IE startpage hijacked to citi.com

I will run hijack this later (at work now) but my home computer runs IE 6.0 Windows XP and the startpage is hijacked to citi.com. Did anyone have the same problem and knows the fix. If not, will post my hijackthis log later.

Logfile of HijackThis v1.97.7
Scan saved at 10:01:06, on 01.05.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\SpyStopper\spystopper.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Thomas Hemmen\Eigene Dateien\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = URL
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = URL
O2 - BHO: (no name) - {00000000-663f-49e8-bdf6-f26db51c7dd5} - C:\WINDOWS\liqui.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8E929F51-5914-11D6-971F-0050FC3F9161} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyStopper] C:\Programme\SpyStopper\spystopper.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PVR] C:\Programme\XemiComputers\Pocket Voice Recorder\PVR.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOKUME~1\THOMAS~1\LOKALE~1\Temp\DELDIR0.EXE" "C:\Programme\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .mp4: C:\Programme\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.vobis.de
O16 - DPF: ConferenceRoom Java Client - URL
O16 - DPF: DigiChat Applet - URL
O16 - DPF: Yahoo! NFL GameChannel StatTracker - URL
O16 - DPF: {00000000-663f-49e8-bdf6-f26db51c7dd5} (LIQUIObj Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - URL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!URL
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - URL
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - URL
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - URL
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - URL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - URL
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - URL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - URL
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB492B11-11C5-42A9-B9CD-58DDDC133225}: NameServer = 217.237.149.161 194.25.2.129

Hi a726452004,

Run HijackThis, place a checkmark next to the following items. Close ALL other browsers and windows. Click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.citi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.citi.com
O2 - BHO: (no name) - {00000000-663f-49e8-bdf6-f26db51c7dd5} - C:\WINDOWS\liqui.dll (file missing)
O3 - Toolbar: (no name) - {8E929F51-5914-11D6-971F-0050FC3F9161} - (no file)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/...les/initial.cab
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOKUME~1\THOMAS~1\LOKALE~1\Temp\DELDIR0.EXE" "C:\Programme\McAfee\McAfee Shared Components\Guardian\"


Fix these if you don't want this to be your start page:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vobis.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.vobis.de/
O14 - IERESET.INF: START_PAGE_URL=http://www.vobis.de

Reboot and post a new log.

Tom

I'm having this same problem, I deleted the first two with citi.com in them, but they just come back. I have no clue what to do anymore ... here is my log from hackthis. I would really appreciate any help! Thanks!

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\gearsec.exe
C:\Windows\System32\nvsvc32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Windows\Mixer.exe
C:\Program Files\refreshlock\RefreshLock.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Windows\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Geoff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [C-Media Speaker Configuration] E:\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [RefreshLock] C:\Program Files\refreshlock\RefreshLock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccHelp] ccHelp.hta
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SysUpd] C:\Windows\SysUpd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [Q828026] "C:\Windows\INF\unregmp2.exe" /UpdateWMP
O4 - HKLM\..\RunOnce: [KB824141] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - URL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - URL
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - URL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - URL
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - URL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - URL
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - URL
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - URL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - URL
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - URL

Hi Geebs,

Please start a new thread, with Hijacking or something similar in the title. Post your entire log including the header (the windows and IE version numbers)

Thanks