Hi, I have a problem with my IE. The start page has changed to: http://t.rack.cc/h.php?aid=420
This is the HijackThis report:
____________________________________________
Logfile of HijackThis v1.97.7
Scan saved at 19:23:25, on 24.01.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\Programme\Sygate\SPF\smc.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.exe
E:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\Programme\Grisoft\AVG6\avgcc32.exe
E:\Programme\Gemeinsame Dateien\Real\Update_OB\rnathchk.exe
E:\WINNT\system32\internat.exe
E:\PROGRA~1\WEATHE~1\Weather.exe
E:\Programme\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
E:\WINNT\system32\wuauclt.exe
E:\Programme\Gemeinsame Dateien\Real\Update_OB\realevent.exe
E:\Programme\Internet Explorer\iexplore.exe
E:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=420
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=420
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=420
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=420
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=420
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=420
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=420
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=420
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.t-online.de:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = a1.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=420
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = yahoo.com/search/people
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - E:\WINNT\mskddm.dll
O2 - BHO: (no name) - {2f993f9e-026a-40a6-b629-1f02ef21e27d} - E:\DOKUME~1\ADMINI~1\ANWEND~1\zdulythprtr.dll (file missing)
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - E:\WINNT\iDonate.dll
O2 - BHO: yes - {9527D42F-D666-11D3-B8DD-00600838CD5F} - E:\WINNT\System32\IETie.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - E:\WINNT\AdRoar.dll (file missing)
O3 - Toolbar: (no name) - {d1ae6b32-b0ee-4b3d-abb6-3eccd5b906c4} - E:\DOKUME~1\ADMINI~1\ANWEND~1\zdulythprtr.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - E:\WINNT\AdRoar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WEPStat] WEPStat.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] E:\Programme\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebInstall2] E:\WINNT\Temp\Adware\WebInstall.exe /R
O4 - HKLM\..\Run: [b3dupdate] E:\WINNT\BDE\b3dsetup.exe -silent -p "E:\WINNT\BDE" -s setup.cab
O4 - HKLM\..\Run: [Trickler] "e:\programme\grokster\fsg_4104.exe"
O4 - HKLM\..\Run: [AdRoarUpdate] E:\WINNT\ARUpdate.exe
O4 - HKLM\..\Run: [RVP] E:\Programme\RVP\bpc.exe
O4 - HKLM\..\Run: [KAZAA] E:\Programme\Grokster\Grokster.exe /SYSTRAY
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WeatherCast] E:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "E:\Programme\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O8 - Extra context menu item: Download All Links with IDM - E:\Programme\Internet Download Manager\IEGetAll.htm
O13 - DefaultPrefix:
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {04662C71-4771-11D7-8412-0080ADB7C759} (Dialer.UserControl1) - http://www.paybizz.net/nd/final/dfg.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} (CometCursor Class) - http://files.cometsystems.com/cometcursor/cobrand/comet.cab?0.92167275272654281067154439518
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/download/Object/ieaccess2.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://download.globaldialer.net/GlobalDialer_de.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.22.199.157/activex/AxisCamControl.ocx
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://fr4-download.nocreditcard.com/download/Object/DialerHTML/DHTMLAccess1040.cab
O16 - DPF: {99E79790-2B09-11D6-8C73-0800460222F0} - http://seks.yeterli.com/install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.3519328704
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://204.177.92.201/nslite/nslite.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://ilsearch.com/download/free_plugin.exe
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O19 - User stylesheet: E:\WINNT\Web\tips.ini
O19 - User stylesheet: E:\WINNT\hh.htt (HKLM)
____________________________________________
I changed the values in regedit, but when I restart my PC I still have the same values as before. AVG, Norton say everything is ok. I installed an Anti Trojan program and again nothing.
Please help me.

You need CWShredder first. Go to
www.merijn.org/downloads.html
navigate down the centre (blue) area and download CWShredder. THEN update it, close all browser windows and run it (click on "Fix").
You should also have/try SpyWareBlaster, SpyBot Search and Destroy and AdAware: all can be found easily via a Google search and all are free. Download each, update each and run SpyBotS&D and AdAware (SpyWareBlaster runs in the background and will keep most malware off your system) BUT they all require updating - weekly at least!!

Ray, I tried to fix the problem with HijackThis but still have the problem. Do you think CWShredder is better than HijackThis?

Not necessarily - I do not possess the knowledge to sort out the report from HijackThis: these columns will expect you to have tried all the programs I suggested before you lodge a HJT report. However, there are a number of contributors to these columns who will straightway offer you a "reading" of a HJT report - that's what makes these pages such necessary reading for us!! I do use ALL of the programs I suggested and, to date, I have not picked up any malware. Good luck!

Hi Ray, well, I tried so many programs but still nothing. Every time I start my PC, Internet Explorer's start page is changed.

I had the same problem and I used CWShredder today (http://www.spywareinfo.com/~merijn/junk/CWShredder.exe); it seems it has worked. Good luck

I'm running win2000, IE 6.
I had this same problem and tracked down and (hopefully) fixed it last night before checking what it was today! I traced the problem down to a file in the c:\winnt\ directory called sys.reg
Find this file and open it (edit). It should contain instructions to change your IE start page etc to t.rack.cc/php.
I deleted this file and removed it from the registry (it shows you where it has written to the registry when you view it in edit mode).
I think this has solved it.
Cheers,
Nilo.
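
Added example, not part of the original thread: the last post explains why the regedit changes kept reverting, and the log's `O4 - HKLM\..\Run: [sys] regedit -s sys.reg` entry is the autostart that silently re-imports sys.reg at every logon. This Python sketch triages a HijackThis log for that pattern; the function names are hypothetical and the sample lines are copied from the log above.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Sample input: a few lines taken from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=420
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = a1.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AVG_CC] E:\Programme\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

R_LINE = re.compile(r"^(R\d) - (.+?),([^,]*?) =\s*(.*)$")            # code, key, value name, data
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[(.+?)\] (.*)$")  # hive, entry name, command

def silent_reg_import(command):
    """Return the .reg file a Run command silently imports, or None."""
    tokens = command.replace('"', "").split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("regedit", "regedit.exe"):
        return None
    if not any(t.lower() in ("-s", "/s") for t in tokens[1:]):
        return None  # without the silent switch the user would see a prompt
    regs = [t for t in tokens[1:] if t.lower().endswith(".reg")]
    return regs[0] if regs else None

def triage(log_text):
    """Count hosts the IE settings point at and list autostarts that re-import .reg files."""
    hosts, reimports = Counter(), []
    for line in map(str.strip, log_text.splitlines()):
        m = R_LINE.match(line)
        if m:
            host = urlparse(m.group(4)).hostname  # None for empty or scheme-less data
            if host:
                hosts[host] += 1
            continue
        m = O4_LINE.match(line)
        if m and silent_reg_import(m.group(3)):
            reimports.append((m.group(1), m.group(2), silent_reg_import(m.group(3))))
    return {"hosts": hosts, "reimports": reimports}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any entry in `reimports` means the browser settings will be rewritten at the next logon until both the Run value and the referenced .reg file are removed, which matches the fix described in the post above.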
