SimonGjede

Persistent default start page + BHO

6 posts in this topic

Oy!

 

When using IE, I get a hard drive address as the default start page "warning, we know what you are doing blah, blah blah" - cannot change that. When typing in an address, I'm taken to this porn page and my toolbars - both above and below - disappear! I ran Spybot and an antivirus check, and followed Mike Healan's suggestions to work with the HT log by myself.

Since none of that worked, I could really use a helping hand!

 

Here is my HT-log:

 

Logfile of HijackThis v1.97.7

Scan saved at 15:45:15, on 08-07-2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\Programmer\Logitech\iTouch\iTouch.exe

G:\PROGRA~1\MICROS~4\Mouse\point32.exe

G:\Programmer\QuickTime\qttask.exe

G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe

G:\Programmer\iTunes\iTunesHelper.exe

G:\Programmer\Spybot\TeaTimer.exe

G:\Programmer\Motorola\A920 Desktop Suite\ConnMngmntBox.exe

G:\Programmer\Motorola\A920 Desktop Suite\ECTaskScheduler.exe

G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe

G:\Programmer\Nikon\NkView6\NkvMon.exe

G:\Programmer\BHODemon\BHODemon.exe

G:\WINDOWS\System32\rundll32.exe

G:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

G:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe

G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

G:\Programmer\AceGain\LiveUpdate\aceagent.exe

G:\WINDOWS\System32\devldr32.exe

G:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe

G:\WINDOWS\system32\gearsec.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\ZoneLabs\vsmon.exe

G:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE

G:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe

G:\Programmer\iPod\bin\iPodService.exe

G:\Programmer\MSN\MSNCoreFiles\MSN6.EXE

G:\Programmer\MSN Messenger\msnmsgr.exe

G:\Programmer\Hijackthis\HijackThis.exe

G:\WINDOWS\explorer.exe

G:\PROGRA~1\DAP\DAP.EXE

G:\Programmer\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.opasia.dk/msie_google.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - G:\Programmer\DAP\DAPIEBar.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programmer\Spybot\SDHelper.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\system32\msdxm.ocx

O4 - HKLM\..\Run: [zBrowser Launcher] G:\Programmer\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [Disc Detector] G:\Creative\ShareDLL\ctnotify.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AudioHQ] G:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [TkBellExe] "G:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [MessengerPlus2] "G:\Programmer\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmer\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AceGain LiveUpdate] G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iTunesHelper] G:\Programmer\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [system Service] G:\WINDOWS\System32\msrexe.exe

O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [spyKiller] G:\Programmer\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] G:\Programmer\Spybot\TeaTimer.exe

O4 - Startup: BHODemon 2.0.lnk = G:\Programmer\BHODemon\BHODemon.exe

O4 - Global Startup: A920 Connection Manager.lnk = ?

O4 - Global Startup: A920 Task Scheduler.lnk = ?

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = G:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: EZ Firewall.lnk = G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe

O4 - Global Startup: NkvMon.exe.lnk = G:\Programmer\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.opasia.dk/start

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: {10000000-1000-0000-1000-000000000000} -

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

Thank you for taking the time!

 

Simon


SimonGjede, check out my sig and follow my guide for removing spyware; CWShredder or Ad-Aware might fix your problems. The freeware Download Accelerator Plus is classified as spyware (or at least it used to be).

 

Also, remove these suspicious ones:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.opasia.dk/msie_google.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = G:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - G:\Programmer\DAP\DAPIEBar.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm

O14 - IERESET.INF: START_PAGE_URL=http://www.opasia.dk/start

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: {10000000-1000-0000-1000-000000000000} -

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -

 

Suspicious, but not sure of this one (that random file name scares me):

O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe

Edited by Schadenfroh


In addition to those posted above, also fix these entries.

O4 - HKLM\..\Run: [system Service] G:\WINDOWS\System32\msrexe.exe

O4 - HKLM\..\Run: [vjayceodrh] G:\WINDOWS\System32\bpymur.exe

Reboot, and delete the files

 

G:\WINDOWS\System32\msrexe.exe

G:\WINDOWS\System32\bpymur.exe

 

Download Accelerator Plus is OK in itself, but it is a carrier! Best to remove it really.


Thank you for your swift replies.

 

I use the Housecall Online Virus Scan - would that be enough before I proceed with the other steps?

 

I cannot find CWSmartkiller - Spybot S&D homepage doesn't feature it anymore - any suggestions as to where I can find them?

 

Spysweeper wouldn't run in safe mode - can I do it afterwards?

 

I tried your suggestions with the online scan and without CWSmartkiller and Spysweeper and everything worked out fine the first time I started my computer, but since then Spybot S&D's Teatimer tells me that the computer wants to change start page settings back to the 'secure.html' and run msrexe.exe and bpymur.exe at startup (I, of course, tell Teatimer to block this change...)


I should also give you the new HT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 19:01:22, on 09-07-2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe

G:\WINDOWS\system32\gearsec.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\ZoneLabs\vsmon.exe

G:\WINDOWS\Explorer.EXE

G:\Programmer\Logitech\iTouch\iTouch.exe

G:\PROGRA~1\MICROS~4\Mouse\point32.exe

G:\Programmer\QuickTime\qttask.exe

G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe

G:\Programmer\iTunes\iTunesHelper.exe

G:\Programmer\Spybot\TeaTimer.exe

G:\Programmer\Motorola\A920 Desktop Suite\ConnMngmntBox.exe

G:\Programmer\Motorola\A920 Desktop Suite\ECTaskScheduler.exe

G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe

G:\Programmer\Nikon\NkView6\NkvMon.exe

G:\Programmer\BHODemon\BHODemon.exe

G:\WINDOWS\System32\rundll32.exe

G:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe

G:\Programmer\AceGain\LiveUpdate\aceagent.exe

G:\Programmer\iPod\bin\iPodService.exe

G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

G:\WINDOWS\System32\devldr32.exe

G:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

G:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE

G:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe

G:\Programmer\MSN\MSNCoreFiles\MSN6.EXE

G:\Programmer\MSN Messenger\msnmsgr.exe

G:\Programmer\Hijackthis\HijackThis.exe

G:\Programmer\Internet Explorer\IEXPLORE.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Programmer\Spybot\SDHelper.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\system32\msdxm.ocx

O4 - HKLM\..\Run: [zBrowser Launcher] G:\Programmer\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [Disc Detector] G:\Creative\ShareDLL\ctnotify.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AudioHQ] G:\Programmer\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [TkBellExe] "G:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [MessengerPlus2] "G:\Programmer\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmer\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AceGain LiveUpdate] G:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iTunesHelper] G:\Programmer\iTunes\iTunesHelper.exe

O4 - HKCU\..\Run: [spyKiller] G:\Programmer\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] G:\Programmer\Spybot\TeaTimer.exe

O4 - Startup: BHODemon 2.0.lnk = G:\Programmer\BHODemon\BHODemon.exe

O4 - Global Startup: A920 Connection Manager.lnk = ?

O4 - Global Startup: A920 Task Scheduler.lnk = ?

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = G:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: EZ Firewall.lnk = G:\Programmer\EZ Armor\eTrust EZ Firewall\ca.exe

O4 - Global Startup: NkvMon.exe.lnk = G:\Programmer\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {10000000-1000-0000-1000-000000000000} -

O16 - DPF: {11111111-1111-1111-1111-111111111157} -

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab


In the process list in the HT log, is there any difference between system32 and System32? I'm quite sure any svchost that doesn't have the correct full path would be a virus?

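An added example, not part of the original thread: a short Python triage script for the two checks that come up above, namely comparing process paths the way Windows does (case-insensitively, so `system32` and `System32` name the same directory) and listing which entries from the first HijackThis log are still present in the second. The function names and the `SYSTEM_NAMES` list are assumptions made for this example; the sample lines are excerpts from the two logs in the thread, plus one constructed `G:\WINDOWS\svchost.exe` line to show a mismatch.

```python
import re
from pathlib import PureWindowsPath

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumed list of names that normally run only from <SystemRoot>\System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}

def parse(log):
    """Return (process paths, {entry key: full line}) for one HijackThis log."""
    procs, entries, in_procs = [], {}, False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            clsid = CLSID.search(m.group(2))
            # Key on section + CLSID so a BHO reduced to "(no file)" still matches.
            key = (m.group(1), clsid.group(0).upper() if clsid else m.group(2))
            entries[key] = line
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def misplaced_system_processes(procs, system_root):
    """System process names running outside System32 (case-insensitive compare)."""
    expected = PureWindowsPath(system_root, "System32")
    return [p for p in procs
            if PureWindowsPath(p).name.lower() in SYSTEM_NAMES
            and PureWindowsPath(p).parent != expected]

def still_present(before, after):
    """Lines of the second log whose key was already in the first log."""
    return sorted(after[k] for k in before if k in after)

# Excerpts from the two logs in this thread; the G:\WINDOWS\svchost.exe line is constructed.
LOG1 = r"""Running processes:
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = G:\WINDOWS\secure.html
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - G:\Programmer\DAP\DAPIEBar.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
"""
LOG2 = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
"""
```

Keying on the CLSID is what surfaces the `{0096CC0A-…}` BHO: its DLL is gone in the second log, but the registry key remains as `(no file)`.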