
Homepage keeps changing?!

Discussion in 'Virus & Other Malware Removal' started by LOZ, Oct 19, 2003.

Thread Status:
Not open for further replies.
  1. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    I have IE 6 and my homepage keeps changing when I turn my computer back on (when it's been off for a while).

    Somebody, please help!

    LOZ
     
  2. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    First delete temp files, cookies and offline content. To do this,
    open Internet Explorer / Tools / Internet Options / Delete Cookies / Delete Files,
    select offline content, then Clear History.


    Download cwshredder from here

    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Close all browser windows (including minimized windows)
    Run cwshredder

    When it is finished Reboot your computer.

    Download Adaware from here

    Go here http://www.lavasoftusa.com/software/adaware/

    Make sure you select "Check for updates now" and get the latest reference files.

    Run Adaware and hit the Scan now button, make sure Activate indepth scan is selected and then
    hit next. After the scan has completed delete everything it finds.

    Restart your computer.

    Then Download Spybot search & destroy from here. Read the instructions while you're there.

    http://tomcoyote.org/SPYBOT/index1.html

    Install the program (Close all browser windows) and run it.

    Before scanning press "Online" and "Search for Updates"

    Put a check mark at all updates and install them.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds in red.

    Restart your computer.

    Download "Hijack this" from here

    http://www.tomcoyote.org/hjt/


    Once you have unzipped it and have it running, hit the Scan button. When the scan is finished the button will change to a Save Log button; click it and a Notepad window will open. Copy and paste all of the log contents in here and someone will look at it for you.
     
  3. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    Cheers for that, EvileYe. It sure seemed like a pretty extensive set of instructions for the problem I have, but I did follow it to the letter.

    Here are my HD results from the HijackThis program:

    Logfile of HijackThis v1.97.3
    Scan saved at 11:43:53, on 19.10.2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\SVCINIT.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\APPS\ACTIVBOARD\MMKEYBD.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
    C:\OHJELMATIEDOSTOT\VOICEAGE\COMMON\VACTRL.EXE
    C:\OHJELMATIEDOSTOT\VOICEAGE\COMMON\VALANGINTERF.EXE
    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\CD_LOAD.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\APPS\ACTIVBOARD\TRAYMON.EXE
    C:\APPS\ACTIVBOARD\OSD.EXE
    C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masellaonline.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F1 - win.ini: run=C:\WINDOWS\svcinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\APPS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EW Message Server] msg32.exe
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [InCD] C:\Ohjelmatiedostot\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Ohjelmatiedostot\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ExePath] C:\pc_protect_21a\syspcp.exe
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\OHJELMATIEDOSTOT\HOMEKEYLOGGER\KEYLOGGER.EXE
    O4 - HKLM\..\Run: [VaCtrl] C:\Ohjelmatiedostot\VoiceAge\Common\VaCtrl.exe
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Ohjelmatiedostot\Jetico\BCWipe\BCWipeTM.exe" startup
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Ohjelmatiedostot\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - HKCU\..\Run: [Update Service] "C:\Ohjelmatiedostot\Yhteiset tiedostot\Teknum Systems\update.exe" /startup
    O4 - Startup: Office Startup.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Suorita Windows-päivityksen tiedosto Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Ohjelmatiedostot\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\OHJELM~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\OHJELM~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/6d2f308e1bcfa7/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = keihas.ton.tut.fi
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.166.80.16

    Can anyone tell me what to do next? Thanks in advance!

    LOZ
     
  4. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    I will leave your log for someone with more expertise.
    Have you installed a Key logging program ?

    This line: O4 - HKLM\..\Run: [HomeKeyLogger] C:\OHJELMATIEDOSTOT\HOMEKEYLOGGER\KEYLOGGER.EXE

    refers to a key logger running, but I am unsure whether you installed it or not.
    If not it might be wise to have this thread moved to the security forum.
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,149
    First Name:
    Derek
    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows and press Fix Checked.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    F1 - win.ini: run=C:\WINDOWS\svcinit.exe
    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
    O4 - HKLM\..\Run: [ExePath] C:\pc_protect_21a\syspcp.exe
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - Startup: Office Startup.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Suorita Windows-päivityksen tiedosto Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Ohjelmatiedostot\LimeShop\System\Temp\limeshop_script0.htm

    Reboot and delete:
    C:\WINDOWS\SYSTEM\svcinit.exe
    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    C:\Ohjelmatiedostot\LimeShop\System\Temp\limeshop_script0.htm
    C:\WINDOWS\SYSTEM\DREPLACE.DLL
    C:\WINDOWS\SYSTEM\CD_LOAD.EXE

    If you installed the keylogger yourself then leave it; otherwise fix this also:
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\OHJELMATIEDOSTOT\HOMEKEYLOGGER\KEYLOGGER.EXE
     
  6. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    To EvileYe:

    Thanks again for your help. Yes, I installed a keylogger long ago and thought I'd deleted all traces of it. Thanks to hijackthis it seems I really have gotten rid of it now. :)

    To dvk01:

    Thanks for your help. With hijackthis I got rid of everything you told me to get rid of... EXCEPT:

    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL

    Every time I try to get shot of that file (and I've tried three times!), I get the infamous Windows blue screen of death.

    My hijackthis log now looks like this:

    Logfile of HijackThis v1.97.3
    Scan saved at 15:09:04, on 19.10.2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\APPS\ACTIVBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
    C:\OHJELMATIEDOSTOT\VOICEAGE\COMMON\VACTRL.EXE
    C:\OHJELMATIEDOSTOT\VOICEAGE\COMMON\VALANGINTERF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\APPS\ACTIVBOARD\TRAYMON.EXE
    C:\APPS\ACTIVBOARD\OSD.EXE
    C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masellaonline.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\APPS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EW Message Server] msg32.exe
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [InCD] C:\Ohjelmatiedostot\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Ohjelmatiedostot\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [VaCtrl] C:\Ohjelmatiedostot\VoiceAge\Common\VaCtrl.exe
    O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Ohjelmatiedostot\Jetico\BCWipe\BCWipeTM.exe" startup
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Ohjelmatiedostot\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Update Service] "C:\Ohjelmatiedostot\Yhteiset tiedostot\Teknum Systems\update.exe" /startup
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\OHJELM~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\OHJELM~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\OHJELM~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/6d2f308e1bcfa7/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = keihas.ton.tut.fi
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.166.80.16

    What to do now?
    Shall I continue with the rest of your instructions (i.e. reboot and manually delete)?

    Also, as a result of this operation, my program folder is now full of "backup" files. Can I delete those?

    Cheers!

    LOZ
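    The two HijackThis logs in this thread (the first one above, and the one in this post after dvk01's fix list was applied) are a small worked case of what a malware-removal helper does by eye: read each entry, flag the ones that look like a hijacker or adware, and check afterwards which flagged entries are gone. The following is an added example, not code from this thread or from HijackThis itself. It parses the Rn/Fn/On line format, applies a few reviewer rules taken from dvk01's and EvileYe's posts (the known-bad filenames are the ones dvk01 listed; treating the HKCU start page as user-set is an assumption, since nobody in the thread says who set it), and diffs the before and after logs. The sample lines are a subset copied from the two logs above.

```python
import re
from dataclasses import dataclass

# Subset of the first HijackThis log in this thread (post 3).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masellaonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\APPS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HomeKeyLogger] C:\OHJELMATIEDOSTOT\HOMEKEYLOGGER\KEYLOGGER.EXE
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Ohjelmatiedostot\LimeShop\System\Temp\limeshop_script0.htm
"""

# Subset of the second log (post 6), after the "fix checked" run.
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masellaonline.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\APPS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
"""

# Filenames the helpers in this thread told the poster to fix/delete.
KNOWN_BAD = ("svcinit.exe", "dreplace.dll", "cd_load.exe",
             "p2p networking.exe", "syspcp.exe", "limeshop_script0.htm")

# Assumption: the HKCU start page was left alone by the helpers, so we treat
# it as the page the user set; a real review would ask the user.
DEFAULT_EXPECTED_START_PAGES = ("http://www.masellaonline.com/",)

# HijackThis entry: a section code (R0, F1, O4 ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<detail>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str    # HijackThis section code, e.g. "R0", "O4"
    detail: str  # everything after the "Xn - " prefix


def parse_log(text):
    """Return the Entry objects found in a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("detail")))
    return entries


def start_page_url(entry):
    """For R0/R1 entries, the URL after the '=' (empty if there is none)."""
    return entry.detail.split("=", 1)[1].strip() if "=" in entry.detail else ""


def flag(entries, expected_start_pages=DEFAULT_EXPECTED_START_PAGES):
    """Return (entry, reason) pairs for entries a reviewer would look at.

    Each rule is independent, so one entry can carry several reasons.
    """
    expected = {u.lower() for u in expected_start_pages}
    findings = []
    for e in entries:
        d = e.detail.lower()
        if e.kind in ("R0", "R1") and start_page_url(e).lower() not in expected:
            findings.append((e, "start page not set by user"))
        if e.kind == "F1":
            # win.ini run= is a legacy autostart that modern installers rarely use
            findings.append((e, "win.ini autostart"))
        if any(bad in d for bad in KNOWN_BAD):
            findings.append((e, "known hijacker/adware file"))
        if e.kind == "O2" and "(file missing)" in d:
            findings.append((e, "orphaned BHO entry"))
        if "keylog" in d:
            findings.append((e, "keylogger autostart; confirm it is yours"))
    return findings


def review(before_text, after_text, expected_start_pages=DEFAULT_EXPECTED_START_PAGES):
    """Flag the first log, then report what disappeared and what is still flagged."""
    before = parse_log(before_text)
    after = parse_log(after_text)
    return {
        "before_findings": flag(before, expected_start_pages),
        "removed": [e for e in before if e not in after],
        "after_findings": flag(after, expected_start_pages),
    }


if __name__ == "__main__":
    result = review(LOG_BEFORE, LOG_AFTER)
    for e, reason in result["before_findings"]:
        print(f"[before] {reason}: {e.kind} - {e.detail}")
    for e in result["removed"]:
        print(f"[removed] {e.kind} - {e.detail}")
    for e, reason in result["after_findings"]:
        print(f"[still present] {reason}: {e.kind} - {e.detail}")
```

Run on the two subsets, the "still present" list is exactly the two entries the thread ends up discussing: the DREPLACE.DLL BHO that would not fix, and the orphaned Acrobat BHO (harmless, just a stale registration). The keylogger rule only asks the user to confirm, which matches how EvileYe and dvk01 handled it.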
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Leave the backups for a moment.
    Go here: http://www.mjc1.com/files/mo/
    Download the svcinit fix.

    "This script is for restoring the WinlogonUserInit reg value after being infected by the svcinit/dreplace hijacker...svcinit"
    These scripts are brought to you by Mosaic1 ;)

    Reboot into safe mode, run H/T again and "fix":
    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
    Let us know how it goes.
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Steve you might want to check with Mo' on whether the patch applies to WinME systems. I know the winlogon key does not exist in 98.

    There is probably no harm in applying it one way or another since if it isn't used it would just be irrelevant anyway.
     
  9. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    $teve:

    I downloaded (from http://www.mjc1.com/files/mo/) and ran the svcinit file. Next you said, "Reboot and run in safe mode". What's safe mode?

    LOZ
     
  10. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Tap the F8 key while starting the computer, then choose Safe Mode.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Rog, thanx for that. I wasn't sure myself.
    I PM'd Mo about it and I'll let you know as soon as I do.
    ;)
     
  12. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    Tried F8 on start-up but that didn't work (it just took me to some screen about the drives [floppy etc.]).

    Also tried F2 on start-up to go to BIOS but I couldn't find anything about "safe mode".

    Also went to HijackThis and tried to delete that file (again!), but every time I now try that, the computer just jams (no more blue screen) and I have to pull the plug.

    I reckon I'll just have to live with lil' ol':

    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL

    Anyways, I reckon the problem I wanted fixed has been fixed...

    So long and thanks for all the fish!

    LOZ
     

Short URL to this thread: https://techguy.org/173025
