Persistent default start page + BHO

5 replies to this topic

#1 SimonGjede
New Member, 4 posts

Posted 08 July 2004 - 08:54 AM

Oy!

When using IE, I get a hard drive address as the default start page ("warning, we know what you are doing blah, blah blah") and cannot change it. When I type in an address, I'm taken to a porn page and my toolbars, both above and below, disappear! I ran Spybot and an antivirus check and followed Mike Healan's suggestions for working with the HT log myself.
Since none of that worked, I could really use a helping hand!

Here is my HT-log:

Logfile of HijackThis v1.97.7
Scan saved at 15:45:15, on 08-07-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programmer\Logitech\iTouch\iTouch.exe
G:\PROGRA~1\MICROS~4\Mouse\point32.exe
G:\Programmer\QuickTime\qttask.exe
G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe
G:\Programmer\iTunes\iTunesHelper.exe
G:\Programmer\Spybot\TeaTimer.exe
G:\Programmer\Motorola\A920 Desktop Suite\ConnMngmntBox.exe
G:\Programmer\Motorola\A920 Desktop Suite\ECTaskScheduler.exe
G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe
G:\Programmer\Nikon\NkView6\NkvMon.exe
G:\Programmer\BHODemon\BHODemon.exe
G:\WINDOWS\System32\rundll32.exe
G:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
G:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
G:\Programmer\AceGain\LiveUpdate\aceagent.exe
G:\WINDOWS\System32\devldr32.exe
G:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
G:\WINDOWS\system32\gearsec.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE
G:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe
G:\Programmer\iPod\bin\iPodService.exe
G:\Programmer\MSN\MSNCoreFiles\MSN6.EXE
G:\Programmer\MSN Messenger\msnmsgr.exe
G:\Programmer\Hijackthis\HijackThis.exe
G:\WINDOWS\explorer.exe
G:\PROGRA~1\DAP\DAP.EXE
G:\Programmer\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.opasia.dk/msie_google.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - G:\Programmer\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programmer\Spybot\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] G:\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] G:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] "G:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MessengerPlus2] "G:\Programmer\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] G:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [System Service] G:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpyKiller] G:\Programmer\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Programmer\Spybot\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = G:\Programmer\BHODemon\BHODemon.exe
O4 - Global Startup: A920 Connection Manager.lnk = ?
O4 - Global Startup: A920 Task Scheduler.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = G:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: EZ Firewall.lnk = G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: NkvMon.exe.lnk = G:\Programmer\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.opasia.dk/start
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab

Thank you for taking the time!

Simon

#2 Schadenfroh
Full Member, 14 posts

Posted 08 July 2004 - 10:01 AM

SimonGjede, check out my sig and follow my guide for removing spyware; CWShredder or Ad-aware might fix your problems. The freeware Download Accelerator Plus is classified as spyware (or at least it used to be).

Also, remove these suspicious ones:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.opasia.dk/msie_google.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - G:\Programmer\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.opasia.dk/start
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -

Suspicious, but not sure of this one (that random file name scares me):
O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe

Edited by Schadenfroh, 08 July 2004 - 10:04 AM.


#3 dave38
Devout Murphyite! (Emeritus, 8,508 posts)

Posted 08 July 2004 - 02:58 PM

In addition to those posted above, also fix these entries.

O4 - HKLM\..\Run: [System Service] G:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe

Reboot, and delete the files

G:\WINDOWS\System32\msrexe.exe
G:\WINDOWS\System32\bpymur.exe

Download Accelerator Plus is OK in itself, but it is a carrier! Best to remove it really.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 SimonGjede
New Member, 4 posts

Posted 09 July 2004 - 11:35 AM

Thank you for your swift replies.

I use the Housecall Online Virus Scan - would that be enough before I proceed with the other steps?

I cannot find CWSmartkiller - the Spybot S&D homepage doesn't feature it anymore - any suggestions as to where I can find it?

Spysweeper wouldn't run in safe mode - can I do it afterwards?

I tried your suggestions with the online scan and without CWSmartkiller and Spysweeper, and everything worked out fine the first time I started my computer, but since then Spybot S&D's TeaTimer tells me that the computer wants to change the start page settings back to 'secure.html' and run msrexe.exe and bpymur.exe at startup (I, of course, tell TeaTimer to block this change...)

#5 SimonGjede
New Member, 4 posts

Posted 09 July 2004 - 12:01 PM

I should also give you the new HT log:

Logfile of HijackThis v1.97.7
Scan saved at 19:01:22, on 09-07-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
G:\WINDOWS\system32\gearsec.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\Explorer.EXE
G:\Programmer\Logitech\iTouch\iTouch.exe
G:\PROGRA~1\MICROS~4\Mouse\point32.exe
G:\Programmer\QuickTime\qttask.exe
G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe
G:\Programmer\iTunes\iTunesHelper.exe
G:\Programmer\Spybot\TeaTimer.exe
G:\Programmer\Motorola\A920 Desktop Suite\ConnMngmntBox.exe
G:\Programmer\Motorola\A920 Desktop Suite\ECTaskScheduler.exe
G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe
G:\Programmer\Nikon\NkView6\NkvMon.exe
G:\Programmer\BHODemon\BHODemon.exe
G:\WINDOWS\System32\rundll32.exe
G:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe
G:\Programmer\AceGain\LiveUpdate\aceagent.exe
G:\Programmer\iPod\bin\iPodService.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
G:\WINDOWS\System32\devldr32.exe
G:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
G:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE
G:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe
G:\Programmer\MSN\MSNCoreFiles\MSN6.EXE
G:\Programmer\MSN Messenger\msnmsgr.exe
G:\Programmer\Hijackthis\HijackThis.exe
G:\Programmer\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programmer\Spybot\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] G:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] G:\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] G:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] "G:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MessengerPlus2] "G:\Programmer\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] G:\Programmer\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpyKiller] G:\Programmer\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Programmer\Spybot\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = G:\Programmer\BHODemon\BHODemon.exe
O4 - Global Startup: A920 Connection Manager.lnk = ?
O4 - Global Startup: A920 Task Scheduler.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = G:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: EZ Firewall.lnk = G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: NkvMon.exe.lnk = G:\Programmer\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandon...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab

#6 SimonGjede
New Member, 4 posts

Posted 09 July 2004 - 12:10 PM

In the process list in the HT log, is there any difference between system32 and System32? I'm quite sure any svchost that doesn't have the correct full path would be a virus?
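Editor's note, added to this thread and not posted by any of the participants: the rules the helpers applied above (a start page pointing at a local file, BHO/toolbar CLSIDs with "(no file)", unknown executables in System32 launched from a Run key, sites in the Trusted Zone, DPF entries with no download URL) can be written down as a small triage pass over a HijackThis log. On the question in the last post: Windows file lookups are case-insensitive, so system32 and System32 are the same directory and HijackThis simply echoes whatever case the process reported; what matters is which directory the image lives in, so the script casefolds paths before comparing. The SYSTEM_IMAGES set, the KNOWN_RUN_IMAGES allowlist and the sample log are assumptions made for the example (the sample is a cut-down copy of the log above plus one invented G:\WINDOWS\svchost.exe process line to exercise the path check). This is example code, not part of HijackThis.

```python
"""Triage a HijackThis 1.x log for the entry classes discussed in this thread.

Added example (not HijackThis code). The heuristics, the allowlist and the
sample log below are the editor's assumptions; a hit means "look closer",
not "malware".
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section line reason")

# Core Windows images that should only ever run from %SystemRoot%\System32.
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Images this example accepts being started from the Windows directory by a
# Run key (assumption: build this from a known-clean baseline of your own).
KNOWN_RUN_IMAGES = {"rundll32.exe", "dumprep", "nerocheck.exe"}

# Constructed sample in HijackThis 1.97 format; the G:\WINDOWS\svchost.exe
# process line is invented to exercise the path check.
SAMPLE_LOG = r"""Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\svchost.exe
G:\Programmer\Spybot\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.opasia.dk/msie_google.php
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programmer\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [System Service] G:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe
O4 - HKLM\..\Run: [iTunesHelper] G:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].casefold()


def parent_dir(path):
    return path.strip('"').rsplit("\\", 1)[0].casefold()


def in_windows_dir(path):
    """True if the file sits directly in the Windows directory or in System32.
    NTFS lookups are case-insensitive, so system32 and System32 name the same
    directory; casefold before comparing instead of trusting the log's case."""
    return re.fullmatch(r"(?:[a-z]:\\windows|%systemroot%)(?:\\system32)?",
                        parent_dir(path)) is not None


def run_image(body):
    """Executable of an O4 Run entry: text after ']', unquoted, first token."""
    cmd = body.partition("] ")[2].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:              # blank line ends the process list
                in_procs = False
                continue
            if basename(line) in SYSTEM_IMAGES and \
                    not parent_dir(line).endswith("\\windows\\system32"):
                findings.append(Finding("proc", line,
                                        "core system image outside System32"))
            continue
        m = re.match(r"(R\d|O\d+) - (.*)", line)
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and re.search(r"= *(?:[a-zA-Z]:\\|file:)", body):
            findings.append(Finding(sec, line, "IE page setting points at a local file"))
        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(sec, line, "orphaned CLSID: registered, file missing"))
        elif sec == "O4":
            img = run_image(body)
            if img and in_windows_dir(img) and basename(img) not in KNOWN_RUN_IMAGES:
                findings.append(Finding(sec, line, "unrecognised executable in Windows dir run at logon"))
        elif sec == "O15":
            findings.append(Finding(sec, line, "site in Trusted Zone runs with relaxed IE security"))
        elif sec == "O16" and body.rstrip().endswith("-"):
            findings.append(Finding(sec, line, "ActiveX (DPF) entry with no download URL left behind"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:5} {f.reason}\n      {f.line}")
```

Run against the sample it reports the invented svchost line, the secure.html start page, the orphaned BHO, msrexe.exe and bpymur.exe, the Trusted Zone entry and the empty DPF line, and stays quiet on SDHelper.dll, iTunesHelper, NeroCheck (allowlisted) and the Flash control. The allowlist is the weak point of any such check: it only says which Windows-directory images you have already vetted, so the "proc" and "O4" hits tell you where to look, not what the file is.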
