IE6 hijacked - cwshredder&hijackthis can´t clear it

•

What is DaniWeb IT Discussion Community?

You're currently browsing the Web Browsers section within the Tech Talk category of DaniWeb, a massive community of 455,962 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 3,578 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.

Join our community!

Please support our Web Browsers advertiser: 64-bit Windows Community

Thread Tools Display Modes

Views: 2693 | Replies: 0

•

Join Date: Oct 2003

Posts: 21

Reputation: Ron Wolpa is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

Ron Wolpa

Offline

Newbie Poster

IE6 hijacked - cwshredder&hijackthis can´t clear it

Aug 21st, 2004

aug 21 2004

IE6 has been hijacked ;

http://homepage.com/ is the start page now ;
(Start page entry is :
http://%68%6F%6D%65%70%61%67%65%2E%6...%63%63/%68%70/ )

I tried to run CWShredder v1.59.1 and hijackthis v1.98.2 ;

CWShredder´s Restoring Internet Explorer Pages item suceeds to clear 18 items ; The 1st time I open IE6 after using CWShredder , it opens a blank page , then I close to test it and open a 2nd time , so the hijacking page is back as start page ;

I ran hijackthis v1.98.2 , but without success :

browser helper object C:\DPE.dll has been found , I check it to be fixed , but
it gets back ;
At the end of this post I will paste hijackthis LOG ;

It is interesting to note that I have the useless SpywareBlaster Version 3.2 which would be a protection against hijacking (by the looks of it I will remove it......feeling cross about that) ;

Well friends I count on you for some help ;

Cheers
RW
.....................................................................................................
Logfile of HijackThis v1.98.2
Scan saved at 21:17:24, on 21/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\ADMUNCHER\ADMUNCH.EXE
C:\WINDOWS\SYSTEM\FPPDIS2A.EXE
C:\VITALAGENT8\VITALAGENT\PROGRAM\VTLAGENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\!_DOWNLOAD\!_IE6_SETUP_SECURITY\IE_SECURITY\HIJACKTHIS\HIJACKTHIS_V1.98.2.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Ad Muncher] C:\ADMUNCHER\ADMUNCH.EXE /bt
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\SYSTEM\fppdis2a.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: MyVitalAgent.lnk = C:\vitalagent8\VitalAgent\Program\VtlAgent.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\getright502\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\getright502\GRbrowse.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\icq\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\icq\ICQ.exe
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorU...iveInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL

.....................................................................................................