IE default/search URL vs Registry
Original Message
Name: readwritekk
Date: February 3, 2004 at 22:20:47 Pacific
Subject: IE default/search URL vs Registry
OS: Windows 2000 Pro SP3
CPU/Ram: P4 2.0GHz/260MB
Comment: Hi all, I have a REALLY BIG problem. Of course I blame myself because of that too. I used to visit lots of porno websites and now I get one weird problem. Whenever I reboot my laptop, and before I double-click on the IE browser, I have to go to Control Panel to change the default home page!!! WHY? Because it is ALWAYS HARD-CODED into my registry entries in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, on the Default_Page_URL, Search Bar, Search Page entries, with value: "http://sexylight.com". Please help me out with your expertise, and if not, I am going to have my butt kicked off! Thank you so much.
Response Number 1
Name: uselessmitch
Date: February 3, 2004 at 23:07:03 Pacific
Reply: You installed a 3rd party porn software onto your computer. You say hard coded... well, it gets put back there in the registry because the program loads back up when you restart. I'd advise you to go through your whole hard drive and uninstall everything that you don't need. Also clean temp internet files, delete cookies, clear history. Also turn off loading programs that you don't need at startup. You can download msconfig.exe: http://www.techadvice.com/win2000/m/msconfig_w2k.htm
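The mechanism described in Response 1 (something that runs at startup writes the values back), as an added example that is not part of the original thread: a Python check over an exported .reg file that reports the three Internet Explorer values named in the original message when they point outside an allowlist, and Run entries that silently re-import a .reg file at every logon. The sample export, the `hijacker.example` host, the allowlist and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample export (not from the poster's machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://hijacker.example/"
"Search Bar"="http://hijacker.example/"
"Search Page"="http://www.microsoft.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"restore"="regedit /s C:\\WINNT\\restore.reg"
'''

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
WATCHED = {"Default_Page_URL", "Search Bar", "Search Page"}  # names from the post
RUN_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string (REG_SZ) values only.
    .reg files escape backslash and double quote with a backslash."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def hijacked_ie_values(keys, allowed_hosts):
    """Watched IE values whose URL host is not in allowed_hosts."""
    main = next((v for k, v in keys.items() if k.lower() == IE_MAIN.lower()), {})
    return [(n, main[n]) for n in sorted(main.keys() & WATCHED)
            if (urlparse(main[n]).hostname or "") not in allowed_hosts]

def reg_importing_run_entries(keys):
    """Run entries that silently re-import a .reg file at logon (regedit /s)."""
    pattern = re.compile(r'\bregedit(?:\.exe)?"?\s+/s\b', re.I)
    return [(path, name, cmd) for path, values in keys.items()
            if path.lower().endswith(RUN_SUFFIX.lower())
            for name, cmd in values.items() if pattern.search(cmd)]

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(hijacked_ie_values(parsed, {"www.microsoft.com"}), reg_importing_run_entries(parsed))
```

A Run entry of this kind explains why a manual fix in Control Panel does not survive a reboot: the startup entry has to be removed before the browser values are restored.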
Response Number 2
Name: readwritekk
Date: February 3, 2004 at 23:19:18 Pacific
Reply: Thanks for your input. I believe I did (without being conscious of it) install the porno software. I will try to use msconfig.exe to troubleshoot and will update this message after that!
Response Number 3
Name: Stabgotham
Date: February 3, 2004 at 23:45:41 Pacific
Reply: Also, you may want to do these three things. Download Spybot S&D, Ad-Aware, and HiJackThis if you haven't already. Boot your computer in safe mode, run your virus checker, then Ad-Aware, and then Spybot S&D. If those three things do not work, run HiJackThis (but remember to have it running from its own folder, not a temp folder) and then post it here on the site and we'll all help you get this clean and clear. If you don't have Ad-Aware or Spybot S&D and get them for the first time after reading this post, I recommend running them once a week from now on, and always remember to check for updates.
Response Number 4
Name: readwritekk
Date: February 3, 2004 at 23:56:51 Pacific
Reply: Sorry, and I hope you don't mind that I ask the following question, as I am new here. Where do I get the 3 software programs? Please show me the link. Thank you.
Response Number 5
Name: Stabgotham
Date: February 3, 2004 at 23:58:06 Pacific
Reply: Whoops, sometimes I get way ahead of myself... When I say run HiJackThis and post it here if the first progs do not work, what I mean is, run HiJackThis and post the log it produces.
Response Number 6
Name: readwritekk
Date: February 4, 2004 at 00:31:03 Pacific
Reply: Logfile of HijackThis v1.97.7
Scan saved at 4:26:38 PM, on 2/4/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Response Number 7
Name: Ray Peate
Date: February 4, 2004 at 01:04:10 Pacific
Reply: Hi!!

1. SpyBot Search and Destroy - www.security.kolla.de
2. Ad-aware - www.lavasoft.com
3. SpywareBlaster - www.wilderssecurity.net/spywareblaster.html
4. CWShredder - www.merijn.com

For "4", scroll down the blue centre and find 24 Jan 2004 and first download the file CWWWSearch.SmartKiller removal tool. Then go down to 19 Jan 2004 and download CWShredder.

When you have downloaded them, open them and UPDATE them immediately to ensure you have the most recent updates. ALL require regular updating, weekly at least, to ensure you have the most recent files. SpywareBlaster will require little attention apart from updating since it runs in the background to keep most malware from even getting onto your system. The others will require manual running.

CWShredder is a specific program to combat the CoolWebSearch home page hijacker. To run this program you click "Fix" when you open it. SpywareBlaster will run in the background and requires little attention EXCEPT for regular updating, weekly at least.

The best news is that ALL these programs are FREE. If you wish to donate to the author you may well find a request for this, but you do not have to do this to download the programs.
Response Number 8
Name: readwritekk
Date: February 4, 2004 at 18:58:22 Pacific
Reply: Hi all, thanks for helping me to resolve my problem. I have used msconfig plus the other tools mentioned by you all. Great job! I appreciate it.