Home page keeps changing to some search site. Help

alval · #1 March 9th, 2004, 05:47 PM

In December my internet home page automatically changer to some unwanted search engine. Every time I change it through "tool options" it will stay untill I restart my computer and again a different unwanted search engin appears.
How do I get rid of this auto start home page?
Thanks
Al

Lynn0222 · #2 March 9th, 2004, 05:56 PM

You've got spyware *but* a spyware remover will not remove this one.
Google the name of that search engine and you will find the directions for getting rid of it.

**degsy** · #3 March 9th, 2004, 06:18 PM

HiJackThis should be able to remove it.
http://209.133.47.200/~merijn/files/HijackThis.exe

Other tools, Spybot S&D is one, have options to disable the homepage so that it cannot be changed by spyware.
http://www.safer-networking.org/index.php?page=download

dammit · #4 March 9th, 2004, 06:46 PM

Hi...download spybot first and check for updates before running...have it remove all red entries.
Download hijackthis as suggested and hit scan....when the scan has finished ..hit save log. Copy an paste the log back in this thread...dont make any changes until someone checks it

alval · #5 March 10th, 2004, 02:31 AM

I downloaded Spybot and ran it to fix all problems. I then downloaded Hijack this and copied the resulting log below. If someone can look at it and tell me what I should remove I would greatly appreciate it.
Thanks
Al
Logfile of HijackThis v1.97.7
Scan saved at 6:28:51 PM, on 3/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\winlogon.exe
C:\WINDOWS\System\winspool.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\Content.IE5\SLEFS1I7\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://1-se.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://1-se.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=227
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\AL\Application Data\winwc\winwc.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\AL\Application Data\winwc\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\AL\Application Data\ieor\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [lvxl4yidiz] C:\WINDOWS\vz0oabdylf.exe
O4 - HKCU\..\Run: [e761a2yjmu] C:\WINDOWS\fpc0ogu60y.exe
O4 - HKCU\..\Run: [9n130dcgos] C:\WINDOWS\duggxh6yko.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Land Desktop R2\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...003.3620601852
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\Land Desktop R2\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - file://C:\Program Files\Net-It Now! Starter Edition\jDoc\jDocPrtm.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Land Desktop R2\AcPreview.ocx
O19 - User stylesheet: C:\WINDOWS\color.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)

mike · #6 March 10th, 2004, 10:01 AM

Hi alval ,

Please download CWShredder from:
www.zerosrealm.com/downloads/CWShredder.zip

Unzip, Open CWShredder and click on the Fix button to find and fix any problems.

How to stop CWS infection...read the information when you click "Next" at the end of running CWShredder.

Cheers

mike · #7 March 10th, 2004, 10:41 AM

Hi alval ,

Hi alval ,

Please move HijackThis out of TEMP folder , to a folder of its own.

CWShredder should clean up the ones I left out.

Close ALL browser Windows and Windows Explorer windows, only have HijackThis running.

In HiJackThis, Check the boxes beside the below entries, then click on "Fix checked" .

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=227

O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - (no file)

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O4 - HKCU\..\Run: [lvxl4yidiz] C:\WINDOWS\vz0oabdylf.exe

O4 - HKCU\..\Run: [e761a2yjmu] C:\WINDOWS\fpc0ogu60y.exe

O4 - HKCU\..\Run: [9n130dcgos] C:\WINDOWS\duggxh6yko.exe

O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe

O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,
then press the "Enter" key)

Make sure you can see Hidden files and Folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then delete the below files and Folders:
You may need to navigate to each file/folder in Windows Explorer....do not rely on a "Search"

C:\WINDOWS\System32\NILaunch.exe ......( delete NILaunch.exe file)

C:\WINDOWS\System32\P2P Networking ......( delete folder)

c:\program files\altnet ......( delete folder)

c:\windows\winlogon.exe ......( delete winlogon.exe file)

C:\WINDOWS\vz0oabdylf.exe ......( delete vz0oabdylf.exe file)

C:\WINDOWS\fpc0ogu60y.exe ......( delete fpc0ogu60y.exe file)

C:\WINDOWS\duggxh6yko.exe ......( delete duggxh6yko.exe file)

C:\WINDOWS\System\winspool.exe ......( delete winspool.ex file)

Reboot computer,
and post back a new HJT log to this thread, please.

Cheers.

alval · #8 March 10th, 2004, 07:08 PM

Ok I have downloads SP1 updates run CWsherdder and booted up in safe mode and removed 3 file on your list. I could not find the others. I wend back to Hijackthis and reposted another thread below.
How do I look now?

Logfile of HijackThis v1.97.7
Scan saved at 11:04:00 AM, on 3/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\AL\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Land Desktop R2\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...003.3620601852
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\Land Desktop R2\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - file://C:\Program Files\Net-It Now! Starter Edition\jDoc\jDocPrtm.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Land Desktop R2\AcPreview.ocx
O19 - User stylesheet: C:\WINDOWS\color.css

Steven.Bentley · #9 March 10th, 2004, 09:17 PM

That looks clean to me - the tools you've already used have probably removed those files you can't find.

alval · #10 March 10th, 2004, 09:47 PM

OK, I have rebooted my system a few times and My home page has not been replaced by an intruders search engine. My favorites are still intact, no univited guests. I do believe you guys have solved my problem.
Thanks to Lynn0222, Degsy, Dammit,Mike and Steven for your support.
If you get to Arizona drinks are on me.
Great site

Similar Topics
Topic	Topic Starter	Forum	Replies	Last Post
Home page changing....	popscott	Malware Removal	6	January 26th, 2005 06:40 AM
Changing Home page in IE6	Scottgator	Malware Removal	1	May 30th, 2004 09:18 AM
Homepage keeps changing to about:blank search page! help plz	Nordhauser	Malware Removal	2	May 18th, 2004 07:15 PM
Help - Home Page keeps changing	Jenjen	Malware Removal	5	May 17th, 2004 01:17 PM
lookfor.cc popups [was Home page keeps changing to some search site. Help]	DummKopf21	Internet / Browsers	2	March 14th, 2004 05:44 PM