Status
Not open for further replies.

· Registered
Joined
·
318 Posts
Discussion Starter · #1 ·
I've been having some problems lately, I stumbled upon a seriously bulky spyware site that installed some pretty nasty stuff on my computer. Since then, I've run Ad-aware, Spybot S&D, Hijack This, CWShredder, and my Antivirus. (all up to date). I think I've got it all, but for some reason, my Internet Explorer keeps wanting to save to the TEMP directory, and then immediately open. It auto downloads, there isn't even a save as dialogue.

Also, another problem, there is a strange file in my TEMP that won't delete, every time I delete it it comes back.

And while I'm on the boards, might as well throw another problem at you brilliant people you ;) ... whenever I use my HOST file it seems to d/c me from the internet. I'm thinking maybe it's too large? Any advice would be appreciated! Thanks in advance! :cool:
 

· Registered
Joined
·
46,025 Posts
Unzip HijackThis to a permanent folder, run it and select "Scan". Then save the scanlog and copy/paste the results here.

http://www.spywareinfo.com/~merijn/downloads.html

Also open up Internet Options. Select the General page and then under Temporary Internet files, "Settings". What does it say for the location of your temporary internet folder?
 

· Registered
Joined
·
318 Posts
Discussion Starter · #3 ·
I already have hijack this, as I stated before, and I have run it. Second of all, it says "Temporary Internet Files". It's not saving the files to the internet temp, it's saving them to the WINDOWS temp.

Oddly enough though, hijack this freezes when I try to run it again, I was intending to paste the hijack this log right after my first post, but the stupid thing keeps freezing!
 

· Registered
Joined
·
318 Posts
Discussion Starter · #4 ·
Okay I managed to get it unfrozen...
Here is my log, I put in "Safe" for the items I know are safe, and "?" for items I have no clue.

Logfile of HijackThis v1.97.7
Scan saved at 10:04:46 AM, on 4/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL Safe
C:\WINDOWS\SYSTEM\MSGSRV32.EXE Safe
C:\WINDOWS\SYSTEM\mmtask.tsk Safe
C:\WINDOWS\SYSTEM\MPREXE.EXE ?
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE Safe
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE Safe
C:\WINDOWS\EXPLORER.EXE Safe
C:\WINDOWS\TASKMON.EXE Safe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE Safe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE Safe
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE Safe
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE Safe
C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE Safe
C:\PROGRAM FILES\CREATIVE ELEMENT POWER TOOLS\STARTUP.EXE Safe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE Safe
C:\WINDOWS\SYSTEM\WMIEXE.EXE ?
C:\PROGRAM FILES\CIDIAL\CIDIAL.EXE Safe
C:\WINDOWS\SYSTEM\RNAAPP.EXE ?
C:\WINDOWS\SYSTEM\TAPISRV.EXE ?
C:\WINDOWS\SYSTEM\DDHELP.EXE ?
D:\PROGRAMS\HIJACK THIS\HIJACKTHIS 1.97.7.EXE Safe
C:\PROGRAM FILES\GRISOFT\AVG7\AVGWB.DAT Safe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mikros0ft 1nt3r/\/et Xpl0r3r Safe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL Safe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX Safe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun Safe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe Safe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe Safe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp Safe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP Safe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE Safe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Safe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe Safe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" Safe
O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE Safe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Safe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart Safe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background Safe
O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe Safe
O4 - Startup: Creative Element Power Tools Startup.lnk = C:\Program Files\Creative Element Power Tools\Startup.exe Safe
O4 - Startup: CiDial 2.3.lnk = C:\Program Files\CiDial\CiDial.exe Safe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present ?
O8 - Extra context menu item: Open In &New Window - C:\WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui Safe
O8 - Extra context menu item: View old version at &archives.org - C:\WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\Web\tuarch.tui Safe
O8 - Extra context menu item: Zoom &In* - C:\WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.tui Safe
O8 - Extra context menu item: Zoom &Out* - C:\WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.tui Safe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38079.0627546296 ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Safe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab Safe
 

· Registered
Joined
·
318 Posts
Discussion Starter · #5 ·
Taadaa, I figured out what I was doing wrong, I hit open instead of save when the dialogue popped up. I can now save again with IE, yet it still gives me a warning about "exe" files. I'd like to disable this, because I'm pretty aware of the danger of exe files, but the checkbox option to take off the message is grayed out. Anybody know if this is native of IE to be grayed out? Anybody know any registry entries to change this?
 