PDT, ID: 12050347