home search hijack etc

  rsturbo 05:33 27 Nov 2004

have been hijacked, i can't get into the trusted sites applet in tools/internet options/security - it's greyed out? i bet this crap hijack has something lurking in there. any ideas how to get access to this applet would be greatly appreciated. have followed various links on this subject from this and google searches - nothing seems to work for me :(

  Andsome 09:15 27 Nov 2004

Go to this website and follow the instructions for downloading and running a program called Hijack this. DO NOT attempt to do any deleting yourself. Post your scan on the site, and you are virtually certain to get your problem resolved. There are several experts on the site who are geniuses at sorting out these problems. Several of them also visit here. The problem here is that due to restrictions you have to split your scan into two halves for posting, whereas on Windows forum you can post it all in one go.

click here

  Taff36 09:38 27 Nov 2004

You definitely need Adaware & Spybot search and destroy when you've sorted out the problem. In Spybot S & D you can select a setting that specifically prevents anyone (Including you) resetting the homepage - you have to manually turn it off before doing so.

  rsturbo 00:38 28 Nov 2004

used hijack this before so have used that, got rid of main infection - can now keep hold of home page. However i run spybot and it comes up with 4 or 5 changes in zones section of registry:

WebTrends live: Tracking cookie (Internet Explorer: user) (Cookie, nothing done)

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1606980848-839522115-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

i now have control of my zones applet in security tab - removed suspicious ip address.
in add/remove programs i can't rid myself of:
home search assistant, shopping wizard, windows task aid, search extender when i try i get sent to a website and asked to click a link to download removal program. yeh right!!

  rsturbo 04:16 28 Nov 2004

Logfile of HijackThis v1.97.7
Scan saved at 03:12:52, on 28/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\1st Security Agent\newadmin.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

  rsturbo 04:17 28 Nov 2004

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\1st Security Agent\newadmin.exe" saskda
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
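
An added example, not part of the original posts: a small Python parser for the HijackThis entry lines in the log above, which groups entries by section code and pulls out the O4 Run-key autostarts and the O6 lines that report Internet Explorer policy keys. The sample log is built from lines in the post, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\1st Security Agent\newadmin.exe" saskda
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
"""

# "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autostart: hive, Run key name, value name, command line
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# O6: a key under Software\Policies reported as present
POLICY = re.compile(r"^(HK\w+\\Software\\Policies\\.+?) present$")


def parse(log_text):
    """Group entry bodies by section code; non-entry lines are skipped."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return groups


def autoruns(groups):
    """Return O4 registry Run entries as dicts (startup-folder items excluded)."""
    found = []
    for body in groups.get("O4", []):
        m = RUN.match(body)
        if m:
            hive, key, name, command = m.groups()
            found.append({"hive": hive, "key": key, "name": name, "command": command})
    return found


def policy_keys(groups):
    """Return the registry paths that O6 lines report as present."""
    return [m.group(1) for b in groups.get("O6", []) if (m := POLICY.match(b))]


if __name__ == "__main__":
    g = parse(SAMPLE_LOG)
    for entry in autoruns(g):
        print(entry["hive"], entry["name"], "->", entry["command"])
    for key in policy_keys(g):
        print("policy key present:", key)
```

The O6 lines are the ones to review when an Internet Options page is greyed out, since they show that Internet Explorer policy keys are set for the current user.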

  rsturbo 04:18 28 Nov 2004

can you understand or should i post somewhere else?

  rsturbo 17:10 28 Nov 2004

the only thing i noticed is i have sp2 - the browser has an information bar that tells me when something it does not like is being blocked. well even when i open google home page it is blocking some kind of active content. any ideas?

thanks again for looking

  rsturbo 01:19 29 Nov 2004

it told us what program/file its trying to stop.
i now can't get into the INTERNET sites applet in tools/internet options/security - it's greyed out? i also can't drop down the security slider below medium, when i try this a dialogue box opens telling me the recommended level is medium - it then, as soon as i try to close it changes the setting back to medium. This or something is stopping me accessing my ebay sign in.

This thread is now locked and can not be replied to.
