0

Internet Explorer has been hijacked and I can't stop it resetting to gb10.hpwis.com as the home page. I have tried so much already but nothing has worked. Whatever it is cannot be detected by Norton Antivirus 2004, Adaware or Spybot (all fully up to date). I have also tried CWShredder2, Stinger, Trend online Housecall scan, AboutBuster, IEFix and TrojanHunter and used Killbox to delete files that I thought were suspicious (though obviously I must have missed some). I deleted winPE.exe but it's still being referred to in the registry. Oh, and I've done all those in safe mode as well as normal running, but as soon as I do a normal reboot it all comes back.

I run an HP Pavillion PC and have even done a destructive revert-to-factory-settings restore, but it even persisted after that!!! I don't understand it. :sad:

Here's my latest HijackThis log, after I tried all the stuff above in safe mode:-

Logfile of HijackThis v1.99.1
Scan saved at 22:30:10, on 14/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\gsicon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I also deleted a lot of stuff from the registry using regedit, which had persisted even after I used HijackThis to fix some of the nasties above - all references to gb10, srchasst, Search Assistant, ownage or WinPE, but obviously that did no good either.


PLEASE, please can someone help? I'm desperate.

Edit: Forgot to mention, when I boot up the Adwatch monitoring window comes up, but a warning pops up from Norton Antivirus to say it is disabled. Then all the registry changes happen setting IE to gb10.hpwin.com and then Norton Antivirus comes on (obviously too late). Dunno if that helps.

2
Contributors
10
Replies
11
Views
11 Years
Discussion Span
Last Post by just_a_nobody
0

Oh, forgot to add that as well as doing all the above I was also deleting all contents of temporary folders and IE history, and also emptying the recycle bin before rebooting. And HijackThis is in its own folder.

0

These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
(Description: Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers )

O4 - HKLM\..\Run: [ms ownage] winPE.exe
(Description: W32/Rbot-AJL WORM)

O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
(Description: W32/Rbot-AJL WORM)


Suggestions

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
(Description: HP monitoring tool. Unnecessary. Remove this to free up some system resources.)

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
(Description: ADSL modem monitor from Eicon Networks (as used by BT for its Broadband internet service for example). Can safely be disabled without affecting the connection - all this does is give an indication of connectivity and access to the diagnostic facilities. Removing this entry will free up some system resources.)

O4 - HKLM\..\Run: [Reminder] \"C:\Windows\Creator\Remind_XP.exe\"
(Description: Subscription reminder to unlock unkimited use for SoftThinks CD Creator CD/DVD rewriting software, usually supplied with HP PC's as a pre-installed package. Unnecessary. Removing this will free up a small amount of system resources. )


1) Press the "Fix checked" button. Then close HijackThis.


2) Then reboot your computer.

3) Search for and delete the file Alcxmntr.exe

4) Delete the file winPE.exe which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\

5) Empty your recycle bin.

6) Run Windows Update and install all critical updates.

7) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.

8) Reboot one last time. Your PC should now be free from spyware!
We suggest that you run HijackThis again, just to make sure that none of the entries that you removed suddenly reappeared. If they haven't, print out our HijackThis log and put it somewhere safe. You can refer to it later if your PC starts acting up.

0

Thanks for replying so quickly - your help is appreciated. Unfortunately I am no better off. I did everything that you said above, including downloading and installing all available Windows updates, and double checking that Norton Antivirus was up to date. I had already deleted Alcxmntr.exe and winPE.exe, all temporary files and emptied my recycle bin.

After all this, my IE is still being hijacked. Here is my latest HJT log:-

Logfile of HijackThis v1.99.1
Scan saved at 21:12:57, on 15/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Interestingly (though I don't know if it means anything) even the additional registry keys that you advised me to delete are back again.

Anyone got any other ideas I could try please?

0

Ok try this site: http://www.sophosantivirus.org/virusinfo/analyses/w32rbotajl.html
Look at the Recovery and Advanced tabs

Also, if you have XP then download a trial version of Ewido.

You can download a trial version of Ewido here: http://www.ewido.net/en/

Be sure you update it before using it, and when it finds a problem, be sure to select the check box to do the same action (clean) when it finds a problem, otherwise, you will have to click continue, to keep scanning with every problem it finds.

0

Thanks again for your quick reply.
I could not download any of the patches as they are older than the software my system already has in place (they are SP1, I have SP2). I downloaded Ewido, updated it and ran it with some interesting results (you could see the ms ownage registry keys reinstalling within seconds of being deleted). However nothing has changed. IE still resets to gb10blahblah and all the dodgy registry keys come back even after deletion.

Anyone got any other ideas?

0

Well this is all I have left. Create a folder in C: and name it: Autoruns. Now, download this program: http://www.sysinternals.com/Files/Autoruns.zip to that folder, and unzip it in that folder. When you use the >exe file to run Autoruns, use the top most exe file.

Now go to this site and follow their directions: http://www.bleepingcomputer.com/forums/How_to_remove_a_Trojan_Virus_Worms_or_other_Malware-tut101.html


If that doesn't work, then the only thing else that I can suggest, is to zero the hard drive, fdisk, format, and reinstall Windows.

0

Thanks for that. I already have used Autoruns as well as AVG which a friend recommended to remove it. This thing isn't going anywhere :( I already had done a destructive restore using the HP software, but it looks like I'm going to have to get dirty. The only problem is that if I lose the HP programmes I am worried about losing my Windows XP licence number etc as there is no record of it on the PC or in any documentation. I'm really annoyed that the Norton software I am paying good money for is useless in this situation.

0

Download Everest, it should give you your XP key: http://www.lavalys.com/products.php?lang=en

I am not a Norton fan, get AVG free, in fact, if you do a clean install, leave Norton off, below is a list of programs I recommend.

I only list here, the programs that I have used and I’m satisfied with, I know there are other great programs, but these are just the ones that I use, and can verify, as being worthy.

SYSTEM INVENTORY
Everest: http://www.lavalys.com/products.php?lang=en

SPYWARE
AdAware: http://www.lavasoftusa.com/software/adaware/
Spybot S&D: http://www.safer-networking.org/en/index.html
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
Microsoft AntiSpyware (XP only): http://www.microsoft.com/athome/security/spyware/software/default.mspx

VIRUS PROTECTION
AVG Free: http://www.majorgeeks.com/download886.html

VIRUS and SPYWARE DETECTION
Ewido (XP only - trial version): http://www.ewido.net/en/
HijackThis: http://www.majorgeeks.com/download3155.html

ONLINE HijackThis ANALYZERS
HijackThis analyzer #1: (website) http://www.hijackthis.de/index.php?langselect=english
HijackThis analyzer #2: (website) http://www.help2go.com/modules.php?name=HJTDetective
HijackThis analyzer #3: (website) http://hjt.iamnotageek.com/

ONLINE VIRUS SCAN WEBSITE
Trend Micro: http://housecall.trendmicro.com/

Miscellaneous Tools
Starter: http://www.snapfiles.com/download/dlstarter.html
Icon Restore: http://www.majorgeeks.com/download4125.html
Erunt (XP only): http://www.larshederer.homepage.t-online.de/erunt/
MemTest86: http://www.memtest86.com/
A-Squared: http://www.emsisoft.com/en/software/download/
CWShredder: http://www.softpedia.com/get/Intern...WShredder.shtml

0

IT'S GONE!!! - in the most bizarre way

I pasted my HJT logs into the first analysis site you suggested, went into safe mode and deleted the keys that they thought were bad or suspicious. Then I went straight from that into System Restore without normal boot-up first. After restore the system was clean...until I started Adwatch! As soon as Adwatch started up all the nasty registry entries reinstalled. So I deleted Adaware and Adwatch, and will use Spybot instead. I went through the exact same process again and so far there has been no reappearance of anything bad. It seems that somehow the infection was linked to Adwatch.

All I know is that I now have a clean PC with some nice analytical bits to play with (I really like Ewido).

Thanks tons for your help. It meant a lot that someone bothered to reply to my desperate plea.

*hugz*

Jeppie

0

We're all glad we could help...good luck. If you you download the spyware and AVG programs that I recommend, and do an update and scan once a week with each, then you will keep your system safe. If you are on broadband, I would suggest you get a decent firewall, if you don't have one already.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.