Maff

IE Start page infected

14 posts in this topic

I have recently just rid myself of a variant of about:blank but now I'm reinfected, but this time it's worse. MUCH worse.

Initially AVG virus checker alerted me to a trojan virus. (I can't remember the name of it now as I'm at work and my home cpu does let me go online now!) It appears it infected the IE Start up. I ran AVG to check for infected files; it found 9 and remedied them. I've also tried all the regular methods of ridding yourself of hijacking: CW Shredder, HijackThis (using my primitive knowledge of it, e.g. deleting suspicious items) but now the problem seems worse. This is what happens...

The CPU boots up and when I try to open the IE browser the message comes up saying there has been an unknown error in Internet Explorer and it will now close. But it doesn't end there. This error message is then repeated for all the programs running on my desktop, eventually ending with just a cyan screen and nothing else! I can shut down from there. Even when I open 'My Computer' it starts this chain of close-downs.

What is going on? I will try and post my HijackThis log if I can get my home CPU online.

PLEASE HELP!!

I'm running Windows Me btw


Here is my HJT log:

Logfile of HijackThis v1.97.7

Scan saved at 19:18:33, on 09/06/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\LOGON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\NTL\BROADBAND MEDIC\SMARTBRIDGE\MOTIVESB.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\QMIN\LMMALEIQ.EXE

C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE

C:\PROGRAM FILES\NTL\BROADBAND MEDIC\BIN\MPBTN.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL (file missing)

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet

O4 - Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Kangaroo (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224205185c...ip/RdxIE601.cab

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe


Thanks for your support Rockfly! I did get excited for a moment when I saw someone had replied (thinking it was an expert!!) Still, nice to know you're not being completely ignored :D

Another day, another bump! ;)


homepage hijacker:

C:\WINDOWS\SYSTEM\LOGON.EXE

don't need:

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

this process doesn't look too good, I would take it out:

C:\WINDOWS\SYSTEM\QMIN\LMMALEIQ.EXE

I don't know if this is your homepage but I don't see why it's not just msn.com, the second entry can go...I would suggest the google toolbar

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

these can go:

O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL (file missing)

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

I think this has to do with the process for hijacking:

O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exe

don't use limewire, it's horrible..if you want to use any of those retarded P2P things use Kazaa Lite K++ but you'll have to dig to find it on the internet:

O4 - Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe

if you're infected with cws go to my signature and run adaware, spybot and most importantly cwshredder, which should get rid of cws.

hope this helps {SoW}Rob


Many thanks for the reply Rob! Much appreciated.

Okay, I'll get rid of all that you suggested.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

My homepage (was) the BBC homepage so no, I won't need that!

I think my file sharing days are over!! Limewire...GONE!

I think this virus tried to infect CW Shredder when I opened it initially. It created a random string of text to stop it.

I will also try adaware spybot. Shall I post a new log of this?

Massive thanks again Rob. :thumbsup:

don't use limewire, it's horrible..if you want to use any of those retarded P2P things use Kazaa Lite K++ but you'll have to dig to find it on the internet:

This is an incredibly bad suggestion... Not only is KazaaLite cracked software, it also puts you into the Kazaa network that is riddled with malware... It is one of the main reasons this forum is so busy... If you want to do file sharing, please look here:

http://www.spywareinfo.com/articles/p2p/

Also, please note that caruch6392 has been making a large number of errors... if you have any more problems, please post back with a fresh log and details....

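An added example, not part of any post in this thread and not HijackThis's own logic: a small Python triage pass over log lines in the layout posted above. The two checks (a "(file missing)" marker, and an O4 registry value whose name is a file name different from the file it launches) are assumed heuristics for choosing which entries to review by hand, not verdicts on what is malicious.

```python
import ntpath
import re

# Lines copied from the log posted in this thread (HijackThis v1.97.7 layout).
SAMPLE_LOG = r"""
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O4 - Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
# O4 registry autostart: <hive>\..\<key>: [<value name>] <command line>
O4_REG = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# First executable path in a command line, quoted or not.
EXE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)


def parse_entries(text):
    """Yield (code, body) for every 'Xn - ...' line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return (code, reason, body) tuples for entries worth a manual look."""
    findings = []
    for code, body in parse_entries(text):
        # HijackThis appends this marker when the referenced file is absent.
        if body.endswith("(file missing)"):
            findings.append((code, "target file missing", body))
        reg = O4_REG.match(body) if code == "O4" else None
        if reg:
            name, cmd = reg.group(3), reg.group(4)
            exe = EXE.match(cmd)
            target = ntpath.basename(exe.group(1)).lower() if exe else ""
            # Assumed heuristic: the value name is a file name, but another file runs.
            if name.lower().endswith(".exe") and target and name.lower() != target:
                findings.append((code, "value name does not match target", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {body}")
```

An entry that passes both checks is not thereby clean; the pass only narrows which lines to look up first.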