msn.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Vonnie, May 23, 2004.

  1. Vonnie

    Vonnie Sergeant

    msn.com keeps hijacking my start page.
    I have tried everything I know how to try to find what is happening.

    My HijackThis log:
    (I have taken out things I know are OK, like my ZoneAlarm etc.)

    Logfile of HijackThis v1.97.7
    Scan saved at 6:27:19 PM, on 5/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\Utilities\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDA268C1-477B-40BD-B202-3E6FEE9328F8}: NameServer = 207.69.188.187 207.69.188.186
     
  2. Adrynalyne

    Adrynalyne Guest

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDA268C1-477B-40BD-B202-3E6FEE9328F8}: NameServer = 207.69.188.187 207.69.188.186

    Nuke it.

    If that doesn't work, post the contents of your hosts file.
     
  3. Adrynalyne

    Adrynalyne Guest

    I'm thinking this might need to go as well:

    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB

    Next question. Any clue why you are using a proxy??

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    Anything like Ghost Surf installed?
     
  4. alanc

    alanc MajorGeek

    Adryn, that's Earthlink. I always get a line like that in my HJT log referencing my ISP as well.


    Vonnie, is Earthlink your ISP?
     
  5. Adrynalyne

    Adrynalyne Guest

    Really?

    According to HijackThis tutorials, anything loading into O17 is a domain hijacker.

    That would explain why she is going through a proxy, too, if she is on Earthlink.
     
  6. alanc

    alanc MajorGeek

    Merijn says here --> http://www.spywareinfo.com/~merijn/htlogtutorial.html
    RE the O17s:
    When in doubt I usually run a whois on the IPs just to check.
     
  7. Adrynalyne

    Adrynalyne Guest

    Roger that.
     
  8. alanc

    alanc MajorGeek

  9. Adrynalyne

    Adrynalyne Guest

    It's Housecall, I think.


    a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
     
  10. alanc

    alanc MajorGeek

    Housecall is 3 lines down from that line.


    (I'm also wondering about that proxy line.)
     
  11. Adrynalyne

    Adrynalyne Guest

    We've had a lot of people from Earthlink have proxies set and modified winsocks.

    It's the spam or popup blocker they use, I always thought. Maybe not.

    Is it called Surf Monkey?
     
  12. Adrynalyne

    Adrynalyne Guest

    It might not be legit, but I just lifted this from the inf inside the cab file at that URL:


    ad_url=http://www.antivirus.com/housecall/ad/0001.html
    home_url=http://www.antivirus.com
    virus_encyclopedia=http://www.antivirus.com/vinfo
    mail_to=webmaster@trendmicro.com
     
  13. alanc

    alanc MajorGeek

    Sounds logical to me.
    I think Surf Monkey is a kids' browser with built-in parental controls.
     
  14. Adrynalyne

    Adrynalyne Guest

    Gotcha.
     
  15. Adrynalyne

    Adrynalyne Guest


    From an ini in the cab file:

    Server.1=http://activeupdate.trendmicro.com/activeupdate

    It's either a clever piece of software or the real deal, if I'm not mistaken :)
     
  16. alanc

    alanc MajorGeek

    Maybe it's OK then.

    Seems odd that Housecall would install 2 different ActiveX controls; it only installed one on my machine, but then again I haven't run it in a while.
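The triage the thread walks through by hand (is the R1 proxy local, is the O17 NameServer really the ISP, which O16 CAB downloads deserve a look inside) can be scripted. The following is an added example for this thread, not code from HijackThis, MajorGeeks or anyone posting above. It parses only the R1, O16 and O17 line formats as they appear in the v1.97 log above, and the sample input is those lines copied from the log. It deliberately emits "verify" findings rather than removal instructions, since, as alanc points out, an O17 entry can simply be the ISP's DNS and a localhost proxy can be filtering software; the ISP DNS list and the trusted download host list are assumptions the caller supplies, not built-in knowledge.

```python
"""Triage helper for HijackThis R1 (proxy), O16 (DPF) and O17 (NameServer) lines.

Added example for this thread; not part of HijackThis or anything posted above.
Every finding is a "look at this" note: a human decides what, if anything, to remove.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: the R1, O16 and O17 lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDA268C1-477B-40BD-B202-3E6FEE9328F8}: NameServer = 207.69.188.187 207.69.188.186
"""

# Line shapes assumed from the v1.97 log above (not an official grammar).
R1_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyServer = (?P<value>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag: R1, O16 or O17
    subject: str  # the item to look at: proxy host:port, CLSID or name server IP
    reason: str   # why a person should verify it before deciding


def proxy_hosts(value):
    """Yield host:port entries from an IE ProxyServer value.

    Accepts 'http=localhost:8080', 'http=a:80;https=b:443' and a bare 'proxy:3128'.
    """
    for entry in value.split(";"):
        entry = entry.strip()
        if entry:
            _, _, hostport = entry.rpartition("=")  # drops an optional 'http=' prefix
            yield hostport


def host_is_trusted(host, trusted_suffixes):
    """True if host equals or is a subdomain of any caller-supplied trusted suffix."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def triage(log_text, isp_dns=frozenset(), trusted_hosts=frozenset()):
    """Return Finding objects for R1/O16/O17 lines that need a human check.

    isp_dns: name server IPs the ISP actually issues (assumption supplied by the caller).
    trusted_hosts: download hosts whose CABs were already inspected (caller's judgement).
    """
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := R1_RE.match(line):
            for hostport in proxy_hosts(m["value"]):
                host = hostport.rsplit(":", 1)[0].lower()
                if host in LOOPBACK_HOSTS:
                    findings.append(Finding("R1", hostport,
                        "proxy points at a local listener; identify the program bound to that port"))
                else:
                    findings.append(Finding("R1", hostport,
                        "proxy points at a remote host; confirm it is one you configured"))
        elif m := O16_RE.match(line):
            parsed = urlparse(m["url"])
            if parsed.scheme.lower() == "file":
                findings.append(Finding("O16", m["clsid"],
                    "control was installed from local media (file://); confirm the source disc"))
            else:
                host = (parsed.hostname or "").lower()
                if not host_is_trusted(host, trusted_hosts):
                    findings.append(Finding("O16", m["clsid"],
                        f"download host {host} is not on the trusted list; inspect the CAB's INF/INI before keeping it"))
            if not m["name"]:
                findings.append(Finding("O16", m["clsid"],
                    "control has no friendly name; look the CLSID up before deciding"))
        elif m := O17_RE.match(line):
            for server in m["servers"].split():
                try:
                    ipaddress.ip_address(server)
                except ValueError:
                    findings.append(Finding("O17", server, "NameServer value is not an IP address"))
                    continue
                if server not in isp_dns:
                    findings.append(Finding("O17", server,
                        "name server not on the ISP list; run whois on it before removing the line"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.subject}: {f.reason}")
```

Run as-is, every one of the five sample lines produces at least one finding, which is the point: with no ISP list and no trusted hosts, nothing is silently accepted. Passing `isp_dns` with the two 207.69.188.x addresses (what the ISP tells you, confirmed by whois as alanc suggests) and `trusted_hosts={"akamai.net"}` after inspecting the HouseCall CAB drops the O17 findings and the HouseCall O16 line, leaving the localhost proxy, the file:// installer and the unnamed control for follow-up.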
     
  17. Ciz

    Ciz Corporal

    EXCELLENT, that's put me onto something I was having troubles with (Panda antivirus problem when uninstalling). Although not intentional, you have helped me out of a bind, cheers Adrynalyne (for some reason I overlooked it).
     
  18. alanc

    alanc MajorGeek

    Vonnie, is your home page set to "blank"? If so, there may be an issue with that and Ad-aware. Found this on another forum here: http://www.pcbanter.net/t517577.html
     
  19. Adrynalyne

    Adrynalyne Guest

    Er..you are welcome, LOL.
     
  20. alanc

    alanc MajorGeek

    And for good reason, those hijacker writers are getting sneakier all the time. Just googling "about:blank hijack" gives tons of hits.
     
  21. Vonnie

    Vonnie Sergeant


    OK, this seems to be my prob.
    I do have it set to blank.
    I run Ad-Aware and then open a new browser and msn.com starts up.

    Now to figure out how to fix it, as my mind isn't working right now lol.
    Thanks for the help.
     
  22. Kodo

    Kodo SNATCHSQUATCH

  23. Vonnie

    Vonnie Sergeant

    Thanks Kodo. I don't know how I missed that one. It worked :)
     