hijack this log! help!
-
here's the issue: homepage hijacked to show "System Temporarily Unavailable"
it then has a link "Adults Only - Enter here!" which links to www.barelylegal.com, and a pop-up of "Congratulations! You've won VIRTUAL REALITY CASINO!" (Yeah, I'm feeling like a winner, for sure.)
Spybot and Ad-Aware haven't done anything about it. I'll go run Ad-Aware again whilst I wait for feedback.
Log is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 9:11:28 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\Zenworks\Naldesk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
H:\!spyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marquee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Marquee
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://marquee/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Global Startup: Genuamif.lnk = C:\Program Files\Tivoli\lcf\inv\SCAN\Genuamif.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Novell delivered applications (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://Marquee
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...181.2819675926
O16 - DPF: {CFFFD691-E3B7-11D2-8CFD-00600811D842} (QSPXCTRLProxy.UserControl1) - http://cody/intouch/QSPXCTRLProxy.CAB
O16 - DPF: {E3478A25-C55A-11D1-8EE1-0020AF9FC011} (QSPX Control) - http://cody/modemworksii/Controls/QSPX.ocx
O16 - DPF: {EE60CECC-E38B-11D2-8CFC-00600811D842} (Router.UserControl1) - http://cody/intouch/Router.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6582C06E-9856-4FBB-8100-30186BD254E6}: Domain = cablevison.com
-
Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marquee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Marquee
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://marquee/
Reboot, then post a fresh log and let us know how things are running.
-
alrighty. removed those. IE launches with the default about:blank as per the HijackThis fix.
reboot, however, brings back our foul little redirect.
new hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 10:00:57 AM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\Zenworks\Naldesk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\!spyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://Marquee
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Marquee
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Global Startup: Genuamif.lnk = C:\Program Files\Tivoli\lcf\inv\SCAN\Genuamif.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Novell delivered applications (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://Marquee
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...181.2819675926
O16 - DPF: {CFFFD691-E3B7-11D2-8CFD-00600811D842} (QSPXCTRLProxy.UserControl1) - http://cody/intouch/QSPXCTRLProxy.CAB
O16 - DPF: {E3478A25-C55A-11D1-8EE1-0020AF9FC011} (QSPX Control) - http://cody/modemworksii/Controls/QSPX.ocx
O16 - DPF: {EE60CECC-E38B-11D2-8CFC-00600811D842} (Router.UserControl1) - http://cody/intouch/Router.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{6582C06E-9856-4FBB-8100-30186BD254E6}: Domain = cablevison.com
marquee is our intranet homepage, in case you hadn't already figured as much.
thanks for the prompt response. eagerly awaiting the next step. I've removed plenty of annoyances, but this one has me stumped. the only other thing I ever had real issues with was the about:blank headache on my home pc, but I just swapped to Firefox and sidestepped the issue... if only I could convince corporate to roll out Firefox as our default here.
-----aphazia
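An added example, not code from this thread or from HijackThis, that does in code what the helper asked for above: it compares the log from before 'Fix Checked' with the one posted after the reboot, using constructed excerpts of the two logs in this thread. It reports which fixed entries stayed gone and which came back, and lists any other entry still carrying the returned target URL (here the O14 IERESET.INF line), which is the natural next thing to look at when a fixed entry reappears.

```python
import re

# Constructed excerpts of the two logs posted in this thread: before 'Fix Checked'
# and after the reboot. FIXED is the three R0/R1 lines the helper asked to fix.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marquee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Marquee
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://marquee/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O14 - IERESET.INF: START_PAGE_URL=http://Marquee
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://Marquee
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Marquee
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O14 - IERESET.INF: START_PAGE_URL=http://Marquee
"""
FIXED = "\n".join(LOG_BEFORE.splitlines()[1:4])

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def parse_log(text):
    """Map each HijackThis entry to {'<section> <location>': value}; header and
    process-list lines are skipped. Splitting on '=' keeps the registry location
    as the key, so the same location with a new URL shows up as changed, not new."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        sep = " = " if " = " in body else "="
        key, _, value = body.partition(sep)
        entries[f"{sec} {key.strip()}"] = value.strip()
    return entries

def norm_url(url):
    # IE records the same target with varying case and trailing slash.
    return url.strip().lower().rstrip("/")

def triage(before, after, fixed):
    """For each fixed entry: 'removed', 'returned' (same target) or 'changed'.
    Also returns entries outside the fixed set that still carry a returned target
    (candidate re-seeding sources) and entries that are new since the first log."""
    b, a, f = parse_log(before), parse_log(after), parse_log(fixed)
    report = {}
    for key, old in f.items():
        if key not in a:
            report[key] = "removed"
        else:
            report[key] = "returned" if norm_url(a[key]) == norm_url(old) else "changed"
    targets = {norm_url(v) for k, v in f.items() if report[k] == "returned"}
    seeds = sorted(k for k, v in a.items() if k not in f and norm_url(v) in targets)
    new = sorted(k for k in a if k not in b)
    return report, seeds, new
```

Calling triage(LOG_BEFORE, LOG_AFTER, FIXED) on the excerpts shows the Shellnext entry stayed removed, the Start Page and Default_Page_URL entries returned, and the O14 IERESET.INF entry is the one other place still carrying that URL.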
-
also of note: it's not a redirect so much as this: whatever's causing the issue seems to be blocking access to 'marquee', as it's unpingable (and it should be). the redirect page also comes up on any unfound page. so it's my default search page being redirected to the spyware page, I am inferring, coupled with it blocking marquee. is this a logical assumption?
-
Could you update to the latest version of HijackThis? There's a link in the page in my signature. That will help us more.