
can't change home page for IE

Discussion in 'Malware and Virus Removal Archive' started by stefano19, 2004/07/08.

Thread Status:
Not open for further replies.
  1. 2004/07/08, stefano19 (Thread Starter)
    Hi Guys!

    2 problems: (1) Just the other day, something must have happened because I suddenly can no longer change the IE Home page in "Internet Options": the buttons are gray, and I can't click inside the type area; (2) A strange toolbar keeps appearing on the taskbar every time I log on even though I disable it every time. It says "Search the Web" and has a small search button next to it. How can I get rid of it?

    Thanks
     
  2. 2004/07/08, Welshjim
    Stefano19--It looks like you have been "hijacked", that is, spyware (often a trojan) that takes over your homepage and search engine and could send info about your PC back to its owner.
    Probably the best thing to do is to download and install HiJackThis (free)
    http://radiosplace.com
    Then post the log here and someone can help you.
    What is your homepage now?
    P.S. I tried running a search on Google about the symptoms you describe but found that more than one trojan acts this way. You might have a look at these references to see if either describes what you are seeing.
    http://forums.techguy.org/archive/index.php/t-240710.html
    http://securityresponse.symantec.com/avcenter/venc/data/js.seeker.b.html
    If you have those indicators there are ways of manually uninstalling.
     


  4. 2004/07/08, stefano19 (Thread Starter)
    Logfile of HijackThis v1.98.0
    Scan saved at 6:23:10 AM, on 7/9/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\sm56hlpr.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Opera7\opera.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\FlashGet\JetCar.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.artelecom.ro
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatsfind.com/page.html
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [tqmshnyznyr] C:\WINDOWS\System32\xsfkdf.exe
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dhcnchfw.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD006BC9-6B01-4C31-967A-B1F8BB59E632}: NameServer = 80.97.194.3 80.97.194.4
     
  5. 2004/07/09, sparrow
    stefano19,

    You have Trojan.Sidea on your machine, according to symantec. It "sends stolen information to specific email addresses." There may be other problems as well.

    Disable System Restore by: My Computer, right click, properties, system restore tab, check turn off box.

    Be sure you have a firewall before you go online. See zonealarm.

    Update the virus definitions for your antivirus program and do a complete scan, and/or do an online scan with housecall or RAV.

    Then you'll need to delete the values that were added to the registry, as indicated in the symantec link above. The experts will help with that after you post the new log.

    Then download the newest HijackThis, place it in its own folder and unzip it, upgrade it online, and run it from there, then save the log and post it here again. The experts here will also look at your problem and advise you.
     
    Last edited: 2004/07/09
  6. 2004/07/09, Welshjim
    stefano19--
    I am no expert on HiJackThis logs, but here are some comments on yours.
    You may or may not have Trojan.Sidea. Do you run a download program called FlashGet? If so, the reference to Jetcar.exe may be OK.
    The malware I find are the following
    C:\Program Files\WindowsSA\omniscient.exe
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [tqmshnyznyr] C:\WINDOWS\System32\xsfkdf.exe
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    You should consider putting these items into quarantine. Then reboot, and run HiJackThis again and post the log.
    By the way, you do seem to have the latest version of HJT already.
    I am also suspicious about the following items
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD006BC9-6B01-4C31-967A-B1F8BB59E632}: NameServer = 80.97.194.3 80.97.194.4
    And unless you live in Romania, I suspect you should also fix these items
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.artelecom.ro
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatsfind.com/page.html
    I do not think you have much to lose by quarantining these items, also. You can always restore if you find you need them.
    The main trouble with my suggestions is some of the malware will reinstall unless you totally eliminate them.
    But let's see what quarantining does for you.
    I hope someone more knowledgeable will chime in.
    P.S. I am putting these URL's here in case we need them later.
    http://www.doxdesk.com/parasite/MySearch.html
    http://www.wilderssecurity.com/archive/index.php/t-35120
    http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_BLAZEFIND.A
     
  7. 2004/07/09, stefano19 (Thread Starter)
    thanks

    thanks, will do my best and post soon after I quarantine.

    Stefano
     
  8. 2004/07/09, stefano19 (Thread Starter)
    fixing...

    OK, I ran HijackThis, checked the suspicious items and then clicked on Fix Checked. Is that correct? This is how the log looks now:

    Logfile of HijackThis v1.98.0
    Scan saved at 7:38:46 AM, on 7/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\sm56hlpr.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
    C:\Program Files\Opera7\opera.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\FlashGet\JetCar.exe
    C:\Downloads\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dhcnchfw.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD006BC9-6B01-4C31-967A-B1F8BB59E632}: NameServer = 80.97.194.3 80.97.194.4
     
  9. 2004/07/10, Newt
    There may be problems I missed but here are some problems you still have. An earlier suggestion was that you turn off system restore and run a virus scan with an online scanner like RAV. Did you do that?

    C:\Program Files\WindowsSA\omniscient.exe was dropped on you by a trojan and looks to be not dealt with.
    http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_BLAZEFIND.A

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    Do a search in this section for "P2P Networking" (without the quotes). Bad stuff but more to getting rid of it than just closing the registry run setting.

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    I can't think of a single legit reason for a user to disable Regedit. Maybe if you were on a large corporate network and the IS/IT folks wanted more control they would set such a policy but a single user or small network shouldn't.

    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    Can't find much specifics on this one but if it were on my PC, it would go.

    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dhcnchfw.exe
    Can't find any information about dhcnchfw.exe and that is usually a very bad sign. I'd get rid of the entry unless you know exactly what it is and installed it yourself.

    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe is from another worm infection.
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    Doing nothing or maybe just nothing good. Needs to go.
     
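The replies above triage the HijackThis log by hand: start-page entries (R0/R1), the URLSearchHook (R3), the extra executable appended to UserInit (F2), BHOs and toolbars that are not known-good (O2/O3), Run values with Microsoft-sounding or random names and the Win9x-only RunServices key (O4), the IE and regedit policy keys that explain the greyed-out Home page buttons (O6/O7), dead O9 buttons, a file-less O16 ActiveX control, and registry DNS servers (O17). The script below is an added example, not code from this thread or from HijackThis, that applies the same rules to a copy of stefano19's first log. The allow-list of CLSIDs and every heuristic in it are assumptions chosen for illustration; a real analyst would still look up each flagged binary.

```python
"""Rule-based triage of a HijackThis (HJT) v1.9x log.
Added example for this thread, not code from the forum or from HijackThis.
SAMPLE_LOG is copied from stefano19's first log above; the allow-list and the
heuristics are assumptions chosen to mirror the judgements made by hand in the replies.
"""
import re
from dataclasses import dataclass

# Assumed allow-list: CLSIDs the replies treat as benign (Acrobat helper, FlashGet catcher).
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # AcroIEHelper.dll
    "{A5366673-E8CA-11D3-9CD9-0090271D075B}",  # FlashGet jccatch.dll
}

@dataclass
class Finding:
    section: str
    line: str
    reason: str

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
SYSTEM_WORDS = ("microsoft", "windows", "cryptographic", "update")

def check_entry(section, rest):
    """Return why this HJT entry deserves review, or None if no rule fires."""
    if section in ("R0", "R1"):
        return "IE start/search page setting: confirm it is one you chose"
    if section == "R3":
        return "URLSearchHook intercepts every address-bar search; rarely legitimate"
    if section == "F2" and "UserInit=" in rest:
        exes = [p.strip() for p in rest.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [e for e in exes if not e.lower().endswith("\\userinit.exe")]
        return ("UserInit runs extra binaries at logon: " + ", ".join(extra)) if extra else None
    if section in ("O2", "O3"):
        m = CLSID_RE.search(rest)
        if m and m.group(0).upper() in KNOWN_GOOD_CLSIDS:
            return None
        return "BHO/toolbar not on the allow-list; runs inside IE with the user's rights"
    if section == "O4":
        m = RUN_RE.match(rest)
        if not m:
            return None
        key, label, cmd = m.group("key"), m.group("label"), m.group("cmd")
        exe = cmd.split()[0].strip('"') if cmd.split() else ""
        if key == "RunServices":
            return "RunServices is a Win9x-era key; on XP setting it is a malware persistence habit"
        if any(w in label.lower() for w in SYSTEM_WORDS):
            where = "a bare name with no path" if "\\" not in exe else exe
            return f"system-sounding value name '{label}' runs {where}; verify the binary"
        if len(label) >= 8 and not re.search(r"[aeiou]", label.lower()):
            return f"random-looking value name '{label}'"
        return None
    if section in ("O6", "O7"):
        return "policy key present; its values grey out Internet Options or block regedit"
    if section == "O9" and "(no file)" in rest:
        return "IE button/menu item whose file is missing; dead CLSID"
    if section == "O16" and rest.rstrip().endswith("-"):
        return "downloaded ActiveX control (DPF) with no file on disk"
    if section == "O17":
        return "DNS servers set in the registry; confirm they belong to your ISP"
    return None

def triage(log_text):
    """Parse every 'Rn/Fn/On - ...' line and collect the ones a rule flags."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            reason = check_entry(m.group(1), m.group(2))
            if reason:
                findings.append(Finding(m.group(1), raw.strip(), reason))
    return findings

# Sample input copied from the first log in this thread (raw string: the paths contain backslashes).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatsfind.com/page.html
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [tqmshnyznyr] C:\WINDOWS\System32\xsfkdf.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dhcnchfw.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD006BC9-6B01-4C31-967A-B1F8BB59E632}: NameServer = 80.97.194.3 80.97.194.4
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

Run it on a saved log and it prints one reason per flagged entry; the Acrobat BHO and the NVIDIA Run value pass untouched, everything the replies singled out is listed. The heuristics deliberately err on the side of asking for review rather than declaring malware: an O17 entry pointing at the ISP's own resolvers, for instance, is reported so the owner can confirm it, not removed.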