MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: hijacked browser
June 20, 2019, 08:29:43 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
June 20, 2019, 08:29:43 AM

Login with username, password and session length
 
News
New  We now offer MyTechSupport.ca Merchandise! Every purchase goes towards maintaining our site.
Thank you for supporting MyTechSupport.ca!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: hijacked browser  (Read 1469 times)
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« on: November 09, 2004, 01:24:38 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:win xp sp2
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:


Hi,

I've been hijacked by the richfind toolbar which I successfully got rid of using adaware but I can't seem to stop it changing my homepage from google to msn, been looking on the forums and here is my hijack this log, hope you guys can help!!
Thanks in advance.


Logfile of HijackThis v1.98.2
Scan saved at 13:15:41, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Mark Evans\Desktop\Software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: Richfind - {39352355-C2A9-4BCB-9A11-8D2079D979CD} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: Richfind - {4EA817B9-CE28-45B9-B280-1F262A7A0ECE} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Richfind - {841A5FD1-6C90-4348-BA47-C91757AC218A} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: Richfind - {D7C89A88-FD7D-4883-818E-2002CD536AE1} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Richfind - {83777790-4AA6-4C04-AA52-6F9ED03ADF70} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {83777790-4AA6-4C04-AA52-6F9ED03ADF70} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Filter: text/html - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll
O18 - Filter: text/plain - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll

Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #1 on: November 09, 2004, 01:34:13 PM »

Run hijack this and fix the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: Richfind - {39352355-C2A9-4BCB-9A11-8D2079D979CD} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: Richfind - {4EA817B9-CE28-45B9-B280-1F262A7A0ECE} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {841A5FD1-6C90-4348-BA47-C91757AC218A} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {D7C89A88-FD7D-4883-818E-2002CD536AE1} - C:\WINDOWS\system32\Q1673328.dll

O3 - Toolbar: Richfind - {83777790-4AA6-4C04-AA52-6F9ED03ADF70} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {83777790-4AA6-4C04-AA52-6F9ED03ADF70} - C:\WINDOWS\system32\Q1673328.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O18 - Filter: text/html - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll
O18 - Filter: text/plain - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll

Reboot and post a new log
Logged

John Vickers
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #2 on: November 09, 2004, 01:49:04 PM »

Hi again,
thanks fro the help, here is a new hijack this log. Unfortunately it seems to still be doing it and the richfind toolbar has now re-appeared!

Logfile of HijackThis v1.98.2
Scan saved at 13:43:08, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark Evans\Desktop\Software\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: Richfind - {4EA817B9-CE28-45B9-B280-1F262A7A0ECE} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: Richfind - {D7C89A88-FD7D-4883-818E-2002CD536AE1} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Filter: text/html - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll
O18 - Filter: text/plain - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll

Thanks again.
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #3 on: November 09, 2004, 02:37:52 PM »

Ok download CWSHREDDER but do not run it yet

disable system restore.You can enable it once you are clean


Using System Restore Windows XP

Run hijack this and fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: Richfind - {39352355-C2A9-4BCB-9A11-8D2079D979CD} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: Richfind - {4EA817B9-CE28-45B9-B280-1F262A7A0ECE} - C:\WINDOWS\system32\Q1673328.dll
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {841A5FD1-6C90-4348-BA47-C91757AC218A} - C:\WINDOWS\system32\Q1673328.dll
O2 - BHO: Richfind - {D7C89A88-FD7D-4883-818E-2002CD536AE1} - C:\WINDOWS\system32\Q1673328.dll

O3 - Toolbar: Richfind - {83777790-4AA6-4C04-AA52-6F9ED03ADF70} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll
O9 - Extra button: Richfind - {83777790-4AA6-4C04-AA52-6F9ED03ADF70} - C:\WINDOWS\system32\Q1673328.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O18 - Filter: text/html - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll
O18 - Filter: text/plain - {F6F22B9A-B571-44BF-BDE5-0360FB7D8C11} - C:\WINDOWS\system32\Q1673328.dll

Boot to safe mode making sure you can see hidden files and folders


How To Boot Into SafeMode

How To Show Hidden Files And Folders

Delete:

C:\WINDOWS\system32\Q1673328.dll

While in safe mode Close all browser windows, open cwshredder.exe then click
"Fix" and let it run.

Reboot and post a new log




Logged

John Vickers
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #4 on: November 09, 2004, 03:00:50 PM »

Hello,

done everything as you said it, but I think the log is still showing some references to richfind, but the toolbar has gone again now!
Here is the latest log.

Logfile of HijackThis v1.98.2
Scan saved at 14:56:16, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Mark Evans\Desktop\Software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: Richfind - {4EA817B9-CE28-45B9-B280-1F262A7A0ECE} - C:\WINDOWS\system32\Q1673328.dll (file missing)
R3 - URLSearchHook: Richfind - {7A02F6FA-FEE1-4F4E-804A-3361303190E8} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: Richfind - {D7C89A88-FD7D-4883-818E-2002CD536AE1} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O3 - Toolbar: Richfind - {91A1B2D7-6103-4BAA-876E-F41702A552B4} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O9 - Extra button: Richfind - {91A1B2D7-6103-4BAA-876E-F41702A552B4} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Thanks again, I'd be totally lost without your help.
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #5 on: November 09, 2004, 03:07:55 PM »

Ok we got rid of some of it now lets get it all.Run hijack this and fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: Richfind - {4EA817B9-CE28-45B9-B280-1F262A7A0ECE} - C:\WINDOWS\system32\Q1673328.dll (file missing)
R3 - URLSearchHook: Richfind - {7A02F6FA-FEE1-4F4E-804A-3361303190E8} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O2 - BHO: Richfind - {D7C89A88-FD7D-4883-818E-2002CD536AE1} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O3 - Toolbar: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O3 - Toolbar: Richfind - {91A1B2D7-6103-4BAA-876E-F41702A552B4} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O9 - Extra button: Richfind - {761462ED-831C-41AC-92B3-D4B9D3E9090C} - C:\WINDOWS\system32\Q1673328.dll (file missing)
O9 - Extra button: Richfind - {91A1B2D7-6103-4BAA-876E-F41702A552B4} - C:\WINDOWS\system32\Q1673328.dll (file missing)

Restart your computer but Do Not open any browsers just yet.

Go to start>settings>control panel>internet options
Under the general tab
click>delete cookies>say ok
click>delete files>check delete offline content>say ok twice
Under the programs tab
click>reset web settings

Run hijack this and post one more log
Logged

John Vickers
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #6 on: November 09, 2004, 03:20:47 PM »

Hi,
latest log file, still won't let me change my homepage to google instead of msn though?



Logfile of HijackThis v1.98.2
Scan saved at 15:14:57, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark Evans\Desktop\Software\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Thanks once more.
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #7 on: November 09, 2004, 03:26:48 PM »

.Run hijack this and fix

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk

Restart your computer but Do Not open any browsers just yet.

Go to start>settings>control panel>internet options
Under the general tab
click>delete cookies>say ok
click>delete files>check delete offline content>say ok twice
Under the programs tab
click>reset web settings

Run hijack this and post one more log

« Last Edit: November 09, 2004, 03:41:19 PM by jvic » Logged

John Vickers
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #8 on: November 09, 2004, 03:34:16 PM »

here is the latest log file, still can't change homepage I'm afraid.

Logfile of HijackThis v1.98.2
Scan saved at 15:28:48, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark Evans\Desktop\Software\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #9 on: November 09, 2004, 03:47:45 PM »

I don't see anything in your log that would prevent you from changing your homepage.I would recommend using Mozilla as a browser as there are less chances for malware to get onto your computer and also you get no popups.i will do some more research and see if I can't find the reason you can't change your homepage
Logged

John Vickers
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #10 on: November 09, 2004, 03:50:55 PM »

ok, thanks a lot for all of your help, I wouldn't of had a clue where to even begin, you have been great!
Thanks again.
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #11 on: November 09, 2004, 03:55:33 PM »

I should have thought of this earlier
If you have SpyBot S&D installed, go to the Tools<<IE Tweaks
Is "Lock IE Start Page Settings" ticked?
If so, uncheck it.
Logged

John Vickers
fattydavies
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #12 on: November 09, 2004, 04:36:32 PM »

Thats done it! I had several ad and spyware progs running, got a bit over-zealous after getting hit with that stupid richfind thing!
Cheers!
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #13 on: November 09, 2004, 04:41:29 PM »

Glad to help

Prevention
To help in preventing your system from being infected again

* SpywareBlaster will prevent spyware from being installed.
  Spywareblaster

* SpywareGuard offers realtime protection from spyware installation attempts.
  Spywareguard


To protect yourself further:

* IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  IE/Spyad

* Get the free google toolbar to help stop pop up windows.
  Google Toolbar


These steps should be done on a regular basis.

1.You should run a scan with Ad-Aware regularly (Keep the definitions updated)

2.Run windows updates at least once a month

3.Keep your antivirus updated weekly

4.I also suggest that you delete any files from "temp", "tmp" folders.
  In Internet Explorer, click on
  "Tools" => "Internet Options" => "Delete Files" and select the box that says
  "Delete All Offline Content" and click on "OK" twice.




Logged

John Vickers
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #14 on: November 10, 2004, 02:30:41 AM »

I'll leave this topic open for a few days then close it.If you need it reopened please PM a mod and supply a link to this thread
Logged

John Vickers
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 21, 2018, 04:30:10 PM