pskelley
933 Posts
0
July 1st, 2004 14:00
Hi, I am guessing you left out a word. This is what you typed:
R1-HKCU\Software\Microsoft\Internet Explorer\Main,OldSP=about:blank
I am guessing you meant to type:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
This is a tough one, causing problems for many, many folks. It appears to mutate on a reboot so the removal process is manual and a bit difficult. Removal tools are being worked on. If you want us to take a look, please follow the directions below:
Hi, If you would like us to take a look at your computer, we will need you to follow the directions below. Once your log is posted, please be patient. We are all volunteers with families and real jobs, and the logs being posted are many. We do work the logs in the order they come in. One of the experts here will assist you with your log as soon as possible. Thanks...pskelley
We need you to download and install an analysis and repair tool called Hijackthis.
Download the zipped file from here: http://www.majorgeeks.com/download3155.html
Please unzip Hijackthis.zip and move hijackthis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a temp folder, or in the root level of the C: drive or the My Documents folder. It will create many backup files and they need to be stored in a unique Hijackthis folder. If it is properly placed it will look like this: C:\HJT\HijackThis.exe.
Hijackthis FAQ (Frequently Asked Questions) at: http://russelltexas.com/malware/faqhijackthis.htm
After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.
Stay in this thread for continuity. Reply to this message.
Thanks,
pskelley
In Training at TomCoyote.com and Spywareinfo.com
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)
Pam P.
2 Posts
0
July 2nd, 2004 23:00
I have a hijacked homepage - here is the log. I appreciate anything you can do to help me. I also have a problem where Office XP tries to install all the time. These happened about the same time. Are they related or 2 different viruses?
Logfile of HijackThis v1.98.0
Scan saved at 12:09:07 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msub32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iegs32.exe
C:\WINDOWS\apicd32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\program files\dialers\nsvdr\nsvdr.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\sncntr.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\Program Files\Franklin Covey\Planner\Compass.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Franklin Covey\Planner\planner.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Dell\Support\bin\support.exe
C:\Program Files\Dell\Support\bin\BrowserApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
c:\program files\internet explorer\iexplore.exe
C:\hijackthisremoval\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ywnkt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ywnkt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ywnkt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ywnkt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ywnkt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ywnkt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CDF6D82-5712-7179-76F5-8BCB61F5E50A} - C:\WINDOWS\apiys32.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nsvdr] c:\program files\dialers\nsvdr\nsvdr.exe /noconnect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Sd32info] c:\windows\system32\sd32info.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [apicd32.exe] C:\WINDOWS\apicd32.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Info32] c:\windows\system32\info32.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunOnce: [iegs32.exe] C:\WINDOWS\system32\iegs32.exe
O4 - HKLM\..\RunOnce: [addsh.exe] C:\WINDOWS\system32\addsh.exe
O4 - HKLM\..\RunOnce: [cruy32.exe] C:\WINDOWS\cruy32.exe
O4 - HKLM\..\RunOnce: [d3qk32.exe] C:\WINDOWS\system32\d3qk32.exe
O4 - HKLM\..\RunOnce: [crvs32.exe] C:\WINDOWS\crvs32.exe
O4 - HKLM\..\RunOnce: [mfcmr.exe] C:\WINDOWS\mfcmr.exe
O4 - HKLM\..\RunOnce: [msub32.exe] C:\WINDOWS\SYSTEM32\msub32.exe
O4 - HKLM\..\RunOnce: [sdknh.exe] C:\WINDOWS\system32\sdknh.exe
O4 - HKLM\..\RunOnce: [iewd32.exe] C:\WINDOWS\iewd32.exe
O4 - HKLM\..\RunOnce: [javagq.exe] C:\WINDOWS\javagq.exe
O4 - HKLM\..\RunOnce: [d3qd32.exe] C:\WINDOWS\d3qd32.exe
O4 - HKLM\..\RunOnce: [craz.exe] C:\WINDOWS\system32\craz.exe
O4 - HKLM\..\RunOnce: [ipwn32.exe] C:\WINDOWS\ipwn32.exe
O4 - HKLM\..\RunOnce: [ipoi.exe] C:\WINDOWS\ipoi.exe
O4 - HKLM\..\RunOnce: [crqa.exe] C:\WINDOWS\crqa.exe
O4 - HKLM\..\RunOnce: [sdkka.exe] C:\WINDOWS\sdkka.exe
O4 - HKLM\..\RunOnce: [netjr32.exe] C:\WINDOWS\system32\netjr32.exe
O4 - HKLM\..\RunOnce: [syswr32.exe] C:\WINDOWS\syswr32.exe
O4 - HKLM\..\RunOnce: [mslv32.exe] C:\WINDOWS\system32\mslv32.exe
O4 - HKLM\..\RunOnce: [addtj.exe] C:\WINDOWS\addtj.exe
O4 - HKLM\..\RunOnce: [msxb32.exe] C:\WINDOWS\system32\msxb32.exe
O4 - HKLM\..\RunOnce: [winmo.exe] C:\WINDOWS\winmo.exe
O4 - HKLM\..\RunOnce: [atljp.exe] C:\WINDOWS\atljp.exe
O4 - HKLM\..\RunOnce: [ieow.exe] C:\WINDOWS\system32\ieow.exe
O4 - HKLM\..\RunOnce: [sdklp.exe] C:\WINDOWS\system32\sdklp.exe
O4 - HKLM\..\RunOnce: [d3tf32.exe] C:\WINDOWS\system32\d3tf32.exe
O4 - HKLM\..\RunOnce: [iedg.exe] C:\WINDOWS\system32\iedg.exe
O4 - HKLM\..\RunOnce: [crcw32.exe] C:\WINDOWS\crcw32.exe
O4 - HKLM\..\RunOnce: [mfces32.exe] C:\WINDOWS\mfces32.exe
O4 - HKLM\..\RunOnce: [atlkr.exe] C:\WINDOWS\system32\atlkr.exe
O4 - HKCU\..\Run: [Enhance32] c:\windows\system32\enhance32.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com/activex/PlaxoInstall.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\cpgocdkf.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/action/NSupd9x.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4336/mcfscan.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
Thank you,
Pam P.
pskelley
933 Posts
0
July 3rd, 2004 00:00
Hi Pam, I am sorry, but you have posted your log in another person's thread. We only work one log per thread as it would get very confusing to attempt to do otherwise. I would appreciate it if you would go here:
http://forums.us.dell.com/supportforums/board/post?board.id=si_virus
and post a new message in a thread that will be your own. Thanks...pskelley
We need to make you aware that many, many logs are being posted. Because we are few, all volunteers with families and real jobs, we will have to ask you to be patient. We work the logs in the order they come in. One of the experts (trained at SpywareInfo & Tom Coyote) will assist with your log as soon as possible. They may ask for a fresh log as rebooting can mutate the newest infections.
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)
Texruss
3.4K Posts
0
July 4th, 2004 22:00
Gravitytech and Pam:
Tough exploits...no automated fix. See the CWS temp folder Fixes here if you haven't already or if you have the other CWS markers in R0 and R1 lines (sp.html/#nnnnn) where nnnnn is a random number.
http://russelltexas.com/malware/malware.htm
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-) BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
Message Edited by Texruss on 07-04-2004 06:27 PM
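The R0/R1 marker Texruss describes, applied as a check over the R-lines of the log posted earlier in the thread. This is an added example, not part of the thread and not HijackThis code; the function names are hypothetical, and treating any res://...dll/<page>.html#<number> value as the marker (so the index.html entries are caught alongside sp.html) is an assumption.

```python
import re
from collections import defaultdict

# R-section lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ywnkt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ywnkt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ywnkt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ywnkt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ywnkt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ywnkt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - Default URLSearchHook is missing
"""

# "R0 - <registry key>,<value name> = <data>"; spaces around "-" and "=" are
# optional so a hand-typed line such as "R1-HKCU\...,OldSP=about:blank" parses too.
R_LINE = re.compile(r"^(R[01])\s*-\s*(HK[A-Z]+\\[^,]+),(.*?)\s*=\s*(.*)$")

# res:// URL that loads an HTML page out of a DLL and ends in a numeric fragment.
# The optional "/" before "#" covers the "sp.html/#nnnnn" spelling used in the reply.
RES_MARKER = re.compile(
    r"^res://(?P<dll>[^/]*?\.dll)/(?P<page>[\w.-]+\.html?)/?#(?P<num>\d+)$",
    re.IGNORECASE,
)


def find_cws_markers(log_text):
    """Return {dll file name: [finding, ...]} for R0/R1 values carrying the marker."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        line = R_LINE.match(raw.strip())
        if not line:
            continue  # not an R0/R1 registry line (R3, O-lines, process list, ...)
        section, key, name, value = line.groups()
        marker = RES_MARKER.match(value.strip())
        if not marker:
            continue  # ordinary URL, about:blank, quoted program path, ...
        dll = marker.group("dll").split("\\")[-1].lower()  # drop any directory part
        hits[dll].append({
            "section": section,
            "hive": key.split("\\", 1)[0],
            "value_name": name.strip(),
            "page": marker.group("page").lower(),
            "number": marker.group("num"),
        })
    return dict(hits)


def summarize(hits):
    """One line per DLL: number of hijacked values, hives touched, random numbers seen."""
    out = []
    for dll, rows in sorted(hits.items()):
        hives = ",".join(sorted({r["hive"] for r in rows}))
        numbers = ",".join(sorted({r["number"] for r in rows}))
        sp = "yes" if any(r["page"] == "sp.html" for r in rows) else "no"
        out.append(f"{dll}: {len(rows)} R0/R1 values, hives={hives}, "
                   f"numbers={numbers}, sp.html={sp}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(find_cws_markers(SAMPLE_LOG))))
```

Grouping by DLL name shows at a glance that the HKCU and HKLM settings all point at the same file, which matters when a fresh log after a reboot has to be compared against the earlier one.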