Wicka

Unwanted browser

4 posts in this topic

I have read the FAQ section before posting this topic.

Each time I start my computer it resets my IE browser to an unwanted site: - http://morefinders.com.

I have downloaded, updated and run CWShredder, Spybot S&D, AdAware & HiJackThis. These programs fix the problem until the next reboot. I have attached the HiJackThis log for perusal. Thanks. Wicka

 

HiJackThis before fixing.

Logfile of HijackThis v1.97.7

Scan saved at 4:39:20 PM, on 29/06/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS.000\SYSTEM\KERNEL32.DLL

C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE

C:\WINDOWS.000\SYSTEM\MPREXE.EXE

C:\WINDOWS.000\SYSTEM\mmtask.tsk

C:\WINDOWS.000\SYSTEM\MSTASK.EXE

C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS.000\EXPLORER.EXE

C:\WINDOWS.000\TASKMON.EXE

C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE

C:\WINDOWS.000\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE

C:\WINDOWS.000\SYSTEM\VETMSG9X.EXE

C:\VET\VETTRAY.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXCTL32.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS.000\SYSTEM\WMIEXE.EXE

C:\WINDOWS.000\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXMOD32.EXE

C:\WINDOWS.000\START MENU\PROGRAMS\PC PROTECTION\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ninemsn.com.au

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.ninemsn.com.au

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.ninemsn.com.au

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ninemsn.com.au/

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS.000\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS.000\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS.000\System\VetMsg9x.exe

O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7993.6077314815

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

HiJackThis after fixing

Logfile of HijackThis v1.97.7

Scan saved at 10:56:59 AM, on 29/06/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS.000\SYSTEM\KERNEL32.DLL

C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE

C:\WINDOWS.000\SYSTEM\MPREXE.EXE

C:\WINDOWS.000\SYSTEM\mmtask.tsk

C:\WINDOWS.000\SYSTEM\MSTASK.EXE

C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS.000\EXPLORER.EXE

C:\WINDOWS.000\TASKMON.EXE

C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE

C:\WINDOWS.000\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE

C:\WINDOWS.000\SYSTEM\VETMSG9X.EXE

C:\VET\VETTRAY.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXCTL32.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS.000\SYSTEM\WMIEXE.EXE

C:\WINDOWS.000\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXMOD32.EXE

C:\WINDOWS.000\START MENU\PROGRAMS\PC PROTECTION\HIJACKTHIS.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ninemsn.com.au

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.ninemsn.com.au

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.ninemsn.com.au

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ninemsn.com.au/

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS.000\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS.000\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS.000\System\VetMsg9x.exe

O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7993.6077314815

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

CWShredder before and after scan & fix.

 

CWShredder v1.59.1 scan only report

Please understand that a CWShredder 'Scan only' report

might not be sufficient to troubleshoot an infected system.

You can use HijackThis for that:

http://www.merijn.org/files/hijackthis.zip

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

Windows 98 (4.10.2222 A)

Windows dir: C:\WINDOWS.000

Windows system dir: C:\WINDOWS.000\SYSTEM

AppData folder: C:\WINDOWS.000\Application Data

Username: Warrick

 

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer,Search

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer,SearchURL

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer,Search

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer,SearchURL

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank

Infected data: http://morefinders.com

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer\Main,Search Page

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank

Infected data: http://morefinders.com

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

Infected data: http://morefinders.com/search.html

Infected Registry value:

HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Infected data: http://morefinders.com/search.html

Found Hosts file: C:\WINDOWS.000\hosts (27348 bytes, R)

Found Win.ini file: C:\WINDOWS.000\win.ini (7992 bytes, A)

Found line in Win.ini: load=

Found line in Win.ini: run=hpfsched

Found System.ini file: C:\WINDOWS.000\system.ini (2125 bytes, A)

Found line in System.ini: shell=Explorer.exe

 

- END OF REPORT -

 

Message after scan & fix.

Done!

Removed from your system:

- 16 infected IE registry values

hijackthiscopy.txt

Edited by Wicka


Could you insert the log via copy-and-paste instead of including the log as an attachment? It makes things easier for the experts here. Thanks.

 

-- LB


Wicka, I had a look through your HiJackThis log file and I cannot see anything that would cause your browser to redirect to a different website. All seems fine.

Wicka, was this log file created after or before you used CWShredder, Spybot S&D and AdAware? If you want more help, post a log file after you reboot and after you have cleaned it so I can take a closer look.

P.S. After you use CWShredder, Spybot S&D, AdAware, etc., go to the Windows Update site and install all the patches for Internet Explorer, because it is no use just cleaning your computer and not fixing the exploits used to infect your computer in the first place.

 

Jack
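
One way to triage the symptom described in this thread (settings cleaned, then back after the next reboot) is to diff the before and after logs and list what still starts at boot. The following is an added example, not part of any post and not HijackThis code; `parse_log` and `triage` are hypothetical helper names, and the input is a shortened excerpt of the logs posted above.

```python
import re

# HijackThis prefixes each finding with a section code: R0/R1 (IE start and
# search pages), F1 (win.ini autoruns), O2 (BHOs), O4 (Run keys / Startup).
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_log(text):
    """Return the set of (code, body) findings in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def triage(before, after):
    """Compare a pre-fix and a post-fix log.

    removed:  findings the cleanup deleted
    autoruns: F*/O4 findings present in both logs, i.e. everything that
              still starts at boot and is worth reviewing entry by entry
    """
    b, a = parse_log(before), parse_log(after)
    removed = sorted(b - a)
    autoruns = sorted(e for e in b & a if e[0] == "O4" or e[0].startswith("F"))
    return removed, autoruns

# Shortened excerpt of the two logs posted above (not the full logs).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe
"""
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe
"""

if __name__ == "__main__":
    removed, autoruns = triage(BEFORE, AFTER)
    for label, rows in (("Removed by the fix:", removed),
                        ("Autostart entries the fix left in place:", autoruns)):
        print(label)
        for code, body in rows:
            print(f"  {code} - {body}")
```

Run against the full logs, the second list is the set of startup entries to check one by one, since the removed values only come back after a reboot.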


If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.