Question

IE has been hijacked to D:\WINDOWS\secure.html - can't delete offending registers with Spybot S&D

Asked by: ddemakes

Hi,
I have a tenacious little virus, bot, spy, worm, malware, ad thing that won't go away.  The symptom is that I can't change IE to start with any other URL but D:\WINDOWS\secure.html.  

I ran Ad-Aware 6.0 and got no hits.

I ran Spybot S&D 1.3 and got:
Error During Check!
XABOT (Ungultiger Datentyp fur ")

and 5 DSO Exploits.

I tried to fix the DSO Exploits and they would come back everytime I scanned with Spybot S&D.  I read that this was a bug and that I should either adjust Spybot to ignore the DSOs in the security tab or fake the registry so Spybot doesn't see them.  I chose to let Spybot ignore them since I didn't want to deal with regedit.  

I ran Hijack This 1.97.7  in normal mode, the ROs and R1s you see in the log file below did not delete, and IE booted with D:\WINDOWS\secure.html as it's startup page.

When I ran HJT in safe mode, the ROs and R1s did delete, and IE booted with www.yahoo.com as it's startup page.

But as soon as I rebooted in normal mode, the R0s and R1s reappeared.

BTW, I have Windows 98 (factory-loaded from Sony on a VAIO) on the C volume and boot from D using XP.

I am very frustrated and just want to get rid of this nasty bug.  Please find my HTJ log below.  Can someone help me please?Thanks,
Darrell


Logfile of HijackThis v1.97.7
Scan saved at 11:07:45 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WLANSTA.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\The Weather Channel\The Weather Channel.exe
D:\Program Files\Express ClickYes\ClickYes.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\smtaqmn.exe
D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
D:\Program Files\Handspring\GoSync.exe
D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
D:\Program Files\Handspring\HOTSYNC.EXE
D:\Documents and Settings\Darrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69FA6A0B-E130-2CB0-8727-60550FA27A3E} - D:\WINDOWS\System32\ygkst.dll
O2 - BHO: (no name) - {9CB29894-AA3C-4262-8CB3-29C3BBBC3A07} - D:\WINDOWS\1090380940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System32] D:\WINDOWS\system.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] D:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Express ClickYes] D:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
O4 - HKCU\..\Run: [Bbzd] D:\WINDOWS\System32\smtaqmn.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "D:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
O4 - Global Startup: ItsDeductiblePopUp.lnk = D:\Program Files\ItsDeductible\ItsDeductible.exe
O4 - Global Startup: eNetBot Mail.lnk = D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\Quicken\billmind.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: GoSync v1.0.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2004-07-23 at 06:25:45ID21069043
Topic

Networking Security Vulnerabilities

Participating Experts
3
Points
500
Comments
11

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. hijack this
    can anyone give me any tips on the results of running hijack this , heres the list Logfile of HijackThis v1.97.7 Scan saved at 11:08:28 AM, on 4/21/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:...
  2. help with hijackthis
    hi - i am trying to clean a friends computer, because she wasnt able to log onto the internet anymore. her puter was completely overcome with spyware, adware, trojans. i have run adaware, spybot, shredder and it found hundreds. can someone please look at this log and tell me...
  3. Browser Hijacked! Help
    I have tried Ad-Aware, CWShredder, Spybot, Hijack this!, Updated Windows and Norton. It always seems to come back. Here is the log from Hijack This Logfile of HijackThis v1.97.7 Scan saved at 12:56:13 PM, on 7/19/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSI...
  4. Browser Hijacker
    Logfile of HijackThis v1.97.7 Scan saved at 12:26:41 PM, on 10/12/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\s...
  5. Hijack this and spybot
    Hi, Recently had a trojan virus on my system, im running windows xp. My virus scan detected it and deleted it but it keeps coming back. Ive run Hijack this, deleted the lines connected to the virus, and they keep coming back. Ran Spybot and the same happens i just cant shift...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: sunray_2003Posted on 2004-07-23 at 06:28:38ID: 11621087

have you attempted to remove these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html

O2 - BHO: (no name) - {69FA6A0B-E130-2CB0-8727-60550FA27A3E} - D:\WINDOWS\System32\ygkst.dll
O2 - BHO: (no name) - {9CB29894-AA3C-4262-8CB3-29C3BBBC3A07} - D:\WINDOWS\1090380940.dll
O4 - HKLM\..\Run: [System32] D:\WINDOWS\system.exe
O4 - HKCU\..\Run: [Bbzd] D:\WINDOWS\System32\smtaqmn.exe

 

by: sunray_2003Posted on 2004-07-23 at 06:30:00ID: 11621095

Few other comments that need to be done

a) Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there except anti-virus.Reboot the machine and check if the webpage is still hijacked.
If not, then enable one at a time in the same startup tab and find the application or process that might cause this
at startup

b) Turn off system restore.

c) lock the homepage using Spybot

First go to IE --> tools --> Internet options and setup a homepage of your choice

Then what you can do is this.. Install spybot 1.3 : www.softpedia.com/public/cat/10/17/10-17-21.shtml
open it and update it
go to mode --> advanced mode
now on the bottom left navigation pane , you should see tools
click on it and go to "IE tweaks"
and check " lock IE startup page setting against user changes"
Close spybot

Open IE and check how it goes

d) Remove temporary internet files, folders and cookies
Also remove windows Temp files going to

1) Start --> run --> typein:  %systemroot%/temp
2) Start  --> run --> typein: %temp%

Reboot and check

SR

 

by: ddemakesPosted on 2004-07-23 at 06:47:34ID: 11621274

SR,

Thanks for the speedy reply.  I have tried to fix/delete the ROs and R1s you suggested above, but they didn't delete.  The O2s and the O4s did, (see latest log below.)  I will continue on with your second set of suggestions and reply once those are complete.

Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 9:39:12 AM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WLANSTA.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Express ClickYes\ClickYes.exe
D:\WINDOWS\System32\smtaqmn.exe
D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
D:\Program Files\Handspring\GoSync.exe
D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
D:\Program Files\Handspring\HOTSYNC.EXE
D:\Documents and Settings\Darrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] D:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Express ClickYes] D:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "D:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
O4 - Global Startup: ItsDeductiblePopUp.lnk = D:\Program Files\ItsDeductible\ItsDeductible.exe
O4 - Global Startup: eNetBot Mail.lnk = D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\Quicken\billmind.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: GoSync v1.0.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab

 

by: sunray_2003Posted on 2004-07-23 at 06:49:16ID: 11621285

ddemakes,

Try running this http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
if you have not already done

SR

 

by: ddemakesPosted on 2004-07-23 at 07:59:18ID: 11622046

Hi SR,

IE now opens to www.yahoo.com, my chosen start page.  But when I ran HJT, the D:\WINDOWS\secure.html URL is still asociated with some registers (see LOG 1 OF 2 below).

So I deleted R0s and R1s with the D:\WINDOWS\secure.html URL and they did delete (see LOG 2 OF 2 below).

I also unlocked Spybot "lock IE startup page setting against user changes."

Then I used CWShredder and it found CWS.Jksearch and deleted it.  I rebooted and ran it again just to make sure.  Nothing new was found.

I ran Spybot and got nothing back accept an error about XAbot that I can't seem to get past.  Any thoughts on that one?

Thanks

LOG 1 OF 2

Logfile of HijackThis v1.97.7
Scan saved at 10:10:17 AM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WLANSTA.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Express ClickYes\ClickYes.exe
D:\Program Files\The Weather Channel\The Weather Channel.exe
D:\Program Files\Handspring\GoSync.exe
D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
D:\Program Files\Handspring\HOTSYNC.EXE
D:\Documents and Settings\Darrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [X-Cleaner Freeware] "D:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] D:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [Desktop Weather 3] D:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ItsDeductiblePopUp.lnk = D:\Program Files\ItsDeductible\ItsDeductible.exe
O4 - Global Startup: GoSync v1.0.lnk = ?
O4 - Global Startup: eNetBot Mail.lnk = D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Billminder.lnk = D:\Program Files\Quicken\billmind.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab





LOG 2 OF 2

Logfile of HijackThis v1.97.7
Scan saved at 10:47:54 AM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WLANSTA.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Express ClickYes\ClickYes.exe
D:\Program Files\The Weather Channel\The Weather Channel.exe
D:\Program Files\Handspring\GoSync.exe
D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
D:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
D:\Program Files\Handspring\HOTSYNC.EXE
D:\Documents and Settings\Darrell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [X-Cleaner Freeware] "D:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] D:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [Desktop Weather 3] D:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ItsDeductiblePopUp.lnk = D:\Program Files\ItsDeductible\ItsDeductible.exe
O4 - Global Startup: GoSync v1.0.lnk = ?
O4 - Global Startup: eNetBot Mail.lnk = D:\Program Files\eNetBot\eNetBot Mail\enetbot.exe
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Billminder.lnk = D:\Program Files\Quicken\billmind.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - htp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) -
http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab


END

 

by: LRI41Posted on 2004-07-23 at 08:11:27ID: 11622196

Bugoff- New Tool To Prevent CWS & Other Hijacks by Merijn –hijackthis-cwshredder

A new app is available for download: BugOff. This disables a few exploits that are commonly used by browser hijackers to install themselves onto your system. In essence, it prevents such hijackers from ever installing, like SpywareBlaster.
There are no patches available from Microsoft for these exploits. Even if your system is fully up to date from WindowsUpdate you are vulnerable!
This app should be used by everyone that uses Internet Explorer to browse the web.





the program only needs to be run once, set all items to disabled


Download:


http://www.spywareinfo.com/~merijn/files/bugoff.zip


also mirrored the zip/exe files here:

http://radiosplace.com

 

by: ddemakesPosted on 2004-07-23 at 08:28:43ID: 11622377

LR141,

Is it true that this DSO Exploit I have are not malicious?  Does Bugoff turn them off or just change them so Spybot S&D doesn't see them?

Thanks,

 

by: LRI41Posted on 2004-07-23 at 09:20:38ID: 11622933

I have downloaded it but not installed it yet, as I have AdAware Pro. Spybot, Spyblaster and
Pest Patrol so so far I have not had MSIE hijacked, its locked but Merijn is the one who
programed Hi JacK This and CW Shredder and here is is home page :
which I read that it prevents these certain one from installing like Spyblaster does.

Merijn.org

http://www.spywareinfo.com/~merijn/

 

by: rossfingalPosted on 2004-07-26 at 13:08:40ID: 11641108

Hi!  ddemakes!

There is a new version of HijackThis out - can be downloaded from:
http://www.subratam.org/?page=removal
Or:
http://www.softpedia.com/public/cat/10/17/10-17-69.shtml

Whenever you see an executable running from certain places, it's usually a
sign of something questionable.
Note - this entry:
O4 - HKCU\..\Run: [Aeom] D:\Documents and Settings\Darrell\Application Data\oosp.exe
Check the properties on it, if you don't know what it is - it's probably a good idea to have HijackThis fix it.

Have HijackThis fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
Reboot your computer and post a new HJT log here.
Good luck!
RF

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...