"Only The Best" Popup & Homepg Hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Casey33626, Jun 14, 2004.

  1. Casey33626

    Casey33626 Private E-2

    Hi All;

    I've read through various threads on the same subjec but can't seem to kill this pesky hijack problem on my own. Thus, I registered here in hope of finding help.

    First, I'll post my hijack log file and await your help:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:21:20 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\ntew.exe
    C:\WINDOWS\ietf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Casey\My Documents\My Downloads\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mptst.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mptst.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mptst.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mptst.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mptst.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mptst.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CB9A63C7-F8A0-BF83-FEB2-F1683B90588A} - C:\WINDOWS\system32\mslh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [ntew.exe] C:\WINDOWS\ntew.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\DOCUME~1\Casey\APPLIC~1\msld\msld.dll,UpdateDll s
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://tampabay.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://tampabay.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://tampabay.mlxchange.com/Control/IRCSharc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1272F493-D462-4064-BC4D-B76C72E5C137}: NameServer = 207.22.166.2,207.22.166.61
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1272F493-D462-4064-BC4D-B76C72E5C137}: NameServer = 207.22.166.2,207.22.166.61
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1272F493-D462-4064-BC4D-B76C72E5C137}: NameServer = 207.22.166.2,207.22.166.61
     
    Casey33626, Jun 14, 2004
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's Casey,

    Before we go any further please do the below:

    Get DLLFIX.EXE from: http://tools.zerosrealm.com/dllfix.exe
    1) Save the file to your Desktop, double click dllfix.exe and follow the prompts. This will create a folder called dllfix on your desktop.
    2) Click on this folder and then double click on start.bat.
    3) Select option 1 Run Find-All to scan your PC. This will create a log file.
    4) Post this log back here before running any fixes.
     
    chaslang, Jun 15, 2004
    #2
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Two more things to look at using Control Panel, Add/Remove Programs:

    1) remove WinShow if you find it
    2) remove iefeatsl if you find it.
     
    chaslang, Jun 15, 2004
    #3
  4. Casey33626

    Casey33626 Private E-2

    Here's the results from the latest log:

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Tue 06/15/2004
    05:56 PM

    System Info:
    Microsoft Windows XP [Version 5.1.2600]
    C: "" (6336:63BC) - FS:NTFS clusters:4k
    Total: 60 003 381 248 [56G] - Free: 50 697 121 792 [47G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    If not file is listed than Dllfix may not Help.
    in this case please post the contents of Windows.txt to the appinit
    entry can be checked. You will find it in the dllfix folder after findall completes.


    Scanning for main Hijacker:


    Dllfix must have the Hijackerfiles in system32 to fix properly.
    If there are no protocal keys text/html and text/plain
    then dllfix may not work. This fix targets this type Hijack Entry.
    that keeps reoccuring with different filenames.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    = res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB9A63C7-F8A0-BF83-FEB2-F1683B90588A}]
    @=""

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    *Security settings for 'Windows' key:

    If error than registry may need to be restored from option 4.

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    
     
    Casey33626, Jun 15, 2004
    #4
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The DLL FIx log does not indicate any problems. Did you check Add/Remove programs for the programs I mentioned a few messages back?
     
    chaslang, Jun 15, 2004
    #5
  6. Casey33626

    Casey33626 Private E-2

    Yes, I looked for those two programs to add/remove but neither was listed. Like I said, this one has baffled me, too. But its damn well driving me crazy and I won't be happy again until its dead.


    Any and all help is appreciated.
    Casey
     
    Casey33626, Jun 15, 2004
    #6
  7. Casey33626

    Casey33626 Private E-2

    Arrrgh, my homepage gets hijacked after every reboot, popups still popping up and on some websites I'm on with my browser, it shows particular words hotlinked but the links go nowhere. Somehow my browser is creating these links internally because I know the links should not be on those pages (because I designed them).

    ((((H E L P!))))
     
    Casey33626, Jun 15, 2004
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Casey, Can you try the following:

    1) reboot and do not run anything at all
    2) bring up task manager (CTRL-ALT-DEL) and make note of all running processes
    3) now with task manager still running (you can minimize so you can see better), bring up 1 internet explorer session.
    4) check task manager to see what has been added. Is it only one, IEXPLORE.EXE? Or is something else there too?
     
    chaslang, Jun 15, 2004
    #8
  9. Casey33626

    Casey33626 Private E-2

    There's a bunch of processes running, but only one application.

    How bout I post my most recent Hijack This log? BRB...

    Logfile of HijackThis v1.97.7
    Scan saved at 11:14:50 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\WINDOWS\ntew.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\netzf32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Casey\My Documents\My Downloads\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mptst.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tampabay.mlxchange.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mptst.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mptst.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mptst.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mptst.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CB9A63C7-F8A0-BF83-FEB2-F1683B90588A} - C:\WINDOWS\system32\mslh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [ntew.exe] C:\WINDOWS\ntew.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://tampabay.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://tampabay.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://tampabay.mlxchange.com/Control/IRCSharc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1272F493-D462-4064-BC4D-B76C72E5C137}: NameServer = 207.22.166.2,207.22.166.61
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1272F493-D462-4064-BC4D-B76C72E5C137}: NameServer = 207.22.166.2,207.22.166.61
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1272F493-D462-4064-BC4D-B76C72E5C137}: NameServer = 207.22.166.2,207.22.166.61
     
    Casey33626, Jun 15, 2004
    #9
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Casey, I know it's tedious but what I asked was to compare two process lists before and while running internet explorer. We are looking for a process that runs so we can identify it.

    2) bring up task manager (CTRL-ALT-DEL) and make note of all running processes
    3) now with task manager still running (you can minimize so you can see better), bring up 1 internet explorer session.
    4) check task manager to see what has been added. Is it only one, IEXPLORE.EXE? Or is something else there too?
     
    chaslang, Jun 15, 2004
    #10
  11. Vash1123

    Vash1123 Private E-2

    I recently had the same problem. What was happening was, I would find and destroy one of the processes that were running a spyware progame just to have another one pop up. After doing this for about three hours. My homepage couldn't be changed from "Home Search", I had "Only The Best" pop-ups all over the place and my computer was lagging. After a few more hours, I broke down and formatted. Good luck.
     
    Vash1123, Jun 16, 2004
    #11
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Vash,

    Sorry to hear that you had to resort to format. But you better get yourself a good firewall, virus checker, spyware blocker, etc installed ASAP or you run the risk of getting it again. I don't know where people are getting this from but I have all the protection methods on my PCs and I never have problems with spyware, virus, ad-ware, etc. This does not mean I cannot have a problem in the future but I never run into any of the problems I am seeing people have. Also a word of caution, before installing anyone's software "ALWAYS" read the fine print and license info. Many problems begin by downloading and installing what I call "crapware".
     
    chaslang, Jun 16, 2004
    #12
  13. Casey33626

    Casey33626 Private E-2

    Only one ...now what? Awaiting orders...
     
    Casey33626, Jun 16, 2004
    #13
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Casey, your still missing the point of what I want you to do. I want you to compare two sets of process lists. One from before starting up iexplorer and one after. I'm looking to see if anything else runs in addition to iexlporer. I'll repeat my instructions with a little modification:

    1) reboot and do not run anything at all
    2) bring up task manager (CTRL-ALT-DEL) and make note of ALL running processes
    3) now with task manager still running (you can minimize so you can see better), bring up 1 internet explorer session.
    4) check task manager to see what has been added to the list of running processes. You would expect to only see iexplorer.exe added but is anything else added?
     
    chaslang, Jun 16, 2004
    #14
  15. Casey33626

    Casey33626 Private E-2

    Sorry, I wasn't clear enough. What I meant by "only one" was that only IE showed up in my process window. No other entry was indicated.
     
    Casey33626, Jun 17, 2004
    #15
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I posted this in another thread (DarkAngels):

    Since I do not have the problem, I cannot debug it first hand. So I have a suggestion for you guys that have the problem. First, if you do not already have a firewall program installed, get one (like ZoneAlarmFree or Sygate both available here on MG's) and set it up to show incoming and outgoing indications. Second, item to try that could help us find this piece of crap: Security Task Manager. Download it from http://www.neuber.com/taskmanager/download.html Check it out. Maybe we can find some process running that is suspicious. This is 30 day trial software use it quickly.

    If everyone having the problem can do this, we may find some common program that begins the mutation. I have a feeling something is attached to IE.
     
    chaslang, Jun 17, 2004
    #16

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds