
Thread: how home page changed automatically?

  1. #1
    jenaguru Guest

    how home page changed automatically?

    Hi all, yesterday I noticed that one of my two home pages in IE7 had been changed to some page for 'turbo search' (maybe turbosearch.com, I can't remember correctly). The last time I surfed before that, it worked perfectly.

    I want to know: is this some kind of virus/malware activity?

    I am using ZA Pro & Avira AV free.

    Thanks, jenaguru.

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: how home page changed automatically?

    You can use the "search" and the "home page" options in the OSFirewall tab of the ZA Pro to "lock" these in and prevent changes by rogues. The ZA should stop the unwanted changes.

    Okay first read this to the end and then start over.
    The end has important do firsts.

    Is it just the IE that is affected or the Firefox as well?

    The search parameters I usually use in the search engines for these things are the file name of the rogue, followed by + spyware or + remove. So turbosearch.com + remove was the first try, and turbosearch.com + spyware showed me this:

    http://forum.hijackthis.de/showthrea...t=29385&page=2

    taking clues from this,

    start the pc in the safe mode.
    open the regedit.

    change the

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turbo-search101.com

    back to your usual home page.

    do a Find in the registry for the SetupClickHere.EXE
    and delete in the registry.


    delete this file in your Start folder

    Startup: Highspeeddownloader.lnk = C:\WINDOWS\system32\SetupClickHere.EXE

    delete this file (if it does not go immediately after deleting its corresponding key, then immediately reboot back into the safe mode and remove the file - once its reg key is gone it may have no more hold of windows)

    C:\WINDOWS\system32\SetupClickHere.EXE

    IMPORTANT - always empty the recycle bin before rebooting or closing the windows just in case the rogues will be active from the recycle bin.

    They also mention this

    C:\WINDOWS\system32\msssc.dll

    so make sure the Hidden folder/files is not enabled, and in the View of the Explorer, open the Choose Detail... and give as many needed options to show the info - now the mouse over will reveal details.
    If the msssc.dll is rogue, do a Find in the registry while in the safe mode and then delete the file - if the file does not delete properly, then reboot back into the safe mode and then delete it.

    The Properties of the right click will reveal details as to the vendor, date/time and versions, so write these down! Write down the details found in the other rogue files too such as the SetupClickHere.EXE
    Another trick is use the "Details" option in the View of the Explorer, then click the "Date Modified" and the latest and earliest will flip - but more importantly the date of "around that time of the infections" will be grouped together, making eye ball checks for possible infective files a lot easier.

    Then use that vendor name in the search in windows as a parameter. The time/date can be used as a guide to reduce the guessing.
    (note - the search should be fully enhanced in the lower three options!).

    You may find the home page got reset after you changed it back if the file was still active. But once the file is gone, the reset should hold.

    Also check the "windows\downloaded program" folder for some obvious rogue bho addon/activeX.

    Some rogues are very obvious - they actually are seen in the Add and Remove or leave new files/folder directly on the root of the hdd or add new files/folders in the Documents and Settings or have added new folders in the Program Files (and even in the Common Files).

    Okay do the above and then post your HJT here.

    Oldsod.

    Message Edited by Oldsod on 10-31-2008 10:02 AM
    Best regards.
    oldsod
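
The checks described in the post above (the IE Start Page value, the Startup shortcut, the two file names) can also be run mechanically over a saved HijackThis log. The Python below is an added example, not part of the original thread or of HijackThis: the sample log lines are constructed in HijackThis's line format, the indicator strings are the ones named in the post, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Strings named in the post above; matched case-insensitively against each entry.
INDICATORS = ("turbo-search101.com", "setupclickhere.exe", "msssc.dll")

# A HijackThis entry is "<section> - <text>", e.g. "R0 - HKCU\...,Start Page = http://..."
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# R0/R1 text: "<hive>\<key>,<value name> = <data>"
R_RE = re.compile(r"^(HK\w+)\\(.+?),(.+?)\s*=\s*(.*)$")
# O4 text, registry form: "HKLM\..\Run: [name] command"
O4_RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")
# O4 text, startup-folder form: "Startup: name.lnk = target"
O4_LNK_RE = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")


@dataclass
class Entry:
    section: str
    text: str


def parse_hjt(log):
    """Return the section-tagged entries of a HijackThis log, skipping header lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def start_pages(entries):
    """Return {(hive, value name): data} for the R0/R1 Internet Explorer settings."""
    pages = {}
    for e in entries:
        m = R_RE.match(e.text) if e.section in ("R0", "R1") else None
        if m:
            pages[(m.group(1), m.group(3))] = m.group(4)
    return pages


def autoruns(entries):
    """Return (location, name, command) for every O4 autostart entry."""
    found = []
    for e in entries:
        if e.section != "O4":
            continue
        m = O4_RUN_RE.match(e.text) or O4_LNK_RE.match(e.text)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def indicator_hits(entries, indicators=INDICATORS):
    """Return (section, indicator, entry text) for each entry containing an indicator."""
    hits = []
    for e in entries:
        low = e.text.lower()
        hits.extend((e.section, ind, e.text) for ind in indicators if ind in low)
    return hits


def unexpected_start_pages(entries, expected_hosts):
    """Return (hive, host) for each 'Start Page' whose host the user did not set."""
    odd = []
    for (hive, name), url in start_pages(entries).items():
        host = (urlsplit(url).hostname or "").lower()
        if name == "Start Page" and host not in expected_hosts:
            odd.append((hive, host))
    return odd


# Constructed sample in HijackThis format (not a log from this thread).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turbo-search101.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Highspeeddownloader.lnk = C:\WINDOWS\system32\SetupClickHere.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for hit in indicator_hits(parsed):
        print("indicator:", hit)
    print("start pages to check:",
          unexpected_start_pages(parsed, {"go.microsoft.com", "www.sharekhan.com"}))
```

A log with no hits only means these three strings are absent; the manual review of unfamiliar O4 entries still applies.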

  3. #3
    jenaguru Guest

    Re: how home page changed automatically?

    Hi Oldsod,
    I did as per your instructions as far as possible for me. Now HJT for you.
    jenaguru.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:20:15 AM, on 11/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Ananda Computers\Bijoy 2000\Bijoy.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sharekhan.com/#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.myiris.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Search The Web
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - Global Startup: Bijoy 2000.lnk = C:\Program Files\Ananda Computers\Bijoy 2000\Bijoy.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2F31D9-A8AF-4091-9D5C-37DD531A8D37}: NameServer = 218.248.240.208 218.248.240.79
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4900 bytes

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: how home page changed automatically?

    Hi JenaGuru
    The log looks clean and lean (as far as I can tell).
    I assume the Bijoy.exe from Ananda Computers is legitimate (I just can't figure out what it does!).

    OK I am not using the latest TrendMicro version HJT, but instead the older version still from Merijn Bellekom (before he sold it to TrendMicro).
    But both versions basically work the very same.
    Maybe the interface has changed slightly, but please post the Startup list (in full)

    open the HJT
    open the "Config" under the "Other stuff" (after the scan only option)
    open the "Misc Tools"
    Then in the "Generate Startup list" area, check both options (list minor sections and list empty sections) and then click the "Generate Startup list" button and copy/paste from the .txt into the next post.


    Also please run both the file and registry cleaning of CCleaner (no toolbar included- this is the lean version). This will help remove any possible registry file remnants (I can recommend some additional registry cleaners if you wish) and any unwanted Temp files.

    I run the HJT from time to time to check for something unusual/malware. But I also at the same time run Process Explorer and AutoRuns. Both are excellent tools for finding unusual things and finding out details about files and the windows itself - and all at a glance and in great detail. These are very good tools for not just finding rogues and unusual things but also for learning about windows/supported applications and the processes involved. Spend some time with these tools and check these over in depth - much can be gleaned and found.

    Oldsod.
    Best regards.
    oldsod

  5. #5
    jenaguru Guest

    Re: how home page changed automatically?

    Hi Oldsod, many thanks for your quick reply.

    First, that happened to only IE, not Opera.
    Second, Bijoy.exe is a writing software, legitimate as you assumed.
    Third, which older version of HJT did you mean?
    Next, I am posting the startup list created as per your directions by current version of HJT.
    Then, I generally use Registry Mechanic, not CCleaner, and clean up temp files and cache files manually.
    Lastly, I value your advice and opinions the most about security matters, because I am a real novice and you are an expert, generous and extremely helpful. So please feel free to recommend extra protection.

    Thanks,
    jenaguru.

    StartupList report, 11/1/2008, 10:50:52 AM
    StartupList version: 1.52.2
    Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.5730.0013)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Ananda Computers\Bijoy 2000\Bijoy.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Bijoy 2000.lnk = C:\Program Files\Ananda Computers\Bijoy 2000\Bijoy.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    RTHDCPL = RTHDCPL.EXE
    Alcmtr = ALCMTR.EXE
    ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    NeroFilterCheck = C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    RegistryMechanic =
    avgnt = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    AdobeCS4ServiceManager = "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    AdobeBridge =

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    =

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
    CODEBASE = http://fpdownload2.macromedia.com/ge...sh/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 5,187 bytes
    Report generated in 0.171 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: how home page changed automatically?

    Download GMER
    Save it to the "C" Drive.
    Unzip the file.
    Next please set the ZA Program control slider to Medium
    Open the gmer.exe
    It will open to the default Rootkit/malware setting and make a quick scan.
    Just wait till it is finished and ignore this result.
    Instead click the Scan button on the right side.
    Once its scan is finished, then select the Copy next to the Scan button.
    The info is now saved to the clipbrd.exe (windows\system32\clipbrd.exe).
    Next Open the Run and type in clipbrd and press the Enter key [Enter]
    In the "File" of the clipbrd, use the Save As option and save a .txt file on the desktop. Name this new .txt file Rootkit/Malware.txt
    Next click the right pointing arrows next to the Rootkit/Malware - they look like >>>.
    Select the Autostart button and Scan and Copy and again copy from the clipboard. Call this new file AutoStart.txt.
    Close the Gmer.
    Close the clipboard (delete its file in its menu before closing it).
    Be very careful with this tool - it can not only remove malware and make changes to the Windows, but if used incorrectly it will ruin the windows (just the same as the HJT can and even more so).
    Now post the rootkit/malware.txt and the autostart.txt files.



    My own HJT file is 1.99.0001 from Soeperman Enterprises Ltd.
    It may be old but it is still useful. It is one of the older versions still from Merijn (he made some great security and useful applications and is a famous CWS/Adware/spyware fighter).

    Opera can not get infected by this - Opera is immune. Only IE and Firefox can get this type of infection.

    Oldsod.

    Message Edited by Oldsod on 11-01-2008 02:55 AM
    Best regards.
    oldsod

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Re: how home page changed automatically?

    Open the Internet Explorer.
    Open the "Manage Add-ons" in the Tools Menu.
    Select the "Enable or Disable Add-ons..."
    Check all of the items in the drop down menu and anything suspicious please note the file information and the Publisher and the State and the Type and the File information. Anything looking suspicious or unknown please post.
    While still in the Internet Explorer try these and make sure these still work properly:
    right click menus, source, file and save as, file and open.
    I already saw the title is okay and the opening of the Tools checks this feature at the same time (some adware will disable the Tools of the IE).

    Open the WINDOWS\Downloaded Programs folder.
    In the list, check the items shown and anything suspicious just right click and open the Properties - the information is helpful in determining if it is a valid file or rogue.

    Open the registry.
    Open here:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    in the sub menu only IN THE LEFT Side PANEL, look for any unusual or strange sites listed.
    NOTE - if you have used some security like IESpyAds or spywareblaster or some thing of this nature, there will be blockers for bad sites listed by these applications.

    Then look here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites

    and the correct site should be listed and no other url.

    Then here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    in the sub menu but only IN THE LEFT sided PANEL, look for any unusual or strange sites listed (again as before, and usually microsoft.com and msn.com and a few others are listed here).

    Then repeat this again here:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    and here:

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    and here:

    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    and here:

    HKEY_USERS\S-1-5-21-329068152-776561741-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    (these areas are some of the usual places where adware and CWS like to stick itself into the windows and the IE)

    Oldsod.
    Best regards.
    oldsod
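
An added example (not part of the original thread): the ZoneMap review described in the post above, run over a regedit export instead of by eye. It assumes the ZoneMap keys were exported to .reg text; the sample export, its domains and the function names are constructed for illustration, and treating Restricted-zone entries as blocklist entries while listing everything else for review is an assumption drawn from the post's note about IESpyAds and SpywareBlaster.

```python
import re

# Internet Explorer security zone numbers stored in ZoneMap values.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[(.+)\]$")                           # [HKEY_...\key\path]
DWORD_RE = re.compile(r'^"(.*)"=dword:([0-9a-fA-F]{8})$')    # "http"=dword:00000002
STR_RE = re.compile(r'^"(.*)"="(.*)"$')                      # ":Range"="192.0.2.10"


def parse_reg(text):
    """Return {key path: {value name: int or str}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        if current is None:
            continue                      # header line before the first key
        m = DWORD_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return keys


def zone_mappings(keys):
    """Return (hive, site, protocol, zone name) for each Domains/Ranges entry."""
    out = []
    for path, values in keys.items():
        low = path.lower()
        dom, rng = "\\zonemap\\domains\\", "\\zonemap\\ranges\\"
        if dom in low:
            # Domains\example.com\www is the host www.example.com
            parts = path[low.index(dom) + len(dom):].split("\\")
            site = ".".join(reversed(parts))
        elif rng in low:
            site = values.get(":Range", "?")   # the address range is a string value
        else:
            continue
        cut = low.find("\\software\\")
        hive = path[:cut] if cut != -1 else path.split("\\", 1)[0]
        for name, data in values.items():
            if isinstance(data, int) and not name.startswith(":"):
                out.append((hive, site, name, ZONES.get(data, "zone %d" % data)))
    return out


def to_review(mappings, known_sites=frozenset()):
    """Drop Restricted-zone blocklist entries and sites the user recognises."""
    return [m for m in mappings
            if m[3] != "Restricted sites" and m[1].lower() not in known_sites]


# Constructed export; .example names and 192.0.2.10 are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-ads.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unknown-site.example\www]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com]
"https"=dword:00000002

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.0.2.10"
"*"=dword:00000002
"""

if __name__ == "__main__":
    for row in to_review(zone_mappings(parse_reg(SAMPLE_EXPORT)), {"microsoft.com"}):
        print(row)
```

Real exports from regedit on Windows XP are UTF-16 by default, so open the file with `encoding="utf-16"` before passing its text to `parse_reg`.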

  8. #8
    jenaguru Guest

    Re: how home page changed automatically?

    I did all that but could not save the text files from the clipboard viewer. I saved those manually in two files and am posting them here for your inspection.

    jenaguru.

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-11-01 14:31:27
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEE80E040]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEE80A930]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xEE815A80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEE80E510]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xEE814870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xEE814AA0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xEE817FD0]
    SSDT F7AEBA7C ZwCreateThread
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xEE80E600]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEE80AF20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xEE8166E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xEE816440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xEE814580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadDriver [0xEE8083F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xEE8168B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwMapViewOfSection [0xEE818270]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEE80AD70]
    SSDT F7AEBA68 ZwOpenProcess
    SSDT F7AEBA6D ZwOpenThread
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xEE817250]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xEE816CB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xEE80DC00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xEE817080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xEE80E220]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEE80B120]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetSystemInformation [0xEE8081C0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xEE816140]
    SSDT F7AEBA77 ZwTerminateProcess
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwUnloadDriver [0xEE8085F0]
    SSDT F7AEBA72 ZwWriteVirtualMemory

    INT 0x20 srescan.sys F726AC90

    ---- Kernel code sections - GMER 1.0.14 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2BED 805037ED 11 Bytes [ E5, 80, EE, 70, 48, 81, EE, ... ]
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1468] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EE812CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EE8131C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EE813320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EE812E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EE812E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EE812CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EE8131C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EE813320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EE812CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EE813320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EE8131C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EE812E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE813320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE812CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE8131C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE812E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE812CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE8131C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE813320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE812CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE812E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE813320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE8131C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    ---- Devices - GMER 1.0.14 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    ---- Registry - GMER 1.0.14 ----

    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\308\Shell@MinPos1024x768(1).x -32000
    Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\308\Shell@MinPos1024x768(1).y -32000

    ---- EOF - GMER 1.0.14 ----

  9. #9
    jenaguru Guest

    Re: how home page changed automatically?

    Oldsod, the second scan (autostart) is here.
    jenaguru.

    GMER 1.0.14.14536 - http://www.gmer.net
    Autostart scan 2008-11-01 14:33:14
    Windows 5.1.2600 Service Pack 2


    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    AntiVirScheduler@ = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"
    AntiVirService@ = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"
    Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
    PSI_SVC_2@ = "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe"
    ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
    UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
    vsmon@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @RTHDCPLRTHDCPL.EXE = RTHDCPL.EXE
    @AlcmtrALCMTR.EXE = ALCMTR.EXE
    @ZoneAlarm Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    @NeroFilterCheckC:\Program Files\Common Files\Nero\Lib\NeroCheck.exe = C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    @RegistryMechanic /*file not found*/ = /*file not found*/
    @avgnt"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    @QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    @Adobe Reader Speed Launcher"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    @AdobeCS4ServiceManager"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin = "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    @IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 = "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    @AdobeBridge /*file not found*/ = /*file not found*/

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
    @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
    @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
    @{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
    @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
    @{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
    @{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll = C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
    @{DE902992-61FC-4A01-8091-53E1895C9775} /*CDR Icon Handler*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{DE902993-61FC-4A01-8091-53E1895C9775} /*CPT Icon Handler*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{DE902994-61FC-4A01-8091-53E1895C9775} /*CMX Icon Handler*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{1462EBAA-96E7-4D93-9A66-0E4068DE4FCF} /*CDR Thumbnail Provider*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{1462EBAB-96E7-4D93-9A66-0E4068DE4FCF} /*CPT Thumbnail Provider*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{1462EBAC-96E7-4D93-9A66-0E4068DE4FCF} /*CMX Thumbnail Provider*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{F9633464-9E18-4C06-9D3A-E131C036A9FA} /*CDR Property Handler*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{F9633465-9E18-4C06-9D3A-E131C036A9FA} /*CPT Property Handler*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{7DDDBFE0-09C4-4680-9E13-8CE7D00EDE57} /*CDR Property Sheet*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{7DDDBFE1-09C4-4680-9E13-8CE7D00EDE57} /*CPT Property Sheet*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{7DDDBFE2-09C4-4680-9E13-8CE7D00EDE57} /*CMX Property Sheet*/c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll = c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
    @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
    @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
    Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
    Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
    @Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
    @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

    HKCU\Software\Microsoft\Internet Explorer\Main >>>
    @Start Pagehttp://sharekhan.com/ = http://sharekhan.com/
    @Local Pagehttp://www.myiris.com = http://www.myiris.com

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
    its@CLSID = C:\WINDOWS\system32\itss.dll
    mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
    ms-its@CLSID = C:\WINDOWS\system32\itss.dll
    mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

    HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
    Bijoy 2000.lnk = Bijoy 2000.lnk
    Microsoft Office.lnk = Microsoft Office.lnk

    ---- EOF - GMER 1.0.14 ----

  10. #10
    jenaguru Guest

    Default Re: how home page changed automatically?

    Oldsod, I checked all the registry locations and found all are fine, no strange or unusual sites.

    Thanks, jenaguru.
