I have run into one I can not seem to locate: my home page keeps reseting to
http://1-se.com/home.html. Fixing this with HijackThis does not eliminate the proble as it returns with the next boot.
Logfile of HijackThis v1.97.7
Scan saved at 10:02:01 PM, on 4/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\AGRSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\HOMENETWORK\ICM.EXE
C:\PROGRAM FILES\DEERFIELD.COM\INTERQUICK\INTERQUICK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\HOMENETWORK\ICMMONITOR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\PROGRAM FILES\MICROSOFT\OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\WMCONNECT\WMTRAY.EXE
D:\PROGRAM FILES\MICROSOFT\OFFICE\OFFICE10\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WINFILE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TCFHAJQB\HIJACKTHIS[1].EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://in.webcounter.cc/-/?mszoe (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://1-se.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://in.webcounter.cc/-/?mszoe about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.seagate.com/redirects/campai...eatools/cd
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://in.webcounter.cc/--/?mszoe (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) =
http://1-se.com/srchasst.html (obfuscated)
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [ICMMonitor] C:\PROGRAM FILES\HOMENETWORK\ICMMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ICMEngine] C:\PROGRAM FILES\HOMENETWORK\ICM.EXE -9Xservice
O4 - HKLM\..\RunServices: [InterQuickEngine] C:\PROGRAM FILES\DEERFIELD.COM\INTERQUICK\INTERQUICK.EXE -9Xservice
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - Startup: Office Startup.lnk = D:\Program files\Microsoft\Office\Office\OSA.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program files\Microsoft\Office\Office10\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = D:\Program files\Microsoft\Office\Office\FINDFAST.EXE
O4 - Startup: Wal-Mart Connect Tray Icon.lnk = D:\Program files\wmconnect\wmtray.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?url=http://66.117.38.54:80/dexUS585.exe
O19 - User stylesheet: C:\WINDOWS\color.css
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
Thank You! That did it! 
Stumble It!
Tweet This
Bookmark on Delicious
Share on Facebook
Share on MySpace