Jump to content


  • Please log in to reply
8 replies to this topic

#1 Guest_Amateur_*

  • Guests

Posted 12 July 2004 - 06:12 PM

Everytime I start up Internet Explorer, I see this page:
Posted Image

And when I click on one of the links at the bottom of the page, I am taken to this website:
Posted Image

Norton Systemworks 2004 detected a virus but it would not give me the option to clean it or delete it and the window would not go away after I pressed OK. I had to uninstall Norton in order to continue using the computer.

I then went to TrendMicro.com and used their free online virus scan and it detected a trojan and removed it but it did not get rid of the blue webpage.

The spyware or whatever it is, will not let me visit website like yahoo or google or any search engine website for that matter. I can visit any website so long as I know the address.

If anyone could help it would be greatly appreciated. I can perform a clean install of WindowsXP but I would rather not. Thanks.

Here is my HijackThis log:

ogfile of HijackThis v1.98.0
Scan saved at 6:31:50 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim Renberg\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/WINDOWS/secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O21 - SSODL: System - {58F27183-FE6E-41DD-9E0F-B04D118A5449} - C:\WINDOWS\system32\system32.dll (file missing)

#2 Guest_Amateur_*

  • Guests

Posted 12 July 2004 - 07:00 PM


#3 terryb



  • Full Member
  • Pip
  • 51 posts

Posted 12 July 2004 - 07:33 PM

It's a startup page downloader trojan.
First, go in and see if you can manually change your homepage!
Do you have Hijack This, Spybot Search & Destroy, and Adaware 6.0?
If not, I can give you the addresses to go there.
I'll also give you info. on other free virus scan options.
if need be.

#4 Guest_Amateur_*

  • Guests

Posted 12 July 2004 - 07:36 PM

Well, I obviously have HijackThis :-) but I will download Spybot Search and Destroy. I tried Adaware and that didn't pick anything up. I will get back to you if Spybot detects anything.

#5 terryb



  • Full Member
  • Pip
  • 51 posts

Posted 12 July 2004 - 07:45 PM

oops, sorry, I meant CWShredder.
The reason I recommend Spybot SD is because of the tools
in advanced mode that can protect your homepage and block
bad servers.
Also, have you tried the panda scan?

#6 Guest_Amateur_*

  • Guests

Posted 12 July 2004 - 09:19 PM

OK, CWShredder fixed the problem. I can now use yahoo.com and other search engines. Thanks alot.

One more question. How do I replace the missing file in the HijackThis log: O21 - SSODL: System - {58F27183-FE6E-41DD-9E0F-B04D118A5449} - C:\WINDOWS\system32\system32.dll (file missing)

#7 terryb



  • Full Member
  • Pip
  • 51 posts

Posted 12 July 2004 - 09:37 PM

Are you familiar with the sfc tool (System file check)?
It scans your pc for any important windows files that
have been damaged or replaced, then it replaces them
with valid copies.
This is especially helpful if your computer has been
infected with viruses/trojans/etc. that have attacked your
To run it, Click on Start-Run , type: sfc /scannow and Press the "Enter" key. Have the Windows XP CD handy, because if your files have been
damaged, it will ask for the CD so a clean copy can be obtained. If you are asked what you want to do after you insert the disk, just click on
"exit". Let the SFC do the rest. After about 10 min., when it is done, remove the disk. That should do it.
And, may I suggest that you go into Spybot S&D to tools/Browser pages
and make sure your search pages are set appropriately. You may look into the Host File tool also, since it blocks servers that are notorious for "bad behaviour"--like CoolWebSearch.

#8 Guest_Amateur_*

  • Guests

Posted 12 July 2004 - 09:48 PM

Thanks terryb. Greatly appreciated. Take care.

#9 terryb



  • Full Member
  • Pip
  • 51 posts

Posted 12 July 2004 - 11:03 PM

You're welcome! Hope it helped.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!