hi-jack this thread

  Chezdez 21:57 02 Feb 05
Locked

hey guys, i'm at college at the moment, and my homepage for internet
explorer keeps changing to click here. i have
altered it both within internet explorer and within the registry, but to no
avail, it keeps changing back!!!

the system is windows 2000 professional, Adaware, F-secure anti-virus, AMD
duron 1GHz 120 MB RAM (128 total, but 8MB if for onboard graphics). the
individual PC's on the network don't have a firewall, but the router is a
CISCO 2514, and the firewall on that is the active firewall. as far as i
know, this is the only computer on the network with this problem. luckily,
this network is seperate from the main college network, so i have admin
rights on this computer

Logfile of HijackThis v1.99.0
Scan saved at 09:12:46, on 01/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\F-Secure\Common\FSMB32.EXE

C:\Program Files\F-Secure\Common\FCH32.EXE

C:\Program Files\F-Secure\Common\FAMEH32.EXE

C:\Program Files\F-Secure\Common\FNRB32.EXE

C:\Program Files\F-Secure\Common\FIH32.EXE

C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\khooker.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Adaptec

Shared\CreateCD\CreateCD50.exe

C:\Program Files\Adaptec\Easy CD Creator 5

\DirectCD\DirectCD.exe

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\WINNT\system32\internat.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft

Office\Office\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PROGRA~1\WinZip\winzip32.exe

C:\DOCUME~1\jase\LOCALS~1\Temp\HijackThis.exe

second half to follow

  Chezdez 21:58 02 Feb 05

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
click here

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = *.burnley.ac.uk

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD
Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program
Files\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINNT\system32\dslgeaccess[1].exe -N

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINNT\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = networking.com

O17 -
HKLM\System\CCS\Services\Tcpip\..\{AF5A6A91-CC70-4BA6-8C71-17999D52CF68}:
NameServer = 213.120.62.101,213.120.62.98

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = networking.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = networking.com

O23 - Service: Logical Disk Manager Administrative Service - VERITAS
Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - C:\Program
Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation -
C:\Program Files\F-Secure\Common\FNRB32.EXE

O23 - Service: F-Secure Authentication Agent - F-Secure Corporation. All
Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE

O23 - Service: F-Secure Management Agent - F-Secure Corporation - C:\Program
Files\F-Secure\Common\FSMA32.EXE

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown -
%ProgramFiles%\WinPcap\rpcapd.exe (file missing)


ok, so theres the log, any ideas as to what is causing this??

thanks in advance

  Chezdez 21:59 02 Feb 05

i'm not actually at college, i tried posting it at college, couldn't work out why it wouldn't post, think it was because i was over 800 words, so i e-mailed it to myself and only just got round to posting now

  Nellie2 22:28 02 Feb 05

I can't see any malware in your log... just the homepage that is causing you problems.

Please move HijackThis into a permanent folder. It is important that you run HijackThis.exe in its own folder so the backup files that HijackThis file will create will not be accidentally deleted on reboot.

Then open hijackthis, click the scan button and wait until the scan has finished, put a tick against the following and click 'fix checked'

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://community.globaleaccess.com/

Reboot and let me know if that solves your problem

  Chezdez 22:31 02 Feb 05

tried removing the registry key, no joy

it may be worthwhile noting that there are several people that use the computers, everyone that uses them has admin rights, and my profile is a roaming profile, with local admin priveleges

  Dan the Confused 23:56 02 Feb 05

There's an uninstaller for it apparently click here

  Chezdez 14:22 03 Feb 05

thanks for that, but it doesn't appear to have worked

ran the uninstall, re-booted, and it was still there

then i ran it twice (without reboot), and it managed to 'uninstall' it twice

any other ideas?

  Dan the Confused 19:11 03 Feb 05

Since you've been tampering with the registry it may be worth re-installing it again and then run the uninstaller. Otherwise, I don't know why it doesn't work. Have you tried contacting them?

  Chezdez 15:55 06 Feb 05

contacting the site? no, but i will try that on tuesday when i'm back in college

i also have a backup of the registry on the server (had to do it as part of a task), so i'll try that (if it isn't infected as well :S)

This thread is now locked and can not be replied to.

What is Amazon Go and will it come to the UK? The store without checkouts or queues

1995-2015: How technology has changed the world in 20 years

Why ecommerce hasn't taken off on social media

New MacBook Pro 2016 review | MacBook Pro with Touch Bar review: Apple's expensive and powerful…