[foody]

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:Windows XP Pro sp2
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:
Hello Whoever, is anyone aware of a trojan named Allinone.com? Sometimes(not always)when I close my homepage this page is sitting behind it. I have Startpage Guard which stops it taking over I guess but it must be in my system. Is it malicious? I have Hijack this and can post a log if needed. Thankyou

[Geekgirl]

I haven't seen this one and Google didnt bring nothing up on it. Go ahead and paste your HJT log in here

[foody]

Logfile of HijackThis v1.99.1
Scan saved at 12:35:11 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1537AC1-2F45-4568-88EC-F101E24659D4}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

[Geekgirl]

Your log is clean as a whistle

Startpage Guard may be stopping it from hijacking your startpage.

[foody]

Thanks Geek Girl, I searched Google b4 I posted with you and got one entry that referred to it as spyware but the webpage was blank when I clicked on itso could'nt find out anymore. I now have Microsoft Spyware loaded and it found 1 entry for Quickmetasearch which I had problems with last week when you helped me. I removed the file msvcrta.dll from System32files as you instructed but apart from using Outlook to get my mail I haven't been back on the Net. How could it have reappeared ?  Could it be lurking somewhere else in the works? What if I disable Startpage guard to see if it hijacks again  or should I let sleeping dogs lie? Sorry to be a pest.  Foody

[Geekgirl]

Use these programs weekly to add for better protection

Download / Install / Update / and Run:
Adaware SE check for any updates before running it.
Get the plug-in for fixing VX2 variants. You can download it at this SITE
 To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Download and install Spybot S&D . Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Also if you dont have a firewall, Zone Alarm is a good free firewall.

Let sleeping dogs lie is what I always say. No need to wake them up, their 10 times nastier

[foody]

Hello Geek Girl,I have done as you instructed above but when closing download page for VX2 cleaner a blank page was sitting behind called itallnowdone.com .Have run AdAware (VX2 did'nt need a'clean') Spybot (no results) and MIcrosoft Antispyware Beta 1 (also no detected problems.) Do you know anything of this itallnowdone.com? I feel violated! Your thoughts appreciated. Thanks,  Foody

[Geekgirl]

Turn off Active Desktop