grumpup

homepage changing

7 posts in this topic

Basically, my elderly parents' computer has gotten to the point where I can no longer fix the problems myself. I've got HijackThis downloaded and also CWShredder. I have SpyHunter and also Norton.

The problem is the home page keeps changing, letters when typing don't show up right away, and these pop-ups are still making it past my 2 different popup blockers. Please, anyone who knows what they are doing, please help.

Thanks GUMPUP

Logfile of HijackThis v1.97.7

Scan saved at 10:33:32 AM, on 6/24/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\POPUPBLOCKER\ENIGMAPOPUPSTOP.EXE

C:\WINDOWS\SYSTEM\IEHOST.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\OUCHJBG.EXE

C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE

C:\WINDOWS\SYSTEM\ICMDMOE.EXE

C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE

C:\PROGRAM FILES\GRID 01\SOFTWARE FOR KEEP.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\PROGRAM FILES\EZULA\MMOD.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE

O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O3 - Toolbar: link program eq - {361C3A39-9158-BB39-766E-4106A8DF1A3A} - C:\PROGRAM FILES\SETUP INTRA BLUE\SOFT MATH.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - HKLM\..\Run: [ZIY] C:\WINDOWS\TEMP\ZIY.EXE

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\SYSTEM\IEHost.exe

O4 - HKLM\..\Run: [amlkrnd] C:\WINDOWS\SYSTEM\ouchjbg.exe

O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [AutoLoadero2t71IMkXINJ] "C:\WINDOWS\SYSTEM\ICMDMOE.EXE" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [GREAT BAGS] C:\PROGRA~1\GRID 01\SOFTWARE FOR KEEP.exe

O4 - HKLM\..\Run: [o92h36R] ICMDMOE.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O4 - HKCU\..\Run: [ZytnRWdmg] LFPMP70N.EXE

O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...AB?38020.679375

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49/420/online.chm::/on-line.exe

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/98ME/CDTInc/bridge.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O19 - User stylesheet: C:\WINDOWS\win32.bmp


Just letting you know that you haven't been ignored, I am working on your problem.


Hello Grumpup, and welcome to the forums.

Download this: http://www.downloads.subratam.org/VX2Finder9x.exe and run it

1-Click "Click To find Find VX2.Abetterinternet"

2-Delete all files found

You will get a message about "cannot delete this one" matching the same name in the Guardian Key.

3-Click "Open regedit" will take you right to the Guardian Key (no need to search for it)

4-Highlight "Guardian", right-click and choose Security/permissions, you'll get another window with 'advanced'...

DE-select (uncheck) the lower box with "inheritable permissions"

Hit 'ok' and 'remove' on the following security prompts.

Restart computer.

5-On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

7-Click "Guardian.reg" in VX2Finder Deletes the Guardian Key.

8-Use Find again should produce a clean log of blank values.

9-Click "Restore Policy" to restore the Debug policy altered in the Look2Me installation (requires reboot to apply, but not immediately necessary).

Download LSP Fix from the following location:

http://www.cexx.org/LSPFix.exe

Open LSP Fix and check the "I know what I'm doing" box. Move all copies of inetadpt.dll to the "Remove" column. Then click "Finish" and exit LSP Fix.

Now press Ctrl+Alt+Delete and end the following processes (some may not be there):

C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\POPUPBLOCKER\ENIGMAPOPUPSTOP.EXE

C:\WINDOWS\SYSTEM\IEHOST.EXE

C:\PROGRAM FILES\EZULA\MMOD.EXE

C:\PROGRAM FILES\GRID 01\SOFTWARE FOR KEEP.EXE

C:\WINDOWS\SYSTEM\OUCHJBG.EXE

C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE

C:\WINDOWS\SYSTEM\ICMDMOE.EXE

Important: Create a folder such as C:\HJT and move Hijack This there. When you run Hijack This from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary. The backups will be harder to clean out later if it is left in its present location.

Next, open Hijack This and check the following boxes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)

O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O3 - Toolbar: link program eq - {361C3A39-9158-BB39-766E-4106A8DF1A3A} - C:\PROGRAM FILES\SETUP INTRA BLUE\SOFT MATH.DLL

O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - HKLM\..\Run: [ZIY] C:\WINDOWS\TEMP\ZIY.EXE

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\SYSTEM\IEHost.exe

O4 - HKLM\..\Run: [amlkrnd] C:\WINDOWS\SYSTEM\ouchjbg.exe

O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [AutoLoadero2t71IMkXINJ] "C:\WINDOWS\SYSTEM\ICMDMOE.EXE" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [GREAT BAGS] C:\PROGRA~1\GRID 01\SOFTWARE FOR KEEP.exe

O4 - HKLM\..\Run: [o92h36R] ICMDMOE.EXE

O4 - HKCU\..\Run: [ZytnRWdmg] LFPMP70N.EXE

O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49/420/online.chm::/on-line.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/98ME/CDTInc/bridge.cab

O19 - User stylesheet: C:\WINDOWS\win32.bmp

Now hit "Fix checked" and close Hijack This.

Reboot your computer into safe mode. Instructions on how to do that are available here:

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Uninstall the following programs via Add/Remove programs under control panel:

Spyhunter

Kazaa

Why uninstall Spy Hunter? It is not a legitimate Anti-Spyware program. It is known to tell users that they have spyware that is not actually there to get you to pay for it, and then do almost nothing to deal with actual spyware.

Why uninstall Kazaa? It is a spyware-laden application and there are plenty of safer file-sharing applications. A list is available here:

http://www.spywareinfo.com/articles/p2p/

Now delete the following files/folders. You may need to show hidden files/folders to do that. Instructions on how to show hidden files/folders are available here:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete the following files/folders (some may already be gone):

C:\PROGRA~1\ezula\ <- this folder

C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ <- this folder

C:\PROGRAM FILES\GRID 01\ <- this folder

C:\WINDOWS\SYSTEM\OUCHJBG.EXE <- this file

C:\WINDOWS\SYSTEM\IEHOST.EXE <- this file

C:\PROGRAM FILES\COMMON FILES\DPI\ <- this folder

C:\PROGRAM FILES\COMMON FILES\UPDMGR\ <- this folder

C:\WINDOWS\SYSTEM\ICMDMOE.EXE <- this file

C:\WINDOWS\win32.exe <- this file

C:\WINDOWS\TEMP\ZIY.EXE <- this file

C:\WINDOWS\ALCHEM.exe <- this file

C:\PROGRA~1\GRID 01\ <- this folder

Search for and delete the following if found:

LFPMP70N.EXE

Reboot your PC and post a new Hijack This log.

Edited by gravylover5

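An added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over HijackThis log lines that flags entries by structural traits visible in the log posted above. The rules and the function names (`parse`, `reasons`, `triage`) are assumptions chosen for illustration; they catch only part of the fix list above, since most of those entries were identified by name rather than by shape.

```python
import re
# Excerpt of the log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ZIY] C:\WINDOWS\TEMP\ZIY.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry body

def parse(log):
    """Yield (code, body) per log entry; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def reasons(code, body):
    """Illustrative structural rules (assumptions, not HijackThis logic)."""
    low, why = body.lower(), []
    if code in ("R3", "O2", "O3") and low.endswith("(no file)"):
        why.append("registered component has no file on disk")
    if code == "O1":
        why.append("hosts file entry overrides name resolution")
    if code == "O4" and "\\temp\\" in low:
        why.append("autorun launches from a TEMP directory")
    if code == "O10" and low.startswith("unknown file"):
        why.append("unrecognised DLL in the Winsock LSP chain")
    if code == "O16" and not re.search(r" - https?://\S+$", low):
        why.append("ActiveX download source is not an http(s) URL")
    if code == "O19" and not low.endswith(".css"):
        why.append("user stylesheet is not a .css file")
    return why

def triage(log):
    """Return {flagged entry: (repeat count, reasons)}."""
    flagged = {}
    for code, body in parse(log):
        why = reasons(code, body)
        if why:
            entry = f"{code} - {body}"
            flagged[entry] = (flagged.get(entry, (0, why))[0] + 1, why)
    return flagged
```

Calling `triage(SAMPLE_LOG)` returns the flagged entries with their repeat counts; a hit is a prompt for review, not a verdict, and an unflagged autorun such as the `[bakra]` entry still needs someone who recognises the name.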

Gravy-

Thanks for the reply. I won't be able to work on their computer till the 4th of July weekend when I'm back at their place. Just add another reply so I know you'll take a look at it after that. Thanks Again

GRUM


Gravy-

I got to step #2 before I ran into this problem: I can find nothing about "Open regedit" (your steps are below). Where is that located? It's not with the VX2Finder window.

Thanks GRUM

3-Click "Open regedit" will take you right to the Guardian Key (no need to search for it)

4-Highlight "Guardian", right-click and choose Security/permissions, you'll get another window with 'advanced'...

DE-select (uncheck) the lower box with "inheritable permissions"

Hit 'ok' and 'remove' on the following security prompts.

Restart computer.

5-On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

7-Click "Guardian.reg" in VX2Finder Deletes the Guardian Key.

8-Use Find again should produce a clean log of blank values.

9-Click "Restore Policy" to restore the Debug policy altered in the Look2Me installation (requires reboot to apply, but not immediately necessary).


My apologies, Grumpup, for the incorrect instructions. I hope it didn't cause too much frustration. Use these instructions for VX2Finder instead of the ones I supplied earlier. Then follow the instructions that I gave for the steps after VX2Finder.

http://www.downloads.subratam.org/VX2Finder9x.exe

For Windows 98 & Me versions.

For Win9x, it doesn't even require a reboot, just find files (verify they are not legitimate Windows files)

-Select files and delete them all (Rundll32 & Explorer will end process leaving blank desktop)

-User Agent$ Removes the User Agent String in Registry

-Look2Me.reg Fixes the Double Quicklaunch toolbar.

Also, your version of Hijack This is outdated. Please download version 1.98.0, available here:

http://downloads.subratam.org/hijackthis.zip
