|
Internet / Browsers Use this board for problem solving and the discussion of Internet and Browser issues |
![]() |
|
Topic Tools |
#1
|
|||
|
|||
![]()
In December my internet home page automatically changer to some unwanted search engine. Every time I change it through "tool options" it will stay untill I restart my computer and again a different unwanted search engin appears.
How do I get rid of this auto start home page? Thanks Al |
#2
|
|||
|
|||
You've got spyware *but* a spyware remover will not remove this one.
Google the name of that search engine and you will find the directions for getting rid of it. |
#3
|
||||
|
||||
HiJackThis should be able to remove it.
http://209.133.47.200/~merijn/files/HijackThis.exe Other tools, Spybot S&D is one, have options to disable the homepage so that it cannot be changed by spyware. http://www.safer-networking.org/index.php?page=download |
#4
|
||||
|
||||
Hi...download spybot first and check for updates before running...have it remove all red entries.
Download hijackthis as suggested and hit scan....when the scan has finished ..hit save log. Copy an paste the log back in this thread...dont make any changes until someone checks it ![]() |
#5
|
|||
|
|||
Home page hijacker
I downloaded Spybot and ran it to fix all problems. I then downloaded Hijack this and copied the resulting log below. If someone can look at it and tell me what I should remove I would greatly appreciate it.
Thanks Al Logfile of HijackThis v1.97.7 Scan saved at 6:28:51 PM, on 3/9/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\WINDOWS\System32\NILaunch.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\WINDOWS\System32\ctfmon.exe C:\windows\winlogon.exe C:\WINDOWS\System\winspool.exe C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe C:\WINDOWS\System32\devldr32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\Content.IE5\SLEFS1I7\HijackThis[1].exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://1-se.com/srchasst.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://1-se.com/srchasst.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://1-se.com/srchasst.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://1-se.com/srchasst.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=227 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated) O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\AL\Application Data\winwc\winwc.dll O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\AL\Application Data\winwc\mssearch.dll O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\AL\Application Data\ieor\msiesh.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe O4 - HKCU\..\Run: [lvxl4yidiz] C:\WINDOWS\vz0oabdylf.exe O4 - HKCU\..\Run: [e761a2yjmu] C:\WINDOWS\fpc0ogu60y.exe O4 - HKCU\..\Run: [9n130dcgos] C:\WINDOWS\duggxh6yko.exe O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM) O9 - Extra button: Copernic Agent (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O13 - WWW. Prefix: http://ehttp.cc/? O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Land Desktop R2\AcDcToday.ocx O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...003.3620601852 O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\Land Desktop R2\InstFred.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - file://C:\Program Files\Net-It Now! Starter Edition\jDoc\jDocPrtm.cab O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Land Desktop R2\AcPreview.ocx O19 - User stylesheet: C:\WINDOWS\color.css O19 - User stylesheet: C:\WINDOWS\my.css (HKLM) |
#6
|
|||
|
|||
Hi alval ,
Please download CWShredder from: www.zerosrealm.com/downloads/CWShredder.zip Unzip, Open CWShredder and click on the Fix button to find and fix any problems. How to stop CWS infection...read the information when you click "Next" at the end of running CWShredder. Cheers |
#7
|
|||
|
|||
Hi alval ,
Hi alval , Please move HijackThis out of TEMP folder , to a folder of its own. CWShredder should clean up the ones I left out. Close ALL browser Windows and Windows Explorer windows, only have HijackThis running. In HiJackThis, Check the boxes beside the below entries, then click on "Fix checked" . R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=227 O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - (no file) O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe O4 - HKCU\..\Run: [lvxl4yidiz] C:\WINDOWS\vz0oabdylf.exe O4 - HKCU\..\Run: [e761a2yjmu] C:\WINDOWS\fpc0ogu60y.exe O4 - HKCU\..\Run: [9n130dcgos] C:\WINDOWS\duggxh6yko.exe O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......, then press the "Enter" key) Make sure you can see Hidden files and Folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html Then delete the below files and Folders: You may need to navigate to each file/folder in Windows Explorer....do not rely on a "Search" C:\WINDOWS\System32\NILaunch.exe ......( delete NILaunch.exe file) C:\WINDOWS\System32\P2P Networking ......( delete folder) c:\program files\altnet ......( delete folder) c:\windows\winlogon.exe ......( delete winlogon.exe file) C:\WINDOWS\vz0oabdylf.exe ......( delete vz0oabdylf.exe file) C:\WINDOWS\fpc0ogu60y.exe ......( delete fpc0ogu60y.exe file) C:\WINDOWS\duggxh6yko.exe ......( delete duggxh6yko.exe file) C:\WINDOWS\System\winspool.exe ......( delete winspool.ex file) Reboot computer, and post back a new HJT log to this thread, please. Cheers. |
#8
|
|||
|
|||
Homepage problems
Ok I have downloads SP1 updates run CWsherdder and booted up in safe mode and removed 3 file on your list. I could not find the others. I wend back to Hijackthis and reposted another thread below.
How do I look now? Logfile of HijackThis v1.97.7 Scan saved at 11:04:00 AM, on 3/10/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\devldr32.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\AL\Desktop\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM) O9 - Extra button: Copernic Agent (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Land Desktop R2\AcDcToday.ocx O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...003.3620601852 O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\Land Desktop R2\InstFred.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - file://C:\Program Files\Net-It Now! Starter Edition\jDoc\jDocPrtm.cab O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Land Desktop R2\AcPreview.ocx O19 - User stylesheet: C:\WINDOWS\color.css |
#9
|
|||
|
|||
That looks clean to me - the tools you've already used have probably removed those files you can't find.
|
#10
|
|||
|
|||
![]()
OK, I have rebooted my system a few times and My home page has not been replaced by an intruders search engine. My favorites are still intact, no univited guests. I do believe you guys have solved my problem.
Thanks to Lynn0222, Degsy, Dammit,Mike and Steven for your support. If you get to Arizona drinks are on me. Great site |
![]() |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
![]() |
||||
Topic | Topic Starter | Forum | Replies | Last Post |
Home page changing.... | popscott | Malware Removal | 6 | January 26th, 2005 06:40 AM |
Changing Home page in IE6 | Scottgator | Malware Removal | 1 | May 30th, 2004 09:18 AM |
Homepage keeps changing to about:blank search page! help plz | Nordhauser | Malware Removal | 2 | May 18th, 2004 07:15 PM |
Help - Home Page keeps changing | Jenjen | Malware Removal | 5 | May 17th, 2004 01:17 PM |
lookfor.cc popups [was Home page keeps changing to some search site. Help] | DummKopf21 | Internet / Browsers | 2 | March 14th, 2004 05:44 PM |
All times are GMT +1. The time now is 11:35 PM.