Home Page On IE is hijacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sbford

Thread Starter
Joined
Apr 5, 2004
Messages
7
i've seen another thread on this but i can't get get rid of this bug that is constantly changing my IE home page from what i deem it (ie MSN.com) to some lame "free web search" page. i've run hijack this and spybot and i can't get it fixed. i want to show you my Hijack This scan sheet but am not sure how to copy and paste it. please help!!!
 
Joined
Mar 20, 2003
Messages
4,823
press Scan, and press Save Log

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

open that file
Go to Edit | Select all
Now click Edit | copy to copy it

Do not change anything just yet
Come back to the forum, Right Click and paste its contents here

Someone will come along and have a look at it, and advise you what still needs to be removed.
 
Joined
Mar 20, 2003
Messages
4,823
You already have Hijackthis?

I gave the instructions for posting the log assuming that you had Hijack this already on your system
 
Joined
Jan 6, 2002
Messages
19
I have same problem. Is it poor forum etiquette to come in on someone else's thread with my problem? If so, I'll start a new thread.
-------------

My IE home page has been taken over by "allaboutsearching.com". It launches sites that appear to be legit, but lots of them, lots of popups, out of control. It seems to have some timing mechanism in place to launch after some length of time. It had installed a toolbar to my desktop that I managed to get rid of, but it wasn't simple.

I've also lost the feature where I can type search words in the address box and it performs a search, without me having to choose the Search button.

Windows XP
I.E. 6.0.2800.1106

* I've deleted cookies and temp files.
* I've used control panel, internet options to reapply my home page (it's lost with next reboot)
* I've made some of the url's that it uses Restricted Sites
* Tried disabling some scripting and activeX, but reset them because I couldn't do things that I wanted to do
* I've looked in add/remove programs and removed "Active Window", which I think took away the persistent toolbar
* I've searched the computer for files with the date that I started having problems, located some, and renamed the folders and files with the hope of disabling, still afraid I'll break something that I want in the process

It seemed better, but not all better, then last night I was directed to a site, something like "hotbar.com..." it was an .asp page. And it launched an install process. I used task manager to end the task, but I think some damage was already done.

I'm not a super-techie, just basic. Any advice?

Thanks mucho.
 
Joined
Jan 6, 2002
Messages
19
Sure can. I've started new thread "IE is taken over by UFO's ". Sorry for the interrupt!

LucyLu
 

sbford

Thread Starter
Joined
Apr 5, 2004
Messages
7
i do have Hijack This but after I run the scan and hit save log, the file to be saved is a "Log" file and tries to download it in an audio file instead of text. i then get a notice of "corrupt file" appearing and Audioview player appears. interesting too is that a couple of the files i delete from Hijack This after several computer motions re-appear in the files and the hijacking site is back.
 
Joined
Mar 20, 2003
Messages
4,823
Try re-associating .log files with notepad

Click My computer on the desktop
Click Tools | Folder Options | File Types tab
In the Registered File types window, scroll down to LOG and click on it to highlight it

In the Details for 'LOG' extension section, click Change
Select Notepad and ensure that Always use the selected program to open this kind of file is checked

Click OK

Now try to open the hijack this log
 

sbford

Thread Starter
Joined
Apr 5, 2004
Messages
7
wow. amazing. thanks.
so here is the hijack log. interstingly,the R0, F1 and 02 files in the middle i have been deleting, but with a few later keystrokes and a re-scan, the are rejuvinated.

Logfile of HijackThis v1.97.7
Scan saved at 9:05:46 PM, on 04/05/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\VOYETRA\AS2\VTRAY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\DTTOYS\TOYSEL32.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWINDER GDP.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAMONHKW.EXE
C:\PROGRAM FILES\THE HELPSPOT!\RESMON.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FADSKMON.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FASMTMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\MY DOCUMENTS\HIJACKT1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-web-search.com/4010/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\VOYETRA\AS2\VTRAY.EXE /s
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
O4 - Startup: Desktop Toys.lnk = C:\DTToys\Toysel32.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37911.4307523148

thanks so much for the advice.
 
Joined
Jun 26, 2002
Messages
176
Do any cleaning at all yet with Adware removers?

Follow these instructions exactly and come back with another HJT log.


GL


Download CWShredder Log offline , Close all Browser windows , Check the Taskbar for minimized windows as well , Hit the ''Fix->''button then restart your computer.

Next , Download Spybot Search & Destroy Open Spybot Search & Destroy (Click Start , Programs , Spybot S&D (Advanced Mode) Click online , Search for updates , Download all available updates. Log offline , Close all Browser windows , Click ''Check for Problems'' , Put a check in every entry Spybot Search & Destroy detects and click ''Fix Selected Problems''.

Download , Update , Configure , and run Ad-Aware 6 Build 181 following the instructions in the Ad-Aware 6: Reference guide by Winchester73.

On the IE Toolbar , Click Tools , Internet Options , Security , ''Internet'' , Click ''Default Level'' You want the slider set to Medium. Select ''Restricted Sites'', Click ''Default Level''You want the slider set to High.

Create a New Folder in C:\ and name it -> ie-spyads . Download IE-SPYAD.ZIP Extract the IE-spyad files to the new C:\IE-spyad Folder , Click Install.bat , Select option #2 (#4 is optional) then exit.

Install Javacool'sSpywareBlaster v3.0. Press ''Enable all Protection''.

When you're finished , Rescan Hijack This , Return to this thread and please show us a follow-up scanlog.
 

sbford

Thread Starter
Joined
Apr 5, 2004
Messages
7
i restarted the computer, went online and the hijacker site did not come up. after several web site changes i went back to the "home" page and it was still MSN.com. i think this worked!!
i believe the CWzapper program is what killed it. i'd been runing ad aware and spybot and it wasn't eliminating the problem. when i ran the CW program and re-ran Hijack This, those programs that had been continuing to surface were gone.
thanks so much for all of the advice. you guys are great.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top