
[Solved] Home page Hijacked by limon-finder ...Please Help

Discussion in 'Virus & Other Malware Removal' started by Marineboy65, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. Marineboy65

    Marineboy65 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    3
    Hi Everyone,

    I'm desperate. I somehow managed to pick up a Trojan virus about a week ago, which AVG detected and removed. But ever since, my home page has been changing to http://limon-finder.com/search.php , and if I let the page load completely, DAP tries downloading a couple of exe files...gdnau1350.exe and rdgau320.exe

    I've performed scans with AVG, Adaware and Spybot, each time making sure I had the latest updates and deleted/fixed everything they find. I've then run Hijackthis and deleted all of the obvious entries, i.e., anything that mentions limon-finder, but they keep coming back when I reboot.

    I would much appreciate any advice anyone can give me.

    Hijack this log below....

    Logfile of HijackThis v1.97.7
    Scan saved at 5:03:08 PM, on 9/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\GEMPRO\SYSTRAYFIND.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\BROWSER HIJACK BLASTER\BHBLASTER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\DOWNLOADS\SOFTWARE DOWNLOADS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://limon-finder.com/search.php
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SysTrayFind] C:\GemPro\SysTrayFind.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\PROGRAM FILES\GOZILLA\GO.EXE" /FIXRAS
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://uroam.hatch.com.au/vdesk/cachecleaner.cab
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Your problem lies just a bit farther down in the HJT log:

    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

    This indicates an infection that might be one of several things. Do an online scan and see if anything is found, record well what files if any are found, cleaned, non cleanable, deleted.

    Set the AUTOCLEAN button. This scanner takes a while to load but is very good at detecting trojans, etc.

    It may or may not be able to clean the problem.

    We like to have people showing any possible virus, worm etc do an online scan because where there is or was one, there can be more.

    http://housecall.antivirus.com/housecall/start_corp.asp

    When the ActiveX control finishes loading the SCAN button will darken> set the My Computer for scanning, and uncheck the CDROM drive and floppy drive, just scan the rest of the computer.

    Post a new HJT log when done.
     
  3. Marineboy65

    Marineboy65 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    3
    Hi Byteman,

    Thanks for your suggestion. I ran the online scan and it found nothing.

    Latest HJT log follows.....Thanks again :)

    Logfile of HijackThis v1.97.7
    Scan saved at 7:35:50 PM, on 10/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\GEMPRO\SYSTRAYFIND.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\DESKTOP\DOWNLOADS\SOFTWARE DOWNLOADS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://limon-finder.com/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://limon-finder.com/search.php
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SysTrayFind] C:\GemPro\SysTrayFind.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\PROGRAM FILES\GOZILLA\GO.EXE" /FIXRAS
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://uroam.hatch.com.au/vdesk/cachecleaner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Sorry for the delay in getting back to you.
    You may want to use the "Thread Tools" button at top of page where your first posting is, there is a "Printable Version" button that will print text-only pages for you, or you can save the instructions here on your computer as a text file on the desktop so you can refer to it easily.

    First: create a new folder inside the C:\WINDOWS\DESKTOP\DOWNLOADS\SOFTWARE DOWNLOADS folder, name it HJT.

    You can get a newer version of Hijackthis.exe at the site below, and simply delete the v1.97 copy or leave it, download the newer copy to the HJT folder.

    Download CWShredder.exe, to a folder you make, in the same Desktop\Software Downloads folder, name it CWS.

    >>>>>Do NOT run cwshredder.exe yet.<<<<<<

    http://www.lurkhere.com/~nicefiles/


    Open Windows Explorer> at the top of the window, open View> then Folder Options> then View again> and make sure you put a dot into "Show all Files" and UNcheck "hide extensions for known file types" and click OK.

    You must be disconnected from the Internet- good way is to remove any Network cable from the cable modem or back of computer, or telephone line from your modem or wall jack> no browser windows open, No Internet explorer open, nothing but Hijackthis.

    Start Hijackthis from its folder (version 1.98.2) and when it finishes scanning, fix the following items by putting a check into each item listed:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://limon-finder.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://limon-finder.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://limon-finder.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://limon-finder.com/search.php

    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe


    Find the file at the end of this line: C:\WINDOWS\SYSTEM\winupd.exe <---this file, and highlight it and click Delete.

    Run Disk Cleanup and get rid of all temp, Temporary Internet Files, and empty the Recycle Bin, giving that plenty of time to empty.


    Next: Boot to Safe Mode, by tapping the F8 key several times when the computer starts up. Give it time to reach Safe Mode. Windows works the same only it looks funny, that is normal.


    Run Hijackthis again, and if any items from the first run appear, fix them in Safe Mode.

    Then run CWShredder.exe and let it remove what it finds, if anything.


    Also> use the Find>Files or Folders from Start button, and look IN C: drive for these files: they probably will not be found, but look anyway!

    C:\WINDOWS\SYSTEM\winupd.exe

    gdnau1350.exe and rdgau320.exe

    Or, search folders for them manually if you noted the folder that they would be downloaded to such as your Software Downloads folder> you are using a download manager so they should be in that default folder. Run the download manager if the folders are not searchable without the program running.

    Find those files and delete them and again empty the Bin.

    Reboot and run AdAware, ((have it check for updates)), and see if it removes anything.

    If you have SpyBot Search and Destroy, run that as well.
    Reboot, and post a new Hijackthis logfile.
     
  5. Marineboy65

    Marineboy65 Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    3
    Thanks ever so much Byteman,

    I followed your instructions and......problem solved :)

    Advice like that is well worth money, so I've made a small donation toward the tech guy web site.

    Latest HJT log follows for your information ..... Thanks again :)

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:55 AM, on 11/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\GEMPRO\SYSTRAYFIND.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\SOFTWARE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.comsec.com.au/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SysTrayFind] C:\GemPro\SysTrayFind.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\PROGRAM FILES\GOZILLA\GO.EXE" /FIXRAS
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://uroam.hatch.com.au/vdesk/cachecleaner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
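An added example, not part of any post in this thread and not code from HijackThis: a small Python parser for the R0/R1 and O4 registry lines of a HijackThis log that compares a "before" and an "after" log to confirm that the redirected Internet Explorer settings and the `winupd` Run entry are gone and that no new autorun has appeared. The function names are hypothetical, and the sample lines are excerpted from the logs posted above.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the logs posted in this thread (before and after cleanup).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://limon-finder.com/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://limon-finder.com/index.php
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.comsec.com.au/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+\\[^,]+),(.+?) = (.*)$")
# "O4 - HKLM\..\Run: [<name>] <command>" (Startup-folder O4 lines are skipped)
O4_LINE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.*)$")


def parse_log(text):
    """Return (settings, autoruns) parsed from HijackThis log text."""
    settings, autoruns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            settings.append({"section": m[1], "key": m[2],
                             "name": m[3], "data": m[4]})
            continue
        m = O4_LINE.match(line)
        if m:
            autoruns.append({"hive": m[1], "name": m[2], "command": m[3]})
    return settings, autoruns


def settings_pointing_at(settings, domain):
    """IE settings whose URL host is the domain or one of its subdomains."""
    hits = []
    for s in settings:
        host = (urlparse(s["data"]).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits.append(s)
    return hits


def missing_from(first, second):
    """Autoruns present in `first` but absent from `second` (case-insensitive)."""
    def ident(a):
        return (a["hive"], a["name"].lower(), a["command"].lower())
    seen = {ident(a) for a in second}
    return [a for a in first if ident(a) not in seen]


def cleanup_report(before_text, after_text, domain):
    """Summarise what changed between two logs for one hijacker domain."""
    b_set, b_run = parse_log(before_text)
    a_set, a_run = parse_log(after_text)
    return {
        "hijacked_before": len(settings_pointing_at(b_set, domain)),
        "hijacked_after": len(settings_pointing_at(a_set, domain)),
        "removed_autoruns": [a["name"] for a in missing_from(b_run, a_run)],
        # A reinfection after reboot would show up here as a new entry.
        "new_autoruns": [a["name"] for a in missing_from(a_run, b_run)],
    }


if __name__ == "__main__":
    print(cleanup_report(BEFORE, AFTER, "limon-finder.com"))
```

The comparison only reflects what the two logs record; it does not show whether the file behind a removed Run entry was also deleted from disk.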
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, On behalf of the Administrator Mike C., and from all us TSGers, thank you for any donation you make!

    You wouldn't believe how much this site has improved my life and my computers :D so, I can heartily agree with you-- (y)
     

Short URL to this thread: https://techguy.org/271951
