
Author Topic: Hijack Log file  (Read 3963 times)


kop442000

    Topic Starter


    Beginner
  • I love YaBB 1G - SP1!
    Hijack Log file
    « on: March 09, 2005, 01:34:38 PM »
    Hi guys.

    This URL "http://newsearch.org/hp/index3.html" keeps loading when I start my internet explorer, even though it is not set as my home page.

    I have run a number of different spyware programs, and anti-virus but it still happens.

    Here is my log file from "hijack this":

    Logfile of HijackThis v1.99.1
    Scan saved at 20:30:43, on 09/03/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WinAbring.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {26816C40-2FF3-4F01-AAA3-8627A35B741A} - C:\WINDOWS\System32\t.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

    Any help would be gratefully received!!

    Thanks.

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Hijack Log file
      « Reply #1 on: March 09, 2005, 02:10:27 PM »
      kop442000.......Ok , here's what I would do ....

      First .... open hijackthis ..... and click System scan & save logfile.
      next ...click on config button.......when config window opens ...in the 4 URL boxes ....... type in ......
      http://www.google.com    ( in all 4 boxes )
      next click Back ........
      Next mark for removal:

      ALL R0 entries
      ALL R1 entries

      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

      Next click ......Fix checked ......

      There I think that should do it ......now reboot and see how things are .......

      The other thing you should do is go to Windows Update and D/L SP2 and any other items there. That will get you up to date with the latest things ...... SP2 is an important update and you should have it.

      Let us know

      dl65  ::)
      « Last Edit: March 09, 2005, 02:12:45 PM by dl65 »
      If you don't know the answer, it isn't a dumb question.

      kop442000

        Topic Starter


        Beginner
      • I love YaBB 1G - SP1!
        Re: Hijack Log file
        « Reply #2 on: March 09, 2005, 03:00:36 PM »
        Thanks very much for your reply.

        I have done as you said, and it has certainly helped. But still occasionally, another window opens with that old hijack url on it. It rarely happens, but it worries me that it is still there.

        I am just running all the spyware stuff again to see if that helps, what do you think?

        With regards to SP2, I did download it, but my broadband modem stopped working properly, so my provider advised me to do a system restore, and it worked ok again. I think I might try it again though... I would really like SP2 on there.

        Thanks again for your help!

        merlin_2

        • Guest
        Re: Hijack Log file
        « Reply #3 on: March 09, 2005, 03:15:44 PM »
        info>>http://www.theeldergeek.com/slipstreamed_xpsp2_cd.htm

        try a download of spysweeper..........from webroot.com.....

        and to sweep properly.......disable from the net and disable system restore..another tip.....do you have remote assistance.....enabled....on your pc.....disable that also...no need unless you are going to help someone!

        dl65

        • R.I.P.


        • Prodigy

          Thanked: 18
          Re: Hijack Log file
          « Reply #4 on: March 09, 2005, 03:56:51 PM »
          kop442000......Here's another thing to try .....go to ...
          http://www.microsoft.com/athome/security/spyware/software/default.mspx    download and run Antispyware Beta, it is very good.

          It may also find that elusive link that is appearing from time to time. Make sure you turn on the auto update feature in Antispyware .....


          dl65  ::)
          If you don't know the answer, it isn't a dumb question.
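
The log posted at the top of this thread, run through a small triage parser (an added example, not part of any post here and not HijackThis's own code). The function names, the `OS_PROCS` allow-list and both heuristics are assumptions made for illustration; the sample is a constructed subset of the posted log, and the output is a list of items to inspect by hand, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WinAbring.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {26816C40-2FF3-4F01-AAA3-8627A35B741A} - C:\WINDOWS\System32\t.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# A log entry is a section code (R0, O2, O23, ...), " - ", then free text.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Assumption: short allow-list of standard Windows XP process names; names can be spoofed.
OS_PROCS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
            "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}

def parse(log):
    """Return (running_processes, {section_code: [entry_text, ...]})."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False          # the first coded entry ends the process list
            entries[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, dict(entries)

def review_queue(log):
    """List (reason, item) pairs to inspect by hand; triage hints, not verdicts."""
    procs, entries = parse(log)
    queue = [("unnamed BHO", e) for e in entries.get("O2", []) if e.startswith("BHO: (no name)")]
    autostarts = " ".join(entries.get("O4", []) + entries.get("O23", [])).lower()
    for path in procs:
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in path.lower() and name not in OS_PROCS and path.lower() not in autostarts:
            queue.append(("System32 process with no O4/O23 entry", path))
    return queue

if __name__ == "__main__":
    for reason, item in review_queue(SAMPLE_LOG):
        print(f"{reason}: {item}")
```
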