Computer is acting strange lately

Original Message
Name: kornsp1racy
Date: October 14, 2004 at 13:03:43 Pacific
Subject: Computer is acting strange lately
OS: Win2k
CPU/RAM: P4 - 2,6 GHz/512 DDRAM

Comment: Hello! Actually the problem occurs for my friend, not for me; I'm just writing on his behalf since his English is even worse than mine. First of all, he can't change the IE homepage. It was actually set to www.google.com, but every time he re-opens the browser it is now automatically changed to "about:blank", and some weird page (with a lot of links about all kinds of stuff) opens with a pop-up advertisement saying that his PC is infected by spyware. Also, for the most part he doesn't have admin rights anymore, even though he is actually logged in with his Admin user. For instance, I tried to install an anti-spyware tool on his PC and was told I wasn't allowed to do so because I wouldn't have admin rights, which is certainly not true. He also has serious problems with IE, which occasionally closes while some error message appears (I really can't remember what it was exactly, something about a problem and whether he wants to send an error report to Microsoft, I think; I guess you know what I mean). The next problem occurs when using Outlook Express, which also pops up some error message about a missing .dll and wants to run debug mode, and then some other strange stuff happens: some Microsoft FrontPage install window pops up and proceeds until I cancel it. It all seems to point to a virus/spyware or whatever, since all the strange happenings occurred at once. I already removed some files which were supposed to be spyware or something (I did that with some tools like Ad-Aware, Spybot etc., which I ran directly from a USB stick I brought, since I couldn't actually install anything on his PC). Anyway, I hope my problem was kind of understandable; excuse my probably bad English, thanks ;) Following is a HijackThis log. Oh, by the way, he uses Win2k! Any help is greatly appreciated! Thanks in advance!
Bye, kornsp1racy

Logfile of HijackThis v1.97.7
Scan saved at 17:04:36, on 14.10.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\SOUNDMAN.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Programme\FinePixViewer\QuickDCF.exe
C:\WINNT\system32\msiexec.exe
E:\Washer\washer.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=igon
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supret.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=igon
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINNT\system32\prntsvr.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\prntsvr.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mdv_32.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINNT\msnbkc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CADE34BB-3CC4-45E9-8183-AF5BEF7835B4} - C:\WINNT\system32\hge.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Config Loader] scvhost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows33.exe] Windows33.exe
O4 - HKLM\..\Run: [System-Config] msptmf32.com
O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [Config Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Windows33.exe] Windows33.exe
O4 - HKLM\..\RunServices: [System-Config] msptmf32.com
O4 - HKLM\..\RunServices: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINNT\system32\winproc32.exe
O4 - HKCU\..\Run: [System-Config] msptmf32.com
O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Programme\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Exif Launcher.lnk = C:\Programme\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mp3: C:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3758D156-9996-4EA6-8691-C2C20FCE1498}: NameServer = 195.34.133.10,195.34.133.11
Response Number 1
Name: Arcaned22
Date: October 14, 2004 at 14:06:33 Pacific
Subject: Computer is acting strange lately

Reply: Dear User, run in Safe Mode. Start HijackThis and remove all your R1's and R0's as follows:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=igon
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supret.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=igon
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Try starting Internet Explorer to see if you get your default home page www.google.com. Let me know how it goes, Arcaned
Response Number 2
Name: kornsp1racy
Date: October 14, 2004 at 15:18:22 Pacific
Subject: Computer is acting strange lately

Reply: Hi Arcaned! Thank you very much for your reply! Unfortunately I can't try it now, since I'm not at my friend's computer, but I will try it as soon as I get the possibility to do so. By the way, might the above solution actually also be a solution for the other problems I mentioned? Thanks in advance, and thanks again for the answer! Bye, kornsp1racy
Response Number 3
Name: kornsp1racy
Date: October 20, 2004 at 02:26:31 Pacific
Subject: Computer is acting strange lately

Reply: Hi again! I now tried out the solution you mentioned above, and I also ran CWShredder, which also found some infections and fixed them. Now the problem with the homepage doesn't exist anymore, but all the other problems are still present. The most annoying problem is the thing with the admin rights. I can't even open regedit without getting an error claiming that I don't have the rights to open it, even though I'm actually logged in as Administrator. I then tried renaming the "regedit.exe" file to "regedit.com"; then I could open it. However, all that seems really strange to me. Any other hints/suggestions? By the way, here's a new HijackThis log after I fixed the homepage problem:

-----
Logfile of HijackThis v1.97.7
Scan saved at 17:16:00, on 19.10.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\SOUNDMAN.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Programme\FinePixViewer\QuickDCF.exe
C:\WINNT\system32\msiexec.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Administrator\Desktop\Neuer Ordner\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINNT\system32\prntsvr.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\prntsvr.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Config Loader] scvhost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows33.exe] Windows33.exe
O4 - HKLM\..\Run: [System-Config] msptmf32.com
O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [Config Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Windows33.exe] Windows33.exe
O4 - HKLM\..\RunServices: [System-Config] msptmf32.com
O4 - HKLM\..\RunServices: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [System-Config] msptmf32.com
O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Programme\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Exif Launcher.lnk = C:\Programme\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mp3: C:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3758D156-9996-4EA6-8691-C2C20FCE1498}: NameServer = 195.34.133.10,195.34.133.11
-----

Any help is greatly appreciated, of course!
Bye, kornsp1racy
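The two logs in this thread share a pattern that a helper reading them by hand has to spot line by line: search and start pages pointing at a local file in Temp, a second executable appended to Shell=, autoruns with no path whose names imitate system processes (scvhost.exe next to the real svchost.exe), a silent regedit import at logon, an ActiveX cab from a site that is not Macromedia, and changed DNS servers. The script below is an added example of my own, not part of the thread and not HijackThis code: it parses log lines in the format posted above and flags exactly those entry types. The sample lines are copied from the two logs; the allowlists of trusted cab hosts and path-less autorun names, and the severity levels, are my assumptions and need tuning for any other machine.

```python
"""Offline triage of HijackThis log lines (added example, not from the thread).
Flags R0/R1 redirects to a local file, extra Shell= programs, path-less or
look-alike O4 autoruns, silent .reg imports, O16 ActiveX cabs from unexpected
hosts and O17 DNS overrides."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample entries copied from the two logs posted in this thread, with a few
# benign neighbours kept so the allowlists below are exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=igon
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINNT\system32\prntsvr.exe
O2 - BHO: (no name) - {150FA160-130D-451F-B863-B655061432BA} - C:\WINNT\system32\mdv_32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Config Loader] scvhost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Windows33.exe] Windows33.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3758D156-9996-4EA6-8691-C2C20FCE1498}: NameServer = 195.34.133.10,195.34.133.11
"""

# Assumed allowlists (not from the thread): autorun names that Windows and OEM
# software register without a path, and hosts ActiveX cabs are expected from.
KNOWN_BARE_AUTORUNS = {"soundman.exe", "ctfmon.exe", "mobsync.exe"}
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "fpdownload.macromedia.com"}
# Core process names that droppers imitate (scvhost.exe vs svchost.exe).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    n = name.lower()
    return next((s for s in SYSTEM_NAMES if n != s and levenshtein(n, s) <= 2), None)


def command_image(cmd: str) -> str:
    """First token of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def classify(line: str):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    if m := re.match(r"^R[01] - (.+?) = (.*)$", line):
        value = m.group(2)
        if value.lower().startswith("file://"):
            where = " in a Temp directory" if "temp" in value.lower() else ""
            return "high", "search/start page redirected to a local file" + where
        if value.lower().startswith(("http://", "https://")):
            return "info", f"points at {urlparse(value).hostname}; confirm the user chose it"
    elif m := re.match(r"^F[02] - .*Shell=(.*)$", line):
        parts = re.split(r"[\s,]+", m.group(1).strip())
        if len(parts) > 1 or parts[0].lower() != "explorer.exe":
            return "high", "Shell= should be explorer.exe alone; the extra program starts with the shell at logon"
    elif m := re.match(r"^O2 - BHO: (.+?) - \{[^}]+\} - (.*)$", line):
        if m.group(1) == "(no name)":
            return "medium", "unnamed BHO loaded into every IE process; identify the DLL"
    elif m := re.match(r"^O4 - (.+?): \[(.*?)\] (.*)$", line):
        cmd = m.group(3)
        image = command_image(cmd)
        base = image.rsplit("\\", 1)[-1].lower()
        if sysname := lookalike(base):
            return "high", f"autorun name imitates {sysname}"
        if base.split(".")[0] == "regedit" and re.search(r"\s[-/]s\b", cmd):
            return "high", "silent registry import at every logon; read the .reg file it merges"
        if "\\" not in image and base not in KNOWN_BARE_AUTORUNS:
            return "medium", "autorun without a path, resolved via the search path; locate the file and check its origin"
    elif m := re.match(r"^O16 - DPF: \{[^}]+\} \(.*?\) - (\S+)$", line):
        host = urlparse(m.group(1)).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return "high", f"ActiveX control installed from {host}, outside the trusted hosts"
    elif m := re.match(r"^O17 - .*NameServer = (.*)$", line):
        return "info", f"DNS servers overridden to {m.group(1)}; confirm they belong to the ISP"
    return None


def triage(log_text: str) -> list:
    """Findings for every line, highest severity first (stable within a level)."""
    order = {"high": 0, "medium": 1, "info": 2}
    out = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if hit := classify(line):
            out.append(Finding(hit[0], line, hit[1]))
    return sorted(out, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as-is to see the sample triaged, or pipe a full log into `triage()`. The script only ranks lines for a human to act on; it does not decide what to delete, and in particular it cannot tell a hijacked DNS setting from an ISP's real servers, which is why O17 stays at "info".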