
Solved: Start page in explorer has bogus web page

Discussion in 'Virus & Other Malware Removal' started by skzip, Jul 19, 2006.

Thread Status:
Not open for further replies.
  1. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    Please can you tell me how to get rid of this web page? It is deep in my registry and I can't remove it. It is in R0, called www.leeman-automatisering.nl/startpagina
    I have tried hijack this and adware professional.


    Logfile of HijackThis v1.97.2
    Scan saved at 00:09:22, on 20/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\ehome\ehtray.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    G:\WINDOWS\system32\rundll32.exe
    G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    G:\WINDOWS\system32\tbctray.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    G:\WINDOWS\system32\cisvc.exe
    G:\WINDOWS\eHome\ehRecvr.exe
    G:\WINDOWS\eHome\ehSched.exe
    G:\WINDOWS\system32\inetsrv\inetinfo.exe
    G:\WINDOWS\System32\snmp.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\ups.exe
    G:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\WINDOWS\system32\mqsvc.exe
    G:\WINDOWS\system32\mqtgsvc.exe
    G:\WINDOWS\system32\dllhost.exe
    G:\WINDOWS\eHome\ehmsas.exe
    G:\WINDOWS\system32\cidaemon.exe
    G:\Documents and Settings\Steve\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leeman-automatisering.nl/startpagina
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=34487
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [TraySantaCruz] G:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download HJT again from this link: Hijackthis and post another log.
     
  3. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    Thanks Cybertech hope this is what you want mate





    Logfile of HijackThis v1.97.2
    Scan saved at 17:18:22, on 25/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\ehome\ehtray.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    G:\WINDOWS\system32\rundll32.exe
    G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    G:\WINDOWS\system32\tbctray.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    G:\WINDOWS\system32\cisvc.exe
    G:\WINDOWS\eHome\ehRecvr.exe
    G:\WINDOWS\eHome\ehSched.exe
    G:\WINDOWS\system32\inetsrv\inetinfo.exe
    G:\WINDOWS\System32\snmp.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\ups.exe
    G:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\WINDOWS\system32\mqsvc.exe
    G:\WINDOWS\system32\mqtgsvc.exe
    G:\WINDOWS\system32\dllhost.exe
    G:\WINDOWS\eHome\ehmsas.exe
    G:\WINDOWS\system32\cidaemon.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Documents and Settings\Steve\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leeman-automatisering.nl/startpagina
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=34487
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [TraySantaCruz] G:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The version of HJT you are using is very old. Please download the current version and post your log with that.
     
  5. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    Sorry cybertech, new version downloaded, scanned and posted as requested.


    Logfile of HijackThis v1.99.1
    Scan saved at 02:18:41, on 26/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\system32\spoolsv.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    G:\WINDOWS\ehome\ehtray.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    G:\WINDOWS\system32\rundll32.exe
    G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    G:\WINDOWS\system32\tbctray.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\WINDOWS\system32\cisvc.exe
    G:\WINDOWS\eHome\ehRecvr.exe
    G:\WINDOWS\eHome\ehSched.exe
    G:\WINDOWS\system32\inetsrv\inetinfo.exe
    G:\WINDOWS\System32\snmp.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\ups.exe
    G:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\WINDOWS\system32\mqsvc.exe
    G:\WINDOWS\system32\mqtgsvc.exe
    G:\WINDOWS\system32\dllhost.exe
    G:\WINDOWS\eHome\ehmsas.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\WINDOWS\system32\cidaemon.exe
    G:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leeman-automatisering.nl/startpagina
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=34487
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [TraySantaCruz] G:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leeman-automatisering.nl/startpagina

    Close all applications and browser windows before you click "fix checked".



    Does this belong to your ISP?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185
     
  7. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    I have done this and it will not remove it. I have also tried to manually delete it from the registry and it tells me access denied. As to the other registry value, I think it is partly to do with when I had another computer networked with this one.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
     
  9. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    Thanks cybertech it got rid of the foreign start page and now comes up with MSN but the only thing is it won't let me change it?




    Logfile of HijackThis v1.99.1
    Scan saved at 05:17:49, on 27/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\system32\spoolsv.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    G:\WINDOWS\system32\cisvc.exe
    G:\WINDOWS\eHome\ehRecvr.exe
    G:\WINDOWS\eHome\ehSched.exe
    G:\WINDOWS\system32\inetsrv\inetinfo.exe
    G:\WINDOWS\System32\snmp.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\ups.exe
    G:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\WINDOWS\system32\mqsvc.exe
    G:\WINDOWS\system32\mqtgsvc.exe
    G:\WINDOWS\system32\dllhost.exe
    G:\WINDOWS\ehome\ehtray.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    G:\WINDOWS\system32\rundll32.exe
    G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    G:\WINDOWS\system32\tbctray.exe
    G:\WINDOWS\eHome\ehmsas.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\WINDOWS\system32\cidaemon.exe
    G:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=34487
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [TraySantaCruz] G:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe




    Fixit file



    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    Other suspects
    Directory of G:\WINDOWS\system32
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
     
  11. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    No I don't think it does. I think it was to do with a computer I had networked to this one.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185

    Close all applications and browser windows before you click "fix checked".

    After you have fixed that and rebooted post your log again and let me know if you are having problems.
     
  13. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    I have done as you said and it doesn't seem to have had any effect on the system at all but I still can't get my home page to what I want.





    Logfile of HijackThis v1.99.1
    Scan saved at 19:59:29, on 30/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\ehome\ehtray.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    G:\WINDOWS\system32\rundll32.exe
    G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    G:\WINDOWS\system32\tbctray.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    G:\WINDOWS\system32\cisvc.exe
    G:\WINDOWS\eHome\ehRecvr.exe
    G:\WINDOWS\eHome\ehSched.exe
    G:\WINDOWS\system32\inetsrv\inetinfo.exe
    G:\WINDOWS\System32\snmp.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\ups.exe
    G:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\WINDOWS\system32\mqsvc.exe
    G:\WINDOWS\system32\mqtgsvc.exe
    G:\WINDOWS\system32\dllhost.exe
    G:\WINDOWS\eHome\ehmsas.exe
    G:\WINDOWS\system32\cidaemon.exe
    G:\Program Files\ABC\abc.exe
    G:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=34487
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TraySantaCruz] G:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://g:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://g:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.254.178 80.225.254.186
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Print out these instructions or copy them to notepad so they will be available to you in safe mode.



    Restart in Safe Mode.
    Click here to see how.



    Run HJT again and put a check in the following:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.254.178 80.225.254.186

    Close all applications and browser windows before you click "fix checked".


    * Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

    CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.

    • Double-click the Network Connections icon
    • Right-click the Local Area Connection icon and select Properties.
    • Highlight Internet Protocol (TCP/IP) and click the Properties button.
    • Be sure Obtain DNS server address automatically is selected.
    • OK your way out.


    * Go to Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type the following line in the command window:

      ipconfig /flushdns

    • Hit Enter
    • Exit the command window


    Post a new HJT log after you are rebooted to normal mode.
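
An added example (not part of the original thread, and not HijackThis's own code): a small Python parser that diffs two HijackThis logs and flags the two settings this thread keeps returning to, the R0 Start Page value and the O17 static NameServer value. The function names and the `trusted_hosts` / `expected_dns` allowlists are assumptions made for the illustration; the sample logs are trimmed excerpts of the 26/07 and 30/07 logs posted above.

```python
import re
from urllib.parse import urlsplit

# A coded HijackThis line looks like "R0 - <text>" or "O17 - <text>".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")


def parse_entries(log_text):
    """Return {(code, target): value} for every coded line of a log.

    "target = value" lines (R0/R1, O17, ...) are split at the first " = ";
    an entry with an empty value ends in " =". Other lines keep their whole
    text as the target. Targets are case-folded because registry names are
    case-insensitive (v1.97.2 prints "Shellnext", v1.99.1 "ShellNext").
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, text = m.groups()
        if text.endswith(" ="):
            target, value = text[:-2], ""
        elif " = " in text:
            target, _, value = text.partition(" = ")
        else:
            target, value = text, ""
        entries[(code, target.strip().casefold())] = value.strip()
    return entries


def diff_logs(before_text, after_text):
    """Compare two logs: which entries were added, removed or changed."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted((k, before[k], after[k]) for k in before
                          if k in after and before[k] != after[k]),
    }


def review_settings(entries, trusted_hosts, expected_dns):
    """Flag start pages and static DNS servers the analyst does not recognise.

    trusted_hosts / expected_dns are analyst-supplied allowlists (assumed
    here; in the thread the question was "Does this belong to your ISP?").
    """
    findings = []
    for (code, target), value in sorted(entries.items()):
        if code in ("R0", "R1") and target.endswith(",start page") and value:
            host = urlsplit(value).hostname or ""
            if host not in trusted_hosts:
                findings.append(("start-page", target, value))
        elif code == "O17" and target.endswith(": nameserver"):
            # NameServer values may be space- or comma-separated.
            unknown = [ip for ip in re.split(r"[ ,]+", value)
                       if ip and ip not in expected_dns]
            if unknown:
                findings.append(("static-dns", target, " ".join(unknown)))
    return findings


# Trimmed excerpt of the 26/07/2006 log from this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
G:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.leeman-automatisering.nl/startpagina
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=34487
O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.255.177 80.225.255.185
"""

# Trimmed excerpt of the 30/07/2006 log from this thread.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=34487
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDC4795-3214-4D93-A9F2-CB4EDF0E4F16}: NameServer = 80.225.254.178 80.225.254.186
"""

if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind in ("removed", "added", "changed"):
        for item in result[kind]:
            print(kind, item)
    # Allowlists below are placeholders an analyst would fill in.
    for finding in review_settings(parse_entries(LOG_AFTER),
                                   trusted_hosts={"www.msn.com"},
                                   expected_dns=set()):
        print("review", finding)
```

Run against the two excerpts, the diff shows the R0 entry gone and the O17 NameServer value present in both logs but with different addresses, which is why the O17 line had to be fixed a second time in Safe Mode.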
     
  15. skzip

    skzip Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    19
    Done what you said and I still cannot change my home page; it is still stuck on msn.com. Below is the latest hijack this log.


    Logfile of HijackThis v1.99.1
    Scan saved at 19:11:46, on 31/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\Explorer.EXE
    G:\Program Files\Hijackthis\HijackThis.exe
    G:\WINDOWS\system32\notepad.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] G:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] G:\Program Files\Zoom\PCI ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ATIMACE] MACE.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TraySantaCruz] G:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
Short URL to this thread: https://techguy.org/484614

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice