Old 06-01-2004, 07:48 PM   #1
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
Pest - browser hijacked

My browser has been taken over by this nasty thing...
whenever you type an address into IE it searches what you type at its own (porn related) search page thing.. the only way i managed even to get here was by creating a short-cut to the site and opening that.. it hijacks the home page as well (pretty much everything it can) and a while back it loaded itself in the window of whatever you were looking at (so u have to press back to get to what you were viewing).. it revolves around myexexex.com ..

my hijack this log; [i have tried checking all with reference to myexexex.com and file://c:/spad/start.html ; and then clicking fix selected.. but then i scan again and they are still there, and the problem hasn't changed?? - i don't mind editing the registry if it can be fixed that way?]

Logfile of HijackThis v1.97.7
Scan saved at 01:27:11, on 02/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROANGELO\MUAMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\D-LINK\AIRPLUS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MsIE6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACROBAT READER\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] NOT Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Muagmr (icons)] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [IrMon] NOT irmon.exe
O4 - HKLM\..\Run: [DataLayer] NOT C:\Program Files\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [CloneCDTray] NOT "C:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [zSPGuard] cNOT:\program files\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [MF] C:NOT\Program Files\MAGIC\tb.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link\AirPlus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...871.6285648148
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab


my IE says i have IE 6.0 as well, rather than 5.5 as hijack this reports..

in the folder 'c:\spad' it has a file called 'problems.html' which supposedly shows you how to remove it by going to tool>internet options>programs>reset web settings.. but i did that and it's still not gone
mb26 is offline   Reply With Quote
Old 06-01-2004, 07:55 PM   #2
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
also.. i'd like to add that the computer is very slow right now.. movement from the cursor is jerky (slow response).

also, system has been cleaned v. recently with spybot and adaware so it's clean right now as far as they are concerned
mb26 is offline   Reply With Quote
Old 06-01-2004, 07:59 PM   #3
Lest we forget
 
 
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
remove all the R1's and R0's (except the first one, I think it's ok)

O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
ghost2003 is offline   Reply With Quote
Old 06-01-2004, 08:59 PM   #4
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
Quote:
[i have tried checking all with reference to myexexex.com and file://c:/spad/start.html ; and then clicking fix selected.. but then i scan again and they are still there, and the problem hasn't changed??
mb26 is offline   Reply With Quote
Old 06-01-2004, 09:09 PM   #5
Lest we forget
 
 
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
oh...sorry
ghost2003 is offline   Reply With Quote
Old 06-01-2004, 10:33 PM   #6
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
hi mb26

Can you please download

http://www.zerosrealm.com/downloads/pv.zip

Unzip to folder

Make sure you are online and have one explorer window open (like startpage)

Then doubleclick runme9x.bat , choose option 2 and post the log here


Lobos
Lobos is offline   Reply With Quote
Old 06-01-2004, 10:45 PM   #7
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
it was just called runme.bat no 9x but that doesn't matter i expect.. i have changed the start page by editing the HTML in the file so that it is blank, and set it to read only. still obviously all the worse problems however..


Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
MSI.DLL ce30000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
DOCPROP2.DLL 7cb70000 331776 C:\WINDOWS\SYSTEM\DOCPROP2.DLL 5.00.2136.1 DocProp2
AVIFIL32.DLL 7e460000 98304 C:\WINDOWS\SYSTEM\AVIFIL32.DLL 4.90.3000 Microsoft AVI File support library
MSACM32.DLL 7a1e0000 102400 C:\WINDOWS\SYSTEM\MSACM32.DLL 4.90.3000 Microsoft Audio Compression Manager
CRTDLL.DLL 7fb20000 180224 C:\WINDOWS\SYSTEM\CRTDLL.DLL 3.50 Microsoft C Runtime Library
MSVFW32.DLL 77ee0000 147456 C:\WINDOWS\SYSTEM\MSVFW32.DLL 4.90.3000 Microsoft Video for Windows DLL
WOW32.DLL bfdc0000 20480 C:\WINDOWS\SYSTEM\WOW32.DLL 4.90.3000 Win32 WOW32 core component
DCIMAN32.DLL 7d190000 24576 C:\WINDOWS\SYSTEM\DCIMAN32.DLL 4.90.3000 DCI Manager 1.00
PNGFILT.DLL 76d00000 57344 C:\WINDOWS\SYSTEM\PNGFILT.DLL 5.50.4134.100 IE PNG plugin image decoder
MSCORLD.DLL 79480000 98304 C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSCORLD.DLL 1.1.4322.573 Microsoft Remote object loader
MSCORIE.DLL 79410000 86016 C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSCORIE.DLL 1.1.4322.573 Microsoft .NET IE MIME Filter
MSVCR71.DLL b760000 352256 C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSVCR71.DLL 7.10.3052.4 Microsoft® C Runtime Library
MSCOREE.DLL 79170000 155648 C:\WINDOWS\SYSTEM\MSCOREE.DLL 1.1.4322.573 Microsoft .NET Runtime Execution Engine
JAVACYPT.DLL 7c480000 192512 C:\WINDOWS\SYSTEM\JAVACYPT.DLL 5.00.3810 MS Crypt Dll for Java
MSAWT.DLL 7c380000 167936 C:\WINDOWS\SYSTEM\MSAWT.DLL 5.00.3810 Microsoft AWT Library for Java
JAVART.DLL 7c300000 417792 C:\WINDOWS\SYSTEM\JAVART.DLL 5.00.3810 Microsoft® Runtime Library for Java
DDRAWEX.DLL 7d140000 36864 C:\WINDOWS\SYSTEM\DDRAWEX.DLL 4.87.00.0700 Microsoft DirectDrawEx
DDRAW.DLL baaa0000 356352 C:\WINDOWS\SYSTEM\DDRAW.DLL 4.07.00.0700 Microsoft DirectDraw
MSJAVA.DLL 7c000000 958464 C:\WINDOWS\SYSTEM\MSJAVA.DLL 5.00.3810 Microsoft® VM
VMHELPER.DLL 7c520000 294912 C:\WINDOWS\SYSTEM\VMHELPER.DLL 5.00.3810 Microsoft® VM Helper Library
IMGUTIL.DLL 7b8c0000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL 5.50.4134.100 IE plugin image decoder support DLL
MSRATING.DLL 78810000 167936 C:\WINDOWS\SYSTEM\MSRATING.DLL 5.50.4134.100 Internet Ratings and Local User Management DLL
ACTXPRXY.DLL 7f0d0000 94208 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4134.100 ActiveX Interface Marshaling Library
RNAUI.DLL 7f7e0000 159744 C:\WINDOWS\SYSTEM\RNAUI.DLL 4.90.3000 Dial-Up Networking User Interface
ADVPACK.DLL 715d0000 159744 C:\WINDOWS\SYSTEM\ADVPACK.DLL 5.50.4134.100 ADVPACK
MSIEFTP.DLL 79800000 266240 C:\WINDOWS\SYSTEM\MSIEFTP.DLL 5.50.4134.100 Microsoft Internet Explorer FTP Folder Shell Extension
INETCPLC.DLL 7b710000 73728 C:\WINDOWS\SYSTEM\INETCPLC.DLL 5.50.4134.100 Internet Control Panel
INETCPL.CPL 73110000 274432 C:\WINDOWS\SYSTEM\INETCPL.CPL 5.50.4134.100 Internet Control Panel
LINKINFO.DLL 7faa0000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.90.3000 Windows Volume Tracking
MSSHRUI.DLL 7f840000 94208 C:\WINDOWS\SYSTEM\MSSHRUI.DLL 4.90.3000 Shell extensions for sharing
CSSEQCHK.DLL 5f90000 90112 C:\WINDOWS\SYSTEM\CSSEQCHK.DLL 10.0.1008 CSSeqChk
KEYLIMIT.DLL 8000000 20480 C:\WINDOWS\SYSTEM\KEYLIMIT.DLL 5.00.2133.2 International Cryptographic Key Size Limits
RSAENH.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSAENH.DLL 5.00.2133.2 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
SCHANNEL.DLL 77400000 131072 C:\WINDOWS\SYSTEM\SCHANNEL.DLL 5.00.2133.2 TLS / SSL Security Provider
SHFOLDER.DLL 75f40000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4134.100 Shell Folder Service
FLASH.OCX 55d0000 1732608 C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX 7,0,19,0 Macromedia Flash Player 7.0 r19
VBSCRIPT.DLL 6b600000 462848 C:\WINDOWS\SYSTEM\VBSCRIPT.DLL 5.6.0.7426 Microsoft (r) VBScript
MSHTMLED.DLL 79a40000 425984 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 5.50.4134.100 Microsoft (R) HTML Editing Component
RNR20.DLL 766b0000 57344 C:\WINDOWS\SYSTEM\RNR20.DLL 4.90.3000 Windows Socket2 NameSpace DLL
SENSAPI.DLL 761e0000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4134.100 SENS Connectivity API DLL
IPHLPAPI.DLL 7b610000 49152 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 4.90.3000.2 IP Helper API
DHCPCSVC.DLL 7cee0000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7bbd0000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
RSVPSP.DLL 76560000 40960 C:\WINDOWS\SYSTEM\RSVPSP.DLL 4.90.2464.1 Microsoft Windows Rsvp 1.0 Service Provider
RAPILIB.DLL 76830000 28672 C:\WINDOWS\SYSTEM\RAPILIB.DLL 4.90.2464.1 RSVP Libary 1.0 DLL
MSAFD.DLL 79fb0000 40960 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.90.3000 Microsoft Windows Sockets 2.0 Service Provider
IMON.DLL 20b00000 188416 C:\WINDOWS\SYSTEM\IMON.DLL
WSOCK32.DLL 736d0000 36864 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.90.3000 BSD Socket API for Windows
MSWSOCK.DLL 77d70000 81920 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.90.3000 Microsoft WinSock Extension APIs
WS2_32.DLL 73710000 69632 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.90.3000 Windows Socket 2.0 32-Bit DLL
RASAPI32.DLL 7f7a0000 249856 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.90.3000 Dial-Up Networking Dynamic Linked Library
SECUR32.DLL 7f780000 69632 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.90.3000 Microsoft Win32 Security Services (Export Version)
SVRAPI.DLL 7f870000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.90.3000 32-bit common Server API library
MSNET32.DLL 7fa30000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.90.3000 Microsoft 32-bit Network API Library
MSPWL32.DLL 7fa70000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.90.3000 Password list management library
NETAPI32.DLL 7f8b0000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.90.3000 32-bit network API DLL
NETBIOS.DLL 7f750000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
WS2HELP.DLL 73700000 20480 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.90.3000 Windows Socket 2.0 Helper for Windows 98
NOKIAPHONEBROWSER.DLL 3860000 274432 C:\PROGRAM FILES\NOKIA PC SUITE 5\NOKIAPHONEBROWSER.DLL 5, 0, 0, 41 Nokia Phone Browser
MYDOCS.DLL 77b80000 81920 C:\WINDOWS\SYSTEM\MYDOCS.DLL 5.50.4134.100 My Documents Folder UI
WIASHEXT.DLL 742f0000 454656 C:\WINDOWS\SYSTEM\WIASHEXT.DLL 4.90.3000.1 Imaging Devices Shell Folder UI
STI.DLL 75910000 114688 C:\WINDOWS\SYSTEM\STI.DLL 4.90.3000.1 Still Image Devices client DLL
IPROP.DLL 7b5f0000 114688 C:\WINDOWS\SYSTEM\IPROP.DLL 4.00 OLE PropertySet Implementation
SETUPAPI.DLL 76140000 581632 C:\WINDOWS\SYSTEM\SETUPAPI.DLL 5.00.2195.1526 Windows Setup API
WINTRUST.DLL 741d0000 176128 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.2133.2 Microsoft Trust Verification APIs
IMAGEHLP.DLL 7b960000 143360 C:\WINDOWS\SYSTEM\IMAGEHLP.DLL 5.00.2178.1 Windows NT Image Helper
CRYPT32.DLL 7da90000 479232 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.2133.3 Crypto API32
MSASN1.DLL 79f80000 65536 C:\WINDOWS\SYSTEM\MSASN1.DLL 4.4.3420 Microsoft ASN.1 Encoder/Decoder
CABINET.DLL 7e0c0000 77824 C:\WINDOWS\SYSTEM\CABINET.DLL 5.00.2147.1 Microsoft® Cabinet File API
WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.90.3000 Win32 WINSPOOL core component
MPR.DLL 7f160000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.90.3000 WIN32 Network Interface DLL
LZ32.DLL bfe40000 24576 C:\WINDOWS\SYSTEM\LZ32.DLL 4.90.3000 Win32 LZ32 core component
CFGMGR32.DLL 7f720000 40960 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.90.3000 Configuration Manager Win32 Interface
NTDLL.DLL bfe70000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.90.3000 Win32 NTDLL core component
WINMM.DLL bfdd0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.90.3000 System APIs for Multimedia
COMDLG32.DLL 7fe00000 208896 C:\WINDOWS\SYSTEM\COMDLG32.DLL 5.50.4134.100 Common Dialogs DLL
WIASTATD.DLL 742e0000 24576 C:\WINDOWS\SYSTEM\WIASTATD.DLL 4.90.3000.1 WIA Status Dialog
JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.6.0.8513 Microsoft (r) JScript
IMM32.DLL bfe00000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.90.3000 Win32 IMM32 core component
MSLS31.DLL 79050000 163840 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
MSHTML.DLL 7f3c0000 2682880 C:\WINDOWS\SYSTEM\MSHTML.DLL 5.50.4134.100 Microsoft (R) HTML Viewer
MLANG.DLL 7a860000 557056 C:\WINDOWS\SYSTEM\MLANG.DLL 5.50.4134.100 Multi Language Support DLL
SHDOCLC.DLL 76070000 401408 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 5.50.4134.100 Shell Doc Object and Control Library
CHANGES_HOMEPAGE.DLL 22c0000 61440 C:\WINDOWS\CHANGES_HOMEPAGE.DLL
CRT32_V2.DLL 17a0000 69632 C:\WINDOWS\SYSTEM\CRT32_V2.DLL
URLMON.DLL 75160000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4134.100 OLE32 Extensions for Win32
SDHELPER.DLL 10c0000 765952 C:\PROGRAM FILES\SPYBOT\SDHELPER.DLL 1, 3, 0, 12 Bad download blocker
OLEPRO32.DLL 77300000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4515
VERSION.DLL bfe50000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.90.3000 Win32 VERSION core component
ACROIEHELPER.OCX 10000000 32768 C:\PROGRAM FILES\ACROBAT READER\READER\ACTIVEX\ACROIEHELPER.OCX 1, 0, 0, 1 AcroIEHelper Module
OLEAUT32.DLL 7fe80000 610304 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4515
WININET.DLL 74210000 495616 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4134.100 Internet Extensions for Win32
TAPI32.DLL 7f880000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.90.3000 Microsoft® Windows(TM) Telephony API Client DLL
RPCRT4.DLL 7fab0000 344064 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.3335 Remote Procedure Call DLL
BROWSELC.DLL 7e0f0000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4134.100 Shell Browser UI Library
BROWSEUI.DLL 7f650000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4134.100 Shell Browser UI Library
OLE32.DLL 7ff20000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.3328 Microsoft OLE for Windows and Windows NT
SHDOCVW.DLL 75f50000 1159168 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4134.100 Shell Doc Object and Control Library
SHELL32.DLL 7fbd0000 2285568 C:\WINDOWS\SYSTEM\SHELL32.DLL 5.50.4134.100 Windows Shell Common Dll
COMCTL32.DLL bfe80000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft (R) C Runtime Library
IEXPLORE.EXE 400000 73728 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 5.50.4134.100 Internet Explorer
SHLWAPI.DLL 63180000 315392 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.100 Shell Light-weight Utility Library
USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
KERNEL32.DLL bff60000 536576 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel core component
mb26 is offline   Reply With Quote
Old 06-01-2004, 11:03 PM   #8
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
ok i think you have a new version of this variant

the files I'm looking for are not there, I'll be back

i should have an answer for you later
Lobos is offline   Reply With Quote
Old 06-01-2004, 11:20 PM   #9
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
'a new version of this variant' hmm thanks lobos nice and specific i'll await the solution eagerly
mb26 is offline   Reply With Quote
Old 06-02-2004, 12:46 AM   #10
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
Run HijackThis, put a check next to these, close all browsers and hit Fix

Make sure not to miss one


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank


O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=




-----------------------------------------------------------------------------------------------------------------------------------





Then download the file I attached and save it as spad.reg. Doubleclick it and confirm you want to merge it with the registry.

Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.


reboot into safe mode
How to boot into safe mode

delete

c:\spad <= entire folder
C:\WINDOWS\CHANGES_HOMEPAGE.DLL

these may not be there but look for them and delete them too

C:\windows\system\HPCMDTY.DLL
c_10230.dll
Lobos is offline   Reply With Quote
Old 06-02-2004, 03:24 PM   #11
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
ok did all that.. made no difference (except messed up all my icons placement on the desktop i'd just sorted out).. i mean it got rid of the start page but i had dealt with that already.

if i type 'http://' before the rest of an address then i can get it to come up without bringing up this myexexex.com page up.. but it's still not fixed.

not sure where c_10230.dll was meant to be but it wasn't in C:\ or windows or windows\system. there was no HPCMDTY.DLL either FYI.

there must be something stopping changes to the registry referring to the myexexex.com things..? cuz (as i said) when i scan with HT and press 'fix', they're still there when i scan right again after.. and i tried deleting them from the reg also and they came back..
mb26 is offline   Reply With Quote
Old 06-04-2004, 03:04 PM   #12
Member (8 bit)
 
Join Date: Oct 2002
Location: Las Vegas, NV
Posts: 139
In IE... go to tools, internet options, advanced and uncheck the entry that says, "Enable 3rd party browser extensions." If it won't let you do it in IE, then do it in the control panel and if it won't open your control panel, do it in safe mode. And you might want to try removing some of those things in safe mode, too, because if they're loaded when you're trying to remove them they're just going to put themselves back every time. They still may in safe mode, but you have a higher chance of it working if you do it in safe mode. Or boot up to a DOS prompt and delete 'em.
kittyfire is offline   Reply With Quote
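The rescan-after-Fix check that posts #1 and #11 describe doing by eye, as an added example that is not part of any post in this thread: it parses the R0/R1 and O13 lines of two HijackThis v1.97-style scans and reports which suspicious entries came back unchanged. The two sample scans are constructed from the log format shown in post #1, and the `TRUSTED_HOSTS` allowlist and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: hosts the user chose as search/home pages.
TRUSTED_HOSTS = {"www.google.co.uk"}

# Constructed samples in the HijackThis v1.97 line format from post #1:
# one scan taken before pressing Fix, one taken on the rescan afterwards.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
"""
SCAN_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
"""

# "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R\d) - ([^,]+),(.+?) = (.*)$")
# "O13 - <prefix name>: <data>"
O13_LINE = re.compile(r"^O13 - (.+?): (.*)$")


def parse_entries(log_text):
    """Map (location, name) -> data for the R* and O13 lines of a scan.

    Other sections (O2, O4, O16, ...) are ignored: only the IE start/search
    pages and URL prefixes are compared here.
    """
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _section, key, name, value = m.groups()
            entries[(key, name.strip())] = value.strip()
            continue
        m = O13_LINE.match(line)
        if m:
            entries[("O13", m.group(1).strip())] = m.group(2).strip()
    return entries


def classify(value, trusted=TRUSTED_HOSTS):
    """Return a reason string if the data looks hijacked, else None."""
    parts = urlsplit(value)
    if parts.scheme == "file":
        return "local-file"  # start page served from a local folder
    if parts.scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if host not in trusted:
            return "untrusted-host:" + host
    return None


def flagged(entries, trusted=TRUSTED_HOSTS):
    """Subset of entries whose data classify() considers suspicious."""
    out = {}
    for ident, value in entries.items():
        reason = classify(value, trusted)
        if reason:
            out[ident] = (value, reason)
    return out


def persisted(before, after, trusted=TRUSTED_HOSTS):
    """Suspicious entries still present with the same data after Fix."""
    bad = flagged(before, trusted)
    return sorted(i for i, (v, _r) in bad.items() if after.get(i) == v)


def cleared(before, after, trusted=TRUSTED_HOSTS):
    """Suspicious entries that are gone or changed on the rescan."""
    bad = flagged(before, trusted)
    return sorted(i for i, (v, _r) in bad.items() if after.get(i) != v)


if __name__ == "__main__":
    b, a = parse_entries(SCAN_BEFORE), parse_entries(SCAN_AFTER)
    for ident in persisted(b, a):
        print("came back:", ident, "->", b[ident])
    for ident in cleared(b, a):
        print("cleared:  ", ident)
```

An entry reported as "came back" was rewritten between the Fix and the rescan, which is the behaviour post #12 attributes to a component that is still loaded.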
Old 06-04-2004, 09:09 PM   #13
Member (1 bit)
 
Join Date: Jun 2004
Posts: 1
I have developed the same problem with "myexexex". Is there a solution?
john spruiell is offline   Reply With Quote
Old 06-04-2004, 09:16 PM   #14
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
ME, like XP, has System Restore, turn it off till you get everything cleared.
pam123 is offline   Reply With Quote
Old 06-05-2004, 11:23 AM   #15
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
john spruiell; so far i haven't found a solution.. but a bit of a work around until i know how to fix it properly.. you can delete the folder C:\spad and change the home page back to whatever you want..
also make sure to type http:// in front of everything in IE then you won't get to the search page..


kittyfire; i did delete them in safe mode, as lobos instructed.
i can open up the internet options> advanced thing in IE.. there is no 'Enable 3rd party browser extensions' however.. but there is a box with no description by it as the first box under; multimedia (checked), security (unchecked) and browsing (checked).
is this the same for you john spruiell?

pam123, one of my hard drives has less than 200mb free so it's off anyway
mb26 is offline   Reply With Quote
Old 06-05-2004, 05:52 PM   #16
Member (8 bit)
 
Join Date: Oct 2002
Location: Las Vegas, NV
Posts: 139
mb26, I just saw you're running the 5.5 so that's why that option isn't there. If you can get your hands on a CD from an internet provider and upgrade the IE to 6 then that option should be in there for you. Once you get control back of the browser, you should be able to get the rest in line.
kittyfire is offline   Reply With Quote
Old 06-05-2004, 06:47 PM   #17
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
no i'm running 6.0 but it *says* v5.5 on hijack this. ('my IE says i have IE 6.0 as well, rather than 5.5 as hijack this reports..')
mb26 is offline   Reply With Quote
Old 06-06-2004, 04:12 PM   #18
Member (8 bit)
 
Join Date: Oct 2002
Location: Las Vegas, NV
Posts: 139
Should be under browsing in version 6. It's a relatively new option. Anyone with XP should have it but anyone who has kept IE updated and patched should have it, too. When you go to Help and About, what all does the version say? Like mine says 6.0.2800.1106.xpsp2.030422-1633
kittyfire is offline   Reply With Quote
Old 06-07-2004, 06:51 AM   #19
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
6.0.2600.0000IS

the fact that it has check boxes with no writing by them makes me suspect that one of these may be the box i want? and the thing is altering it so i can't see the option.
mb26 is offline   Reply With Quote
Old 06-08-2004, 08:17 AM   #20
Member (11 bit)
 
Join Date: Jan 2004
Location: UK
Posts: 1,124
Fixed :)

at last!.. good ol' adaware...
i updated it again and ran it last night (i do update it every time i use it but this must have come in an update since i used it last)... and anyway it found it and fixed it.. hijack this was missing one registry value.. referring to http://static.flingstone.com/cab/98me/cdtincbridge.cab .. hidden somewhere obscure in the reg.. anyway i still have boxes in the advanced part of the internet options w/ nothing beside them.. i'll attach a screenshot to show u what i mean..
had to change a few registry entries which hopefully they'll stay to what i've set em now... i expect running hijack this would have done the same if i ran it after fixing w/ adaware..
anyway is there anything else i can do to stop this happening again? i run a firewall and AV and updated spybot & adaware.
Attached Images
File Type: jpg advanced.jpg (43.5 KB, 58 views)
mb26 is offline   Reply With Quote
Old 06-08-2004, 08:25 AM   #21
Served with Pride
Staff
Premium Member
 
 
Join Date: Apr 2003
Location: near the left coast of Michigan
Posts: 14,565
I think morriswindgate posted this as a solution for a similar problem I was having with a customer's laptop and a hijacker named "about:blank". It seems to have worked and is designed to prevent reinfection from hijackers.

http://www.pjwalczak.com/spguard/index.php
Panama Red is offline   Reply With Quote
Old 06-08-2004, 09:08 AM   #22
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
Also try spyware guard and spyware blaster
spyware blaster will block spyware from coming in when you surf the net (compatible with IE, mozilla and firefox) and spyware guard is a resident scanner.




Read here How did I get infected in the first place
Lobos is offline   Reply With Quote