
IE6 has been constantly hijacked;
this damn site:
http://www.lookfor.cc/index.php?p=37049 replaces the start page, obliging me to edit the registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page;

It has happened almost every night since the 1st time a week ago;

An updated Spybot Search and Destroy has scanned the system and some cookies have been cleared up, but it has not solved the annoying problem;

Is there something else I can do to eliminate whatever is in the system?

I am very very fed up with that bastard www.lookfor...

Thank you so much

RW

Hi, I think I have the same problem as you. Please give me some help!!!
This is my HijackThis.log file:

Logfile of HijackThis v1.97.7
Scan saved at 01:39:54, on 01/10/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\POPROXY.EXE
C:\ARCHIVOS DE PROGRAMA\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE
C:\ARCHIVOS DE PROGRAMA\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\ES-LA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\NTCH.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\APICH32.EXE
C:\WINDOWS\APICH32.EXE
C:\INSTALAR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = deArriba Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {486D2C22-7F48-D300-16ED-5B6AF1BC159F} - C:\WINDOWS\SYSTEM\MFCAC.DLL
O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\ES\MSNTB.DLL (file missing)
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3Deep Control Panel] C:\ARCHIV~1\CREATIVE\3DEEP\PROGRAM\3DeepCTL.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Archivos de programa\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [UFD Monitor] C:\Archivos de programa\USB Flash Disk Utility\UFD Utility\UFDMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Archivos de programa\USB Flash Disk Utility\UFD Utility\USBTD.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\es-la\msnappau.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\BCDetect.exe defer
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [APICH32.EXE] C:\WINDOWS\APICH32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Image Transfer.lnk = C:\Archivos de programa\Sony Corporation\Image Transfer\SonyTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.ciudad.com.ar
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38240.8525
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6


Download: "StartDreck", from here:
http://www.niksoft.at/download/startdreck.htm
Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.


Hi, I think I've removed some things, but the blank page changed by a search page persists. TeaTimer showed me some changes in the registry keys relating to the browser's Search Page.

This is the log file from StartDreck:

StartDreck (build 2.1.7 public stable) - 2004-10-02 @ 00:13:49 (GMT -03:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 5.50.4522.1800
Logged in as Gabriel Belingueres at GABRIEL

»Registry
»Run Keys
»Current User
»Run
*SpybotSD TeaTimer=C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
»RunOnce
»Default User
»Run
*SpybotSD TeaTimer=C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*3Deep Control Panel=C:\ARCHIV~1\CREATIVE\3DEEP\PROGRAM\3DeepCTL.EXE
*mdac_runonce=C:\WINDOWS\SYSTEM\runonce.exe
*CriticalUpdate=C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
*VoodooBanshee=rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
*Norton Auto-Protect=C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
*Norton eMail Protect=C:\Archivos de programa\Norton AntiVirus\POPROXY.EXE
*UFD Monitor=C:\Archivos de programa\USB Flash Disk Utility\UFD Utility\UFDMon.exe
*UFD Utility=C:\Archivos de programa\USB Flash Disk Utility\UFD Utility\USBTD.exe
*LoadQM=loadqm.exe
*msnappau="c:\program files\MSN Apps\Updater\01.02.3000.1001\es-la\msnappau.exe"
*SystemTray=SysTray.Exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*BCDetect=C:\WINDOWS\SYSTEM\BCDetect.exe defer
*ScriptBlocking="C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F18A7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF6C03=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF5F93=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF46BB=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFAECF=C:\WINDOWS\EXPLORER.EXE
+FFFE129F=C:\WINDOWS\PTSNOOP.EXE
+FFFE9917=C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\NAVAPW32.EXE
+FFFE3C9F=C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\POPROXY.EXE
+FFFDA82F=C:\ARCHIVOS DE PROGRAMA\USB FLASH DISK UTILITY\UFD UTILITY\UFDMON.EXE
+FFFDFCBB=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFDEA1F=C:\ARCHIVOS DE PROGRAMA\USB FLASH DISK UTILITY\UFD UTILITY\USBTD.EXE
+FFFDFDAF=C:\WINDOWS\LOADQM.EXE
+FFFEFE7F=C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\ES-LA\MSNAPPAU.EXE
+FFFEEB97=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC41E7=C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFBA1F7=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFBF023=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFBA3D3=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFF9ABF3=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF95457=C:\WINDOWS\SYSTEM\SYSKF32.EXE
+FFF81693=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF8007B=C:\INSTALAR\STARTDRECK\STARTDRECK.EXE
»Application specific

Thanks in advance,
Gabriel


I think I have the same problem as you. Please give me some help!!!

First of all, you have to obtain a newer version of Internet Explorer. v5.5 is no longer supported or updated. v6.0 is more secure by a good margin. You can find IE 6.0 on an AOL disc, if they have those in Argentina...

You also need a newer version of HijackThis.

Copy these instructions to Notepad or another text editor, then print them out. You should not have any browser windows open when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that system files and folders are visible.

Reboot into Safe Mode by pressing the [F8] key repeatedly until the boot menu shows up.

Make sure to close any open browser windows. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn’t be – but double check them):

C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\NTCH.EXE
C:\WINDOWS\APICH32.EXE (all instances)

I'll list what, in my opinion, should be dumped. Realize that not all of these are malicious--some are merely superfluous, "excess baggage." Some companies (Real and Apple among them) seem to think their software should run all the time... bleah!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
O2 - BHO: (no name) - {486D2C22-7F48-D300-16ED-5B6AF1BC159F} - C:\WINDOWS\SYSTEM\MFCAC.DLL
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\RunServices: [APICH32.EXE] C:\WINDOWS\APICH32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - hxxp://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
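As an added illustration (not code from this thread, from HijackThis or from the poster), the following Python script applies the reasoning in the reply above to HijackThis log lines in a repeatable way: it flags R0/R1 page settings served out of a DLL via res://, home/search pages on hosts a defender has not approved (the lookfor.cc start-page hijack from the first post), unnamed BHOs loaded from the Windows directory, autostart executables sitting directly in the Windows root, and ActiveX (O16/DPF) downloads from hosts outside an allow-list. The allow-lists, the sample log lines and every heuristic threshold are constructed for the example; the sample lines are modelled on entries in this thread but are not the full posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.x log format, modelled on entries from
# this thread; it is not the poster's full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\soqbj.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
O2 - BHO: (no name) - {486D2C22-7F48-D300-16ED-5B6AF1BC159F} - C:\WINDOWS\SYSTEM\MFCAC.DLL
O4 - HKLM\..\RunServices: [APICH32.EXE] C:\WINDOWS\APICH32.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\ARCHIV~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# "R1 - ...", "O16 - ..." entry prefix, and a drive-letter path ending in an executable type.
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?([A-Za-z]:\\.+?\.(?:exe|dll|ocx|com|scr|bat))', re.I)
WINDIR = "C:\\WINDOWS\\"

# Constructed allow-lists: hosts the defender accepts for the IE home/search
# pages and for ActiveX downloads. www.ciudad.com.ar is the IERESET.INF start
# page from the posted log; the DPF hosts are the vendor hosts in that log.
ALLOWED_PAGE_HOSTS = {"www.ciudad.com.ar"}
ALLOWED_DPF_HOSTS = {"download.macromedia.com", "v4.windowsupdate.microsoft.com"}


def _host(url):
    """Hostname of a URL; accepts the 'hxxp' defanging used in forum posts."""
    return urlparse(url.replace("hxxp://", "http://", 1)).hostname or ""


def _is_url(value):
    return value.lower().startswith(("http://", "https://", "hxxp://"))


def _in_windows_root(path):
    """True for a file sitting directly in the Windows directory, not a subfolder."""
    p = path.upper()
    return p.startswith(WINDIR) and "\\" not in p[len(WINDIR):]


def _under_windows(path):
    return path.upper().startswith(WINDIR)


def check_entry(line):
    """Return a reason string if a HijackThis entry looks suspicious, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")

    if sect in ("R0", "R1"):          # IE start/search page registry values
        value = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if value.lower().startswith("res://"):
            return "IE page setting served out of a DLL resource (res://)"
        if _is_url(value) and _host(value) not in ALLOWED_PAGE_HOSTS:
            return "IE page setting points at a host not on the allow-list"
    elif sect == "O2":                # Browser Helper Objects
        path = body.rsplit(" - ", 1)[-1].strip()
        if "(no name)" in body and _under_windows(path):
            return "unnamed BHO loaded from the Windows directory"
    elif sect == "O4":                # Run / RunServices / Startup autostarts
        cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
        exe = EXE_RE.match(cmd.strip())
        if exe and _in_windows_root(exe.group(1)):
            return "autostart executable sitting in the Windows root directory"
    elif sect == "O16":               # ActiveX downloads (DPF)
        url = body.rsplit(" - ", 1)[-1].strip()
        if _is_url(url) and _host(url) not in ALLOWED_DPF_HOSTS:
            return "ActiveX download from a host not on the allow-list"
    return None


def triage(log_text):
    """Return (section, reason, line) for every suspicious entry in a log."""
    findings = []
    for line in log_text.splitlines():
        reason = check_entry(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for sect, reason, entry in triage(SAMPLE_LOG):
        print(f"[{sect}] {reason}\n    {entry}")
```

Run against the sample it flags the two res:// and lookfor.cc page settings, the MFCAC.DLL BHO, the APICH32.EXE RunServices entry and the mt-download.com ActiveX download, while the Norton autostart, the about:blank default page and the Macromedia Flash download pass. The allow-list approach is deliberate: a hijacker's host is unknown in advance, so the check asks whether a home page or ActiveX source is one the defender expects rather than whether it appears on a blocklist.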


Thanks!!
I think it's gone now!!
Gabriel
