1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Internet explorer 6 Sp1 homepage hijacked

Discussion in 'Virus & Other Malware Removal' started by PShawTx, Sep 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. PShawTx

    PShawTx Thread Starter

    Joined:
    Aug 29, 2004
    Messages:
    7
    My I E explorer 6 sp1 home page has been hijacked. I keeps resetting to blank. It won't stay where I set the home page.

    Below is the Hijack this log. Can anyone help me?

    Logfile of HijackThis v1.98.2
    Scan saved at 8:55:49 PM, on 8/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSIM.EXE
    C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\WINDOWS\SYSTEM\ILSH.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\EXEC\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {857427CD-5085-3485-2B29-D7C1854F5F96} - C:\WINDOWS\SYSKT.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [vsys.exe] C:\WINDOWS\system\vsys.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE 1
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SYSIM.EXE] C:\WINDOWS\SYSIM.EXE
    O4 - HKCU\..\Run: [Popup Defender] C:\PROGRAM FILES\POPUP DEFENDER\KILLIT.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Tgar] C:\WINDOWS\SYSTEM\ilsh.exe
    O4 - HKCU\..\Run: [Pop up Blocker] "C:\PROGRAM FILES\POP UP BLOCKER\PD.EXE" Minimize
    O4 - Startup: Screen Shot 2.0.lnk = C:\Program Files\Parsons Technology\Screen Shot 2.0\Sshot2.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Start GetRight.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: PD - {977D6E80-F941-11D8-89C8-444553540000} - C:\PROGRAM FILES\POP UP BLOCKER\PD.EXE
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://myauctiontrainerevents.webex.com/client/v_os35client/webex/ieatgpc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14c75d84e0c313815a03/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//37794/msits.exe
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
     
  2. MysticEyes

    MysticEyes Banned

    Joined:
    Mar 30, 2002
    Messages:
    4,825
    Is this something you use/installed?

    O15 - Trusted Zone: *.xxxtoolbar.com
     
  3. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    Firstly you are infected with about:blank,that is what is causing your problem,so go here and download this shredder http://www.soft32.com/download-CWShredder-19014-5.html dont set it to scan but to FIX ........

    Next put a tick by these and after closing all open windows have hijack FIX them

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fdaso.dll/sp.html#37794
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE 1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Can you vouch for all those trusted sites? if not click them too .......

    Post back a modified log ........
     
  4. PShawTx

    PShawTx Thread Starter

    Joined:
    Aug 29, 2004
    Messages:
    7
    O15 - Trusted Zone: *.xxxtoolbar.com.

    No this is not something I installed or use. I have no idea what it is.
     
  5. Triple6

    Triple6 Moderator

    Joined:
    Dec 26, 2002
    Messages:
    52,935
    First Name:
    Rob
    Try this:

    First download Adaware SE, http://www.lavasoft.de/support/download/ , and update and run it. Once the scan is done fix all problems found. Then download and run Spybot: Search and Destroy 1.3, http://www.safer-networking.org/en/download/index.html , update and scan with it as well. Remove all problems. Reboot and run the scan again if either program requests it. Also download and run CWShredder, http://www.softpedia.com/public/cat/10/17/10-17-150.shtml , have it fix any problems it finds. Then reboot the computer, connect to the internet, open Internet Explorer and browse for a little.

    Now create a new folder on your desktop by right-clicking on the Desktop and selecting to create a new folder calling it REMOVAL. This is where you want to save all the following utilities and their logs.

    Download AboutBuster 3.0 from here and save it in the REMOVAL folder:
    http://www.spychecker.com/program/aboutbuster.html Don’t run it yet.

    Download Hijackthis, http://www.spychecker.com/program/hijackthis.html , and save it to the REMOVAL folder. You will need Winzip or another compression utility to uncompress these files so install one if you do not already have one.

    Now we need to make sure Windows is set not to hide any files. To do this open My Computer, go to Tools and then Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and uncheck "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

    Next go to Start and then Run and type "Services.msc" (without the quotes) and then press Ok.

    Scroll down and find the service called "NETWORK SECURITY SERVICE ". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    Now you must reboot your computer to Safe Mode. Here’s how:
    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

    Scan with HijackThis, it needs to be uncompressed into the REMOVAL FOLDER first before running, and put checks next to all the following similar R1 lines, then click "Fix Checked"


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\random characters.dll/sp.html#random numbers
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\random characters.dll/sp.html#random numbers
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ random characters.dll/sp.html#random numbers
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\random characters.dll/sp.html#random numbers
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\random characters.dll/sp.html#random numbers
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\random characters.dll/sp.html#random numbers
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\random characters.dll/sp.html#random numbers
    R3 - Default URLSearchHook is missing

    Now we need to run the AboutBuster tool. The program will need to do two scans. Make note of any files not fixed after the second scan. These will need to be deleted manually later.

    Now go to Start, Program Files, Accessories, System Tools, and run Disk Cleanup and clean all the options available. Then go to My Computer, C: Drive, Windows, Temp, and delete all files in this TEMP folder.

    Run Adaware and Spybot again to see if there are any new problems that need to be fixed.

    Now go to Control Panel, Internet Options, and click the Security tab. Set the all Security Zones to the Default Level and click OK.

    Reboot to normal mode, scan again with HijackThis and post a new log here.

    It might be useful to save this or print it so you can access it without going online.
     
  6. Triple6

    Triple6 Moderator

    Joined:
    Dec 26, 2002
    Messages:
    52,935
    First Name:
    Rob
    In addition while in Safe Mode fix these with Hijackthis if the still exist after the scans:
    O2 - BHO: Class - {857427CD-5085-3485-2B29-D7C1854F5F96} - C:\WINDOWS\SYSKT.DLL
    O4 - HKLM\..\Run: [vsys.exe] C:\WINDOWS\system\vsys.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [SYSIM.EXE] C:\WINDOWS\SYSIM.EXE
    O4 - HKCU\..\Run: [Tgar] C:\WINDOWS\SYSTEM\ilsh.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//37794/msits.exe
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)

    And delete the following if they still exist:
    C:\WINDOWS\SYSKT.DLL
    C:\WINDOWS\system\vsys.exe
    C:\WINDOWS\SYSIM.EXE
    C:\WINDOWS\SYSTEM\ilsh.exe

    http://www.sophos.com/virusinfo/analyses/trojporpera.html

    Also do an online Virus Scan at housecall.trendmicro.com after completing all the above steps.
     
  7. PShawTx

    PShawTx Thread Starter

    Joined:
    Aug 29, 2004
    Messages:
    7
    telecom69

    Here is the modified log

    Logfile of HijackThis v1.98.2
    Scan saved at 2:54:48 PM, on 9/6/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSIM.EXE
    C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\POPUP DEFENDER\KILLIT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\ILSH.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\EXEC\HIJACK THIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE

    O2 - BHO: Class - {857427CD-5085-3485-2B29-D7C1854F5F96} - C:\WINDOWS\SYSKT.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [vsys.exe] C:\WINDOWS\system\vsys.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SYSIM.EXE] C:\WINDOWS\SYSIM.EXE
    O4 - HKCU\..\Run: [Popup Defender] C:\PROGRAM FILES\POPUP DEFENDER\KILLIT.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Tgar] C:\WINDOWS\SYSTEM\ilsh.exe
    O4 - HKCU\..\Run: [Pop up Blocker] "C:\PROGRAM FILES\POP UP BLOCKER\PD.EXE" Minimize
    O4 - Startup: Screen Shot 2.0.lnk = C:\Program Files\Parsons Technology\Screen Shot 2.0\Sshot2.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Start GetRight.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: PD - {977D6E80-F941-11D8-89C8-444553540000} - C:\PROGRAM FILES\POP UP BLOCKER\PD.EXE
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://myauctiontrainerevents.webex.com/client/v_os35client/webex/ieatgpc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14c75d84e0c313815a03/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
     
  8. PShawTx

    PShawTx Thread Starter

    Joined:
    Aug 29, 2004
    Messages:
    7
    telecom69

    I did like your post said but it did not work. Those lines that hijack this fixed came back. The shredder did not get rid of what ever is causing the problem.
     
  9. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    OK read the posts above posted by Triple6 and do as instructed ........
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270609

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice