1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Home Page On IE is hijacked

Discussion in 'Web & Email' started by sbford, Apr 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. sbford

    sbford Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    7
    i've seen another thread on this but i can't get get rid of this bug that is constantly changing my IE home page from what i deem it (ie MSN.com) to some lame "free web search" page. i've run hijack this and spybot and i can't get it fixed. i want to show you my Hijack This scan sheet but am not sure how to copy and paste it. please help!!!
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    press Scan, and press Save Log

    This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    open that file
    Go to Edit | Select all
    Now click Edit | copy to copy it

    Do not change anything just yet
    Come back to the forum, Right Click and paste its contents here

    Someone will come along and have a look at it, and advise you what still needs to be removed.
     
  3. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    You already have Hijackthis?

    I gave the instructions for posting the log assuming that you had Hijack this already on your system
     
  4. LucyLu

    LucyLu

    Joined:
    Jan 6, 2002
    Messages:
    19
    I have same problem. Is it poor forum etiquette to come in on someone else's thread with my problem? If so, I'll start a new thread.
    -------------

    My IE home page has been taken over by "allaboutsearching.com". It launches sites that appear to be legit, but lots of them, lots of popups, out of control. It seems to have some timing mechanism in place to launch after some length of time. It had installed a toolbar to my desktop that I managed to get rid of, but it wasn't simple.

    I've also lost the feature where I can type search words in the address box and it performs a search, without me having to choose the Search button.

    Windows XP
    I.E. 6.0.2800.1106

    * I've deleted cookies and temp files.
    * I've used control panel, internet options to reapply my home page (it's lost with next reboot)
    * I've made some of the url's that it uses Restricted Sites
    * Tried disabling some scripting and activeX, but reset them because I couldn't do things that I wanted to do
    * I've looked in add/remove programs and removed "Active Window", which I think took away the persistent toolbar
    * I've searched the computer for files with the date that I started having problems, located some, and renamed the folders and files with the hope of disabling, still afraid I'll break something that I want in the process

    It seemed better, but not all better, then last night I was directed to a site, something like "hotbar.com..." it was an .asp page. And it launched an install process. I used task manager to end the task, but I think some damage was already done.

    I'm not a super-techie, just basic. Any advice?

    Thanks mucho.
     
  5. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Please Lucy, could you start an new thread, it'll avoid confusion (me especially;))
     
  6. LucyLu

    LucyLu

    Joined:
    Jan 6, 2002
    Messages:
    19
    Sure can. I've started new thread "IE is taken over by UFO's ". Sorry for the interrupt!

    LucyLu
     
  7. sbford

    sbford Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    7
    i do have Hijack This but after I run the scan and hit save log, the file to be saved is a "Log" file and tries to download it in an audio file instead of text. i then get a notice of "corrupt file" appearing and Audioview player appears. interesting too is that a couple of the files i delete from Hijack This after several computer motions re-appear in the files and the hijacking site is back.
     
  8. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Try re-associating .log files with notepad

    Click My computer on the desktop
    Click Tools | Folder Options | File Types tab
    In the Registered File types window, scroll down to LOG and click on it to highlight it

    In the Details for 'LOG' extension section, click Change
    Select Notepad and ensure that Always use the selected program to open this kind of file is checked

    Click OK

    Now try to open the hijack this log
     
  9. sbford

    sbford Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    7
    wow. amazing. thanks.
    so here is the hijack log. interstingly,the R0, F1 and 02 files in the middle i have been deleting, but with a few later keystrokes and a re-scan, the are rejuvinated.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:05:46 PM, on 04/05/2004
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\VOYETRA\AS2\VTRAY.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\DTTOYS\TOYSEL32.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWINDER GDP.EXE
    C:\VSTASCAN\VSACCESS.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\FAMONHKW.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\RESMON.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\FADSKMON.EXE
    C:\PROGRAM FILES\THE HELPSPOT!\FASMTMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\MY DOCUMENTS\HIJACKT1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-web-search.com/4010/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\VOYETRA\AS2\VTRAY.EXE /s
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\SERVICES.EXE
    O4 - Startup: Desktop Toys.lnk = C:\DTToys\Toysel32.exe
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37911.4307523148

    thanks so much for the advice.
     
  10. jameso321

    jameso321

    Joined:
    Jun 26, 2002
    Messages:
    176
    Do any cleaning at all yet with Adware removers?

    Follow these instructions exactly and come back with another HJT log.


    GL


    Download CWShredder Log offline , Close all Browser windows , Check the Taskbar for minimized windows as well , Hit the ''Fix->''button then restart your computer.

    Next , Download Spybot Search & Destroy Open Spybot Search & Destroy (Click Start , Programs , Spybot S&D (Advanced Mode) Click online , Search for updates , Download all available updates. Log offline , Close all Browser windows , Click ''Check for Problems'' , Put a check in every entry Spybot Search & Destroy detects and click ''Fix Selected Problems''.

    Download , Update , Configure , and run Ad-Aware 6 Build 181 following the instructions in the Ad-Aware 6: Reference guide by Winchester73.

    On the IE Toolbar , Click Tools , Internet Options , Security , ''Internet'' , Click ''Default Level'' You want the slider set to Medium. Select ''Restricted Sites'', Click ''Default Level''You want the slider set to High.

    Create a New Folder in C:\ and name it -> ie-spyads . Download IE-SPYAD.ZIP Extract the IE-spyad files to the new C:\IE-spyad Folder , Click Install.bat , Select option #2 (#4 is optional) then exit.

    Install Javacool'sSpywareBlaster v3.0. Press ''Enable all Protection''.

    When you're finished , Rescan Hijack This , Return to this thread and please show us a follow-up scanlog.
     
  11. sbford

    sbford Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    7
    i restarted the computer, went online and the hijacker site did not come up. after several web site changes i went back to the "home" page and it was still MSN.com. i think this worked!!
    i believe the CWzapper program is what killed it. i'd been runing ad aware and spybot and it wasn't eliminating the problem. when i ran the CW program and re-ran Hijack This, those programs that had been continuing to surface were gone.
    thanks so much for all of the advice. you guys are great.
     
  12. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    You're welcome :D
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217208

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice