Homepage Changing on Auto - WANT IT STOPPED!!

 
 
brettfox
 
  1  
Reply Thu 25 Mar, 2004 05:52 pm
Thanks Moderator...but that don't work no more...
Trust me...I went through the whole 6 hour rigamarole from that link, and this crap still pops up EVERY time I restart...Homepage changing, 5 new icons on desktop AND 5 new favorites, all spam.

Obviously they saw what we were doing to remove it, and one-upped us.

I was hoping that someone had another idea of how to remove this.
0 Replies
 
Venom5-0
 
  1  
Reply Thu 25 Mar, 2004 06:55 pm
I've gone through all the steps to remove this f'n thing. It's driving me crazy. If they ever find out who created this mess I'm either going to give him/her a huge beat down or sue them till they are my personal financial institution for all my personal time that they have wasted trying to fix this thing. But seriously, back to the topic at hand, here is a scan of my pc using hijackthis!

Logfile of HijackThis v1.97.7
Scan saved at 7:43:42 PM, on 3/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Updated Drivers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {407F5185-3B2E-4196-982B-1E258C46F8FD} - ftp://ftp.ea.com/pub/easports/patches/nhl2003/en-us/nhl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://69.0.85.62/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37881.7478125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

I know exactly when this stupid thing started happening too. There was a crap ton of popups that just wouldn't go away. I must have accidentally clicked yes in the storm. BTW: I've been involved in IT for a long time and those 5 icons on my desktop are killing me.
0 Replies
 
Monger
 
  1  
Reply Thu 25 Mar, 2004 07:10 pm
Just a heads up to the computer experts 'round these parts...I know from personal experience that the steps described in Timber's excellent "Spyware, Browser Hijacks, or other Yuckware? Check here 1st" thread will not, at the moment, fix these thebestse homepage problems. I don't have time to look over these logfiles in detail right now (been super busy of late & my boss is expecting me to actually do some work), but if no one steps in I'll try to help out later...
0 Replies
 
azarmadillo
 
  1  
Reply Thu 25 Mar, 2004 11:23 pm
Here is what TheBestSe.com replied to me with when I made my complaint.

"We receive many letters that our search system
is established as a homepage each time when
computer restart. We have no attitude to this,
our search system is advertised by hundreds of
webmasters and we cannot follow
everyone. At present we use the best
efforts to find out who in it is guilty.
We shall be grateful to You if You inform us
page on which the harmful program has been
installed.
We suppose You can fix this problem with
HijackThis software (free)
(http://www.spywareinfo.com/~merijn/)
Try to search registry(Start->Run->regedit) and change all keys
containing "thebestse.com". Then look in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete suspicious files there. If You are not sure, email us
contents of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
of Your registry and we will try to help You.
Thanks for understanding.
--
Best regards,
TheBestSE
mailto:[email protected]"
0 Replies
 
orpiment
 
  1  
Reply Fri 26 Mar, 2004 07:53 am
Another newbie with bestse blues
Hi guys. Nice Thread. You seem to be the only people on the web taking this seriously.

Guess what. I'm another poor sap with a hijacked home page.
I've tried cwshredder and adaware. But the little b***** just keeps coming back.

I think my problem is similar to the one that discogail fixed for onyxelle.

Here's my HijackThis log. Anybody spot anything suspicious?

TIA.



Logfile of HijackThis v1.97.7
Scan saved at 13:32:50, on 26/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [system] C:\systemsearch.hta
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\bible.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: sytem32.exe
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37872.0537962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://63.167.55.62/thinanywhere/downloads/InstallFromWeb/OneClickNoMSI/setup.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
0 Replies
 
brettfox
 
  1  
Reply Fri 26 Mar, 2004 09:23 am
Any help on this I can get is appreciated...
Monger wrote:
Just a heads up to the computer experts 'round these parts...I know from personal experience that the steps described in Timber's excellent "Spyware, Browser Hijacks, or other Yuckware? Check here 1st" thread will not, at the moment, fix these thebestse homepage problems. I don't have time to look over these logfiles in detail right now (been super busy of late & my boss is expecting me to actually do some work), but if no one steps in I'll try to help out later...


Well, here's an update... You are correct, the "Check here 1st" isn't valid anymore obviously. Following THEBESTSE's recommendations does delete the registry files, but get this...it keeps regenerating EVERY TIME you restart or log off. I'm not sure if the "your-search.info" shortcuts and favorites are tied together in the same hijack, but I haven't been able to fix either, and they both started the same exact time.

I'm thinking of reloading XP...you think I need to reformat the drive, or just run the restore disk?
0 Replies
 
Monger
 
  1  
Reply Fri 26 Mar, 2004 09:43 am
orpiment, close all other windows, and with only Hijackthis running check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O4 - HKLM\..\Run: [system] C:\systemsearch.hta
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)



Press "Fix Checked" then reboot. After restarting, delete the following files:

C:\systemsearch.hta
C:\WINDOWS\system\systeminit.exe
sytem32.exe <-- not sure where this one is (run a search for it)
C:\WINDOWS\sstyle.css


See if normalness has returned.

Also, make sure to install any IE or security related updates from http://windowsupdate.microsoft.com that are available for your system.


Edit: Added red to make fixes stand out from other posts
0 Replies
 
brettfox
 
  1  
Reply Fri 26 Mar, 2004 10:13 am
Before I go any further...
Ok, I'm on to something here now...I've devoted all day to this...

Besides the "THEBESTSE.COM" obvious listings, does anything look out of the ordinary?

Where else besides STARTUP directory can programs be hidden that auto run when you reboot? Is there a startup mode that will allow you to decide line by line what gets processed like in DOS?

Logfile of HijackThis v1.97.7
Scan saved at 10:08:50 AM, on 3/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\bef\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://221.21.21.100/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://221.21.21.100/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://221.21.21.100/officescan/clientinstall/setup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://221.21.21.100/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.252.163.240/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABD710B-DA28-45FE-8A9A-E82A4CC30E5A}: NameServer = 24.217.0.3,24.217.0.4
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
0 Replies
 
Monger
 
  1  
Reply Fri 26 Mar, 2004 10:21 am
brettfox, close all other windows, and with only Hijackthis running check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABD710B-DA28-45FE-8A9A-E82A4CC30E5A}: NameServer = 24.217.0.3,24.217.0.4
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)




then reboot & delete:

C:\WINDOWS\sstyle.css
C:\WINDOWS\system\systeminit.exe



...lemme know if that fixes it.



Edit: Added horrible red color to make fixes stand out from other posts
0 Replies
 
Sandman
 
  1  
Reply Fri 26 Mar, 2004 11:00 am
WOOOHOOO!!! I think I got it! Ok here is what I did.

1) Go to your startup folder (Start\Programs\Startup) and delete the sytem32.exe. That is where they are sneaky!
2) Go to your system folder (c:\windows\system or c:\winnt\system usually) and delete systeminit.exe.
3) Search thru the registry for "thebestse" and delete all occurrences of it.
4) Do #3 above but for systeminit.exe

What they did is dropped system32.exe into the startup folder. When the machine starts up, it would copy and rename itself to c:\winnt\systeminit.exe. It would also modify the registry and all the keys to get it going.

Also, does anybody know if this is just a hijack program, or is it a virus or a trojan horse or something like that too?
0 Replies
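As an added example (not code from this thread or from HijackThis), here is a Python triage script that applies the indicators Monger's fix lists and Sandman's post explains (the thebestse.com start-page keys, the hosts-file redirects, the systeminit.exe / sytem32.exe / systemsearch.hta autoruns and the sstyle.css stylesheet) to HijackThis log lines like those posted, and derives the file list to delete after the reboot. The function names, and the "review" heuristics for O16 controls fetched from a bare IP and O17 NameServer overrides, are my own assumptions.

```python
"""Triage a HijackThis 1.97-style log for the thebestse.com hijack indicators
discussed in this thread (hypothetical helper, not part of HijackThis)."""
import re
from dataclasses import dataclass

# Indicators taken from the logs and fixes posted in this thread.
HIJACK_DOMAINS = ("thebestse.com",)
SUSPECT_FILES = ("systeminit.exe", "sytem32.exe", "systemsearch.hta", "sstyle.css")
# Search sites the hijack's hosts-file entries pointed elsewhere; any non-loopback IP is a redirect.
SEARCH_SITES = ("google.com", "altavista.com", "msn.com", "yahoo.com")
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")

@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O4"
    severity: str  # "fix" = check it in HijackThis, "review" = confirm by hand first
    reason: str
    line: str

def check_line(line: str):
    """Return a Finding for one log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank line or running-process path
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code in ("R0", "R1") and any(d in low for d in HIJACK_DOMAINS):
        return Finding(code, "fix", "IE start/search page set to hijack domain", line)
    if code == "O1":
        parts = body.split()  # "Hosts: <ip> <hostname>"
        if len(parts) >= 3:
            ip, host = parts[1], parts[2].lower()
            redirected = any(host == s or host.endswith("." + s) for s in SEARCH_SITES)
            if redirected and not ip.startswith("127."):
                return Finding(code, "fix", f"hosts file sends {host} to {ip}", line)
    if code == "O4" and any(name in low for name in SUSPECT_FILES):
        return Finding(code, "fix", "autorun entry launches a hijacker component", line)
    if code == "O19" and "sstyle.css" in low:
        return Finding(code, "fix", "user stylesheet injected into IE", line)
    if code == "O16" and RAW_IP_URL_RE.search(body):
        return Finding(code, "review", "ActiveX control fetched from a bare IP address", line)
    if code == "O17" and "nameserver" in low:
        return Finding(code, "review", "DNS server override; confirm it is your ISP's", line)
    return None

def triage(log_text: str):
    """Run check_line over a whole log and return the findings in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

def _launch_target(body: str):
    """File an O4 entry launches: "[name] path args" or "Global Startup: x.lnk = path"."""
    m = re.search(r"\]\s+(.+)$", body) or re.search(r"Global Startup:\s+(?:[^=]+=\s*)?(.+)$", body)
    if not m:
        return None
    target = m.group(1).strip()
    if target.startswith('"'):  # quoted path followed by arguments
        target = target[1:].split('"', 1)[0]
    return target

def files_to_delete(findings):
    """Files to remove after 'Fix Checked' and a reboot, as Monger's post lists by hand."""
    paths = set()
    for f in findings:
        if f.severity != "fix":
            continue
        body = LINE_RE.match(f.line.strip()).group("body")
        if f.code == "O4":
            target = _launch_target(body)
            if target:
                paths.add(target)
        elif f.code == "O19":
            m = re.search(r"User stylesheet:\s+(.+?)(?:\s+\(HKLM\))?$", body)
            if m:
                paths.add(m.group(1))
    return sorted(paths)

# Constructed excerpt assembled from log lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [system] C:\systemsearch.hta
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABD710B-DA28-45FE-8A9A-E82A4CC30E5A}: NameServer = 24.217.0.3,24.217.0.4
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.code}: {f.reason}\n    {f.line}")
    print("delete after reboot:", ", ".join(files_to_delete(found)))
```

The "review" items are deliberately not auto-deleted: a NameServer entry is usually the ISP's, and a control downloaded from a bare IP can be legitimate (the OfficeScan and Axis camera entries in the logs above are), so they need a human decision.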
 
brettfox
 
  1  
Reply Fri 26 Mar, 2004 11:02 am
EUREKA!!!!! WE'RE FREE!!!
Monger wrote:
brettfox, close all other windows, and with only Hijackthis running check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABD710B-DA28-45FE-8A9A-E82A4CC30E5A}: NameServer = 24.217.0.3,24.217.0.4
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)




then reboot & delete:

C:\WINDOWS\sstyle.css
C:\WINDOWS\system\systeminit.exe



...lemme know if that fixes it.


OK, WOW!!! That fixes it. Thanks so much Monger. The problem is somewhere here:

O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABD710B-DA28-45FE-8A9A-E82A4CC30E5A}: NameServer = 24.217.0.3,24.217.0.4


Don't know what it is, but remove these, and you're free. Any way we can pass this info to CWShredder or Spybot for them to incorporate? It's going to be the next big problem...
0 Replies
 
Monger
 
  1  
Reply Fri 26 Mar, 2004 11:19 am
My pleasure, brettfox.
0 Replies
 
orpiment
 
  1  
Reply Fri 26 Mar, 2004 11:32 am
Not quite there yet
Monger wrote:
orpiment, close all other windows, and with only Hijackthis running check off:
etc etc

Thanks for a good try Monger, you seem to be very busy today...
Unfortunately I'm not quite there yet....

I did exactly as you said (including deleting C:\WINDOWS\sstyle.css) but I'm still suffering from a hijacked home page and the file C:\WINDOWS\sstyle.css has re-appeared!!

Here's my new logfile

Hope somebody can help.


Logfile of HijackThis v1.97.7
Scan saved at 17:20:06, on 26/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\QUICKENW\QAGENT.EXE
C:\Program Files\AOL 8.0\aoltray.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
O1 - Hosts: 69.93.33.155 msn.com
O1 - Hosts: 69.93.33.155 search.msn.com
O1 - Hosts: 69.93.33.155 www.msn.com
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 69.93.33.155 google.com
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O1 - Hosts: 69.93.33.155 yahoo.com
O1 - Hosts: 69.93.33.155 www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\bible.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37872.0537962963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://63.167.55.62/thinanywhere/downloads/InstallFromWeb/OneClickNoMSI/setup.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
0 Replies
 
Monger
 
  1  
Reply Fri 26 Mar, 2004 11:43 am
Re: Not quite there yet
orpiment wrote:
Unfortunately I'm not quite there yet....

I did exactly as you said (including deleting C:\WINDOWS\sstyle.css) but I'm still suffering from a hijacked home page and the file C:\WINDOWS\sstyle.css has re-appeared!!

Here's my new logfile

Hope somebody can help...

Please try the steps again, and make sure to delete all 4 files I mentioned.

Monger wrote:
...
Press "Fix Checked" then reboot. After restarting, delete the following files:

C:\systemsearch.hta
C:\WINDOWS\system\systeminit.exe
sytem32.exe <-- not sure where this one is (run a search for it)
C:\WINDOWS\sstyle.css
0 Replies
 
Sandman
 
  1  
Reply Fri 26 Mar, 2004 11:45 am
orpiment,

Try what I suggested above. I think the sytem32.exe is what is causing it all. If you remove everything but the sytem32.exe, the next time you reboot, you'll have to start over! The sytem32.exe will get executed if it is in the startup directory and it will start all over.
0 Replies
 
brettfox
 
  1  
Reply Fri 26 Mar, 2004 11:45 am
Re: Not quite there yet
orpiment wrote:
Monger wrote:
orpiment, close all other windows, and with only Hijackthis running check off:
etc etc

Thanks for a good try Monger, you seem to be very busy today...
Unfortunately I'm not quite there yet....

I did exactly as you said (including deleting C:\WINDOWS\sstyle.css) but I'm still suffering from a hijacked home page and the file C:\WINDOWS\sstyle.css has re-appeared!!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

Orpiment...check your startup folder, and see if there is a "sytem" entry in there...that could do it...

You still have the file recreating, but this does fix it, I promise you...
0 Replies
 
Monger
 
  1  
Reply Fri 26 Mar, 2004 11:48 am
Sandman wrote:
orpiment,

Try what I suggested above. I think the system32.exe is what is causing it all. If you remove everything but the system32.exe, the next time you reboot, you'll have to start over! The system32.exe will get executed if it is in the startup directory and it will start all over.

It's sytem32.exe, not system32.exe (important if you're using HijackThis or a search to find it). Here's how the entry looks in orpiment's log file:


O4 - Global Startup: sytem32.exe
0 Replies
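
As an added example (not code from anyone in this thread), here is a small Python parser for the HijackThis log format that flags exactly the entries the posts above single out: the R0/R1 start and search pages pointed at thebestse.com, the O1 hosts-file lines mapping search engines to 69.93.33.155, the O4 autostart entries for systeminit.exe and sytem32.exe, and the O19 sstyle.css user stylesheet. The sample log inside it is constructed from lines quoted in the thread, and the function names are my own.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread
# (not a real scan of anyone's machine; the QuickTime line is a benign control).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.thebestse.com/search.shtml
O1 - Hosts: 69.93.33.155 www.google.com
O4 - HKLM\\..\\Run: [QuickTime Task] C:\\WINDOWS\\System32\\qttask.exe
O4 - HKLM\\..\\Run: [system32.dll] C:\\WINDOWS\\system\\systeminit.exe
O4 - Global Startup: sytem32.exe
O19 - User stylesheet: C:\\WINDOWS\\sstyle.css (HKLM)
"""

# Indicators taken from the logs posted in this thread.
HIJACK_DOMAIN = "thebestse.com"
HIJACK_HOSTS_IP = "69.93.33.155"
HIJACK_FILES = ("systeminit.exe", "sytem32.exe", "sstyle.css", "systemsearch.hta")

# Every HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into {'section': ..., 'body': ...} records."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def classify(entry):
    """Reason the entry matches a thread indicator, or '' if it looks benign."""
    section, body = entry["section"], entry["body"]
    low = body.lower()
    if section.startswith("R") and HIJACK_DOMAIN in low:
        return "IE start/search page redirected to " + HIJACK_DOMAIN
    if section == "O1" and HIJACK_HOSTS_IP in body:
        return "hosts file maps a search engine to " + HIJACK_HOSTS_IP
    if section == "O4" and any(f in low for f in HIJACK_FILES):
        return "autostart entry re-launches the hijacker at every boot"
    if section == "O19" and "sstyle.css" in low:
        return "user stylesheet injected into every page"
    return ""

def suspicious_entries(text):
    """Parsed entries that match an indicator, each tagged with its reason."""
    hits = []
    for e in parse_hjt(text):
        reason = classify(e)
        if reason:
            hits.append(dict(e, reason=reason))
    return hits

HITS = suspicious_entries(SAMPLE_LOG)  # six flagged entries on the constructed sample
```

Note the O4 Global Startup line: the misspelt sytem32.exe matches only because the file list carries the misspelling, which is why a search for "system32.exe" finds nothing.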
 
Sandman
 
  1  
Reply Fri 26 Mar, 2004 11:51 am
Monger wrote:
Sandman wrote:
orpiment,

Try what I suggested above. I think the system32.exe is what is causing it all. If you remove everything but the system32.exe, the next time you reboot, you'll have to start over! The system32.exe will get executed if it is in the startup directory and it will start all over.

It's sytem32.exe, not system32.exe (important if you're using HijackThis or a search to find it). Here's how the entry looks in orpiment's log file:


O4 - Global Startup: sytem32.exe


Yes it is! wow.. very deceiving. I'll edit my previous post so I don't confuse anybody.
0 Replies
 
Monger
 
  1  
Reply Fri 26 Mar, 2004 11:55 am
Yeah, there's certainly a lot to hate about the people making all this shite.
0 Replies
 
Sandman
 
  1  
Reply Fri 26 Mar, 2004 12:05 pm
So, does anybody know... is this just a hijack application or is it a trojan horse, or some other type of virus?
0 Replies
 
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 05/03/2024 at 01:37:06