
IE Hijacked by Cadabra.com

Discussion in 'Security and Privacy' started by Gemo, 2004/05/12.

Thread Status:
Not open for further replies.
  1. 2004/05/12
    Gemo

    Gemo Inactive Thread Starter

    Joined:
    2003/02/11
    Messages:
    77
    Likes Received:
    0
    When I start Internet Explorer (running Win 98) the default start up url is www.cadabra.com which really bugs me.

    I want to start with google or some other sites but not cadabra.

    When I go to Internet Options and apply www.google.com as the default start up url it doesn't make any difference - the next time (even after rebooting) that IE starts up it's back to cadabra.

    I'm running Norton AV s/w with latest updates and have repeatedly scanned for spyware using Adware (with latest updates).

    What's causing IE to start up with cadabra and how do I get rid of it?

    Thanks and regards.
     
    Gemo,
    #1
  2. 2004/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download HijackThis from the CWShredder link in my signature. Place it in a permanent folder on the drive (I create a new one named HijackThis), open and scan, then save log. Once saved it will open in notepad. Select all from the edit menu, copy and paste it here. Don't fix anything with it yet! Someone experienced with the logs will advise how/what to fix.
     


  4. 2004/05/12
    P3-450

    P3-450 Inactive

    Joined:
    2004/01/31
    Messages:
    3
    Likes Received:
    0
    Go here and download HijackThis, extract it to its own permanent folder and run a scan, save the log and copy and paste it into your next reply.
     
  5. 2004/05/12
    Gemo

    Gemo Inactive Thread Starter

    Joined:
    2003/02/11
    Messages:
    77
    Likes Received:
    0
    OK P3-450 have d/l'd the s/w and will install this eve and post the log.

    Thanks for the help.

    In the meantime I have a quick, related? question -- Over the past week on the suspect PC a couple of times I got a blue full screen, titled something like IE 6 browser, with an error msg box that said something kind of like "IE has detected a saser virus - click OK to disinfect".

    The msg looked very suspect (and Norton AV (continuously running in bkgrnd) didn't pick up the virus) so I closed [with X] the window but I'm wondering now if there really was an infection and if that is the problem I'm having with my IE being hijacked???
     
    Gemo,
    #4
  6. 2004/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Been waiting to see if you were going to respond in this thread or the identical one you posted an hour earlier, to which I responded. :) You did the right thing with that popup. Do you have a firewall installed? If not, install one and see if the popups stop. Kerio, Zone Alarm and Sygate are the most popular available for free here.

    BTW, your other post was moved to the security forum, as this one most likely will be. ;)
     
  7. 2004/05/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Correct, Dave - and I feel a 'merge' coming on :D

    Gemo Please don't Double Post - only confuses the issue and may lose you attention. Merging these threads with edit
     
  8. 2004/05/12
    Gemo

    Gemo Inactive Thread Starter

    Joined:
    2003/02/11
    Messages:
    77
    Likes Received:
    0
    Ten thousand apologies for apparently double posting - I definitely didn't intend to and I'm not even certain how I did it in the first place.

    Anyway, here's my scan log from Hijack This. Before I scanned I thought I'd be smart and I did a regedit search for "sysupd" (which I found was loading in Start Up), as well as renaming "sysupd.exe" in my windows folder. I think this helped a bit but that stupid cadabra.com is still loading.

    Hope you can spot something I can fix from this scan --
    BTW - not sure what HelpDD.exe is...

    Logfile of HijackThis v1.97.7
    Scan saved at 7:16:06 PM, on 12/05/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\TPWRMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\MSXMLFILT.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TPwrMgr] TPwrMgr.Exe
    O4 - HKLM\..\Run: [TMOUSE] C:\Toshiba\Mouse\tmouse.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
    O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://navce/navceclientinstall/webinst/WebInst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.7808101852
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.18/ttinst.cab
     
    Gemo,
    #7
  9. 2004/05/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    DDHelp.exe is DirectDraw Helper. Legit piece of Microsoft DirectX stuff - graphics related.

    Run HJT again and get rid of
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\MSXMLFILT.DLL
     
    Newt,
    #8
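Added example (not part of the thread, and not HijackThis's own logic): a short Python triage script that parses log lines in the format Gemo posted and flags O2 BHO entries like the one Newt singled out. The two heuristics (no registered name, near-constant CLSID) and the "Example Helper" line are assumptions made for illustration.

```python
import re

# Lines copied from the log above, plus one constructed BHO for contrast.
SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\MSXMLFILT.DLL
    O2 - BHO: Example Helper - {1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D} - C:\PROGRAM FILES\EXAMPLE\HELPER.DLL
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")            # "O2 - <body>"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_entries(log_text):
    """Return (section, body) for every 'R1 - ...' / 'O2 - ...' style line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def placeholder_clsid(clsid):
    """Assumed heuristic: generated GUIDs look random, so a CLSID where
    28+ of its 32 hex digits are the same character was likely hand-picked."""
    digits = clsid.strip("{}").replace("-", "").lower()
    return max(digits.count(c) for c in set(digits)) >= 28

def review_bhos(log_text):
    """List O2 (Browser Helper Object) entries worth a manual look."""
    findings = []
    for section, body in parse_entries(log_text):
        m = BHO.match(body) if section == "O2" else None
        if not m:
            continue
        name, clsid, path = m.groups()
        reasons = []
        if name == "(no name)":
            reasons.append("no registered name")
        if placeholder_clsid(clsid):
            reasons.append("placeholder-looking CLSID")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_bhos(SAMPLE_LOG):
        print(f["clsid"], f["path"], "; ".join(f["reasons"]))
```

A flagged entry is a prompt for review, not a verdict: plenty of legitimate BHOs show "(no name)", so the DLL path still needs checking before anything is fixed.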
  10. 2004/05/12
    Gemo

    Gemo Inactive Thread Starter

    Joined:
    2003/02/11
    Messages:
    77
    Likes Received:
    0
    OK super - did what was suggested and IE is working and loading google upon start up.

    Thanks for the help.
     
    Gemo,
    #9
  11. 2004/05/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Fix this also
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.18/ttinst.cab

    Newt, guys, IE and folders must be closed when fixing bho's for proper removal
     
  12. 2004/05/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanx Lonnie. I think I knew that - I think.
     