Hijacking


G

Guest

Hi
My internet Explorer has been hijacked and i seem to keep getting a search
page
as my blank page.
I have run programs like adaware, spy stopper and highjack this.
still i am getting this annoying page.
When i have run Highjack this to clear it, on opening explorer i get a pop up
which resets my home page to the search page.
Can somebody help me please!

I am using XP with SP2

Here is the Hijack this log file...

Logfile of HijackThis v1.97.7
Scan saved at 09:06:57, on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\WINDOWS\d3md32.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\appez.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\downloaded\spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.vanessa-mae.pwp.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arioch's
Main
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} -
C:\WINDOWS\system32\appzy.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence
Eliminator\ee.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program
Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Farces & Attrapes] C:\Program Files\eMule\Temp\Emule
v0.42D Upload Limit Crack Patcher By Maf.exe \farces
O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG
/Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda
Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum
Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager
Controller\AdManCtl.exe
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program
Files\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
Plus\Driver\WATCH.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda
platinum internet security\pavlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093187653344
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38221.3499074074
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) -
http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
http://www2.incredimail.com/contents/setup/downloader/imloader.cab



Many thanks
 
Ad

Advertisements

M

Mike Hall

Try CWShredder..

http://www.intermute.com/spysubtract/cwshredder_download.html ..

You might also want to look at www.pchell.com.. Mark Hastings is doing a
sterling job there..

--
Mike Hall
MVP - Windows Shell/user







Arioch said:
Hi
My internet Explorer has been hijacked and i seem to keep getting a search
page
as my blank page.
I have run programs like adaware, spy stopper and highjack this.
still i am getting this annoying page.
When i have run Highjack this to clear it, on opening explorer i get a pop
up
which resets my home page to the search page.
Can somebody help me please!

I am using XP with SP2

Here is the Hijack this log file...

Logfile of HijackThis v1.97.7
Scan saved at 09:06:57, on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Platinum Internet
Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\AVENGINE.EXE
C:\WINDOWS\d3md32.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\apvxdwin.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\SRVLOAD.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\appez.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\WebProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\downloaded\spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.vanessa-mae.pwp.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Arioch's
Main
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} -
C:\WINDOWS\system32\appzy.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence
Eliminator\ee.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program
Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Farces & Attrapes] C:\Program Files\eMule\Temp\Emule
v0.42D Upload Limit Crack Patcher By Maf.exe \farces
O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG
/Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda
Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda
Platinum
Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager
Controller\AdManCtl.exe
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program
Files\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
Plus\Driver\WATCH.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat
6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda
platinum internet security\pavlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX
Player) -
http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl
Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093187653344
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38221.3499074074
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) -
http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
http://www2.incredimail.com/contents/setup/downloader/imloader.cab



Many thanks
 
J

Jon Erlandson

Browsing the log I see two suspect processes , C:\WINDOWS\d3md32.exe and
C:\WINDOWS\system32\appez.exe . If CWShredder and Ad-Aware don't pick it up
you might try Spybot Search and Destroy
http://www.safer-networking.org/en/download/index.html . If you still have
the problem you can try renaming these files and if that solves the problem
without causing another delete them. I've googled the two programs i.e.,
"d3md32.exe" and "appez.exe" and see nothing about them which may mean it is
a recent Hijack exploit or belongs to a recently released legitimate program
(I doubt that however.)

After all that rerun HijackThis, check the following box and have HijackThis
fix it.
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe


Arioch said:
Hi
My internet Explorer has been hijacked and i seem to keep getting a search
page
as my blank page.
I have run programs like adaware, spy stopper and highjack this.
still i am getting this annoying page.
When i have run Highjack this to clear it, on opening explorer i get a pop
up
which resets my home page to the search page.
Can somebody help me please!

I am using XP with SP2

Here is the Hijack this log file...

Logfile of HijackThis v1.97.7
Scan saved at 09:06:57, on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Platinum Internet
Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\AVENGINE.EXE
C:\WINDOWS\d3md32.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\apvxdwin.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\SRVLOAD.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\appez.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\WebProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\downloaded\spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.vanessa-mae.pwp.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Arioch's
Main
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} -
C:\WINDOWS\system32\appzy.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence
Eliminator\ee.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program
Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Farces & Attrapes] C:\Program Files\eMule\Temp\Emule
v0.42D Upload Limit Crack Patcher By Maf.exe \farces
O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG
/Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda
Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda
Platinum
Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager
Controller\AdManCtl.exe
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program
Files\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
Plus\Driver\WATCH.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat
6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda
platinum internet security\pavlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX
Player) -
http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl
Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093187653344
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38221.3499074074
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) -
http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
http://www2.incredimail.com/contents/setup/downloader/imloader.cab



Many thanks
 
G

Guest

Thanks Guys
I have removed the hijack but i am still being bombarded with it each time i
open
Inter net Explorer.
I have found a program listed in my Ad Remove programs listing called Home
Search
Assistant which might be the suspect programme? because i am getting search
engine
pop ups every time i do a search and pop ups called only the best.

I have tried uninstalling Home Search but all it does is takes me to a
website to allow
me to download the uninstall software, can any body tell me what i need to
look for in
the Registry and on my drive to enable me to delete it?

many thanks

Arioch said:
Hi
My internet Explorer has been hijacked and i seem to keep getting a search
page
as my blank page.
I have run programs like adaware, spy stopper and highjack this.
still i am getting this annoying page.
When i have run Highjack this to clear it, on opening explorer i get a pop up
which resets my home page to the search page.
Can somebody help me please!

I am using XP with SP2

Here is the Hijack this log file...

Logfile of HijackThis v1.97.7
Scan saved at 09:06:57, on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\WINDOWS\d3md32.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\appez.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\downloaded\spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.vanessa-mae.pwp.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arioch's
Main
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} -
C:\WINDOWS\system32\appzy.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence
Eliminator\ee.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program
Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Farces & Attrapes] C:\Program Files\eMule\Temp\Emule
v0.42D Upload Limit Crack Patcher By Maf.exe \farces
O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG
/Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda
Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum
Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager
Controller\AdManCtl.exe
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program
Files\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
Plus\Driver\WATCH.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda
platinum internet security\pavlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093187653344
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38221.3499074074
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) -
http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
http://www2.incredimail.com/contents/setup/downloader/imloader.cab



Many thanks
 
Ad

Advertisements

J

Jon Erlandson

Remove Home Search Assistant
http://www.short-media.com/review.php?r=259


Arioch said:
Thanks Guys
I have removed the hijack but i am still being bombarded with it each time
i
open
Inter net Explorer.
I have found a program listed in my Ad Remove programs listing called Home
Search
Assistant which might be the suspect programme? because i am getting
search
engine
pop ups every time i do a search and pop ups called only the best.

I have tried uninstalling Home Search but all it does is takes me to a
website to allow
me to download the uninstall software, can any body tell me what i need to
look for in
the Registry and on my drive to enable me to delete it?

many thanks

Arioch said:
Hi
My internet Explorer has been hijacked and i seem to keep getting a
search
page
as my blank page.
I have run programs like adaware, spy stopper and highjack this.
still i am getting this annoying page.
When i have run Highjack this to clear it, on opening explorer i get a
pop up
which resets my home page to the search page.
Can somebody help me please!

I am using XP with SP2

Here is the Hijack this log file...

Logfile of HijackThis v1.97.7
Scan saved at 09:06:57, on 15/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Platinum Internet
Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\Firewall\PavFires.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\AVENGINE.EXE
C:\WINDOWS\d3md32.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\apvxdwin.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\SRVLOAD.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\appez.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum Internet
Security\WebProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\downloaded\spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.vanessa-mae.pwp.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Arioch's
Main
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} -
C:\WINDOWS\system32\appzy.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence
Eliminator\ee.exe /m
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program
Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Farces & Attrapes] C:\Program Files\eMule\Temp\Emule
v0.42D Upload Limit Crack Patcher By Maf.exe \farces
O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG
/Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda
Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda
Platinum
Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager
Controller\AdManCtl.exe
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program
Files\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
Plus\Driver\WATCH.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat
6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda
platinum internet security\pavlsp.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX
Player) -
http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl
Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093187653344
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38221.3499074074
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) -
http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
http://www2.incredimail.com/contents/setup/downloader/imloader.cab



Many thanks
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

hijacked? 1
A new hijacking 161
homepage hijack 3
Desktop Hijacking 6
Browser Hijack 3
Browser hijacking :( 3
Hijacked Browser 2
HiJack this log: 2

Top