
IE resets homepage every time I restart my comp

Discussion in 'Windows XP' started by bunis3, Oct 13, 2003.

Thread Status:
Not open for further replies.
  1. bunis3

    bunis3 Thread Starter

    Joined:
    Aug 30, 2003
    Messages:
    18
    Every time I restart, my homepage resets to some other site.... Any idea what's causing this? Here's the log

    Logfile of HijackThis v1.97.2
    Scan saved at 4:28:59 PM, on 10/13/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
    C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\JONCHE~1\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Jon Chen\Application Data\winshow\winshow.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Documents and Settings\Jon Chen\Desktop\b\FlashGet\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
    O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MSupdater.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jon Chen\Desktop\b\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jon Chen\Desktop\b\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37506.3603935185
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D1A2C97-4C6B-4A57-881B-A759CADC763D}: NameServer = 168.95.192.1,168.95.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88BD3475-EB67-45CE-8576-51FB0CE10493}: NameServer = 168.95.192.1,168.95.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A14DC5DF-4055-4B21-B8F2-C799DAE92D1C}: NameServer = 168.95.192.1,168.95.1.1
    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll

    thanks!
     
  2. Dan O

    Dan O

    Joined:
    Feb 13, 1999
    Messages:
    8,974
    Have you tried Tweak UI to Repair IE?

    If you don't have it you can download it from Microsoft.
     
  3. bunis3

    bunis3 Thread Starter

    Joined:
    Aug 30, 2003
    Messages:
    18
    OK, just downloaded it
    can't see how it could help though
    what exactly should I do with it?
     
  4. fweaver

    fweaver

    Joined:
    Oct 13, 2003
    Messages:
    28
    Is the home page changed to the same (some other site) site? This could be the work of some rogue script file if you are sent to the same web site no matter what you set as the home page.

    If it is a different site each time -- You may need to re-install IE 6.

    Frank
     
  5. bunis3

    bunis3 Thread Starter

    Joined:
    Aug 30, 2003
    Messages:
    18
  6. bunis3

    bunis3 Thread Starter

    Joined:
    Aug 30, 2003
    Messages:
    18
    Oh yeah, also
    how do I get rid of winshow? Can't seem to find the folder it is in to delete it
     
  7. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Run Hijack This again and have it FIX these entries:

    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Jon Chen\Application Data\winshow\winshow.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Documents and Settings\Jon Chen\Desktop\b\FlashGet\jccatch.dll

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D1A2C97-4C6B-4A57-881B-A759CADC763D}: NameServer = 168.95.192.1,168.95.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88BD3475-EB67-45CE-8576-51FB0CE10493}: NameServer = 168.95.192.1,168.95.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A14DC5DF-4055-4B21-B8F2-C799DAE92D1C}: NameServer = 168.95.192.1,168.95.1.1

    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll





    Then Delete Temp files, Cookies and offline content. To do this,
    Open Internet Explorer/Tools/Internet Options/delete cookies/delete files
    select off-line content/clear history.


    Download Adaware from here

    Go here http://www.lavasoftusa.com/software/adaware/

    Make sure you select "Check for updates now" and get the latest reference files.

    Run Adaware and hit the Scan now button, make sure Activate indepth scan is selected and then
    hit next. After the scan has completed delete everything it finds.

    Restart your computer.

    Then Download Spybot search & destroy from here. Read the instructions while you're there.

    http://tomcoyote.org/SPYBOT/index1.html

    Install the program (Close all browser windows) and run it.

    Before scanning press "Online" and "Search for Updates"

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds in red.

    Restart your computer.

    Post another Hijack Log.
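
Added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over a HijackThis-format log, using a few lines from the log posted above as sample input. The three heuristics (a BHO loading from a user profile directory, a bare executable in Global Startup, an O17 DNS override) are assumptions chosen for illustration; a hit means the entry deserves a manual look, not that it is malicious.

```python
import re

# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Jon Chen\Application Data\winshow\winshow.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Documents and Settings\Jon Chen\Desktop\b\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MSupdater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D1A2C97-4C6B-4A57-881B-A759CADC763D}: NameServer = 168.95.192.1,168.95.1.1
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")            # "O2 - <detail>"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\", re.I)

def parse(log):
    """Split a HijackThis log into (section, detail) pairs; skip other lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def triage(log):
    """Return (section, reason, detail) for entries worth a manual look."""
    findings = []
    for section, detail in parse(log):
        if section == "O2":
            m = BHO.match(detail)
            # Browser add-ons normally install under Program Files or System32.
            if m and USER_PROFILE.match(m.group(3)):
                findings.append((section, "BHO loads from a user profile directory", detail))
        elif section == "O4" and detail.startswith("Global Startup:"):
            # Startup-folder items are usually shortcuts ("name.lnk = target").
            if "=" not in detail:
                findings.append((section, "bare executable in the Startup folder", detail))
        elif section == "O17":
            findings.append((section, "DNS server override; confirm it belongs to the ISP", detail))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {detail}")
```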
     
  8. PlatinumDrag

    PlatinumDrag

    Joined:
    Oct 15, 2003
    Messages:
    49
    Restore back to before you have been getting this search page. Next time run spyblaster when you visit those kinds of pages and you won't have this happen again.

    Most folks are amazed how corrupt their systems become and bring them to the shop for service.
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Definitely not! [Just my opinion]
    You are better dealing with the problem because it may happen again and you will know what to do if or when it does.

    Bunis3.....Add this to EvileYe's list.
    O4 - Global Startup: MSupdater.exe

    Shabba!;)
     
  10. PlatinumDrag

    PlatinumDrag

    Joined:
    Oct 15, 2003
    Messages:
    49
    That is the problem, spyware. That page was installed and changed automatically by visiting sites.

    Normally you could just go in under IE tools and reset it, but if the spyware is still there so will the page the next time you open it. If you are unable to locate this then you have to restore before the site was visited, this removes the spyware.

    P.S. your link for ad-aware is no longer worth it, the person who bought the program allows his spyware to be installed. Should you feel the need to keep this then fine, just have a secondary program.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Platinum....
    We would rather teach posters how to find and remove crapware from their systems and how to prevent re-infections.....Sys restore is fine and an excellent idea but if you don't know how you got here then you're gonna be a regular visitor to these forums.....no slight at all on you my friend.
    ..............Two programs...I'm not sure you're aware of but will may you in the shop........."spywareguard" and "spywareblaster"
    Kept updated will stop most spy/add/foistware from stealth installing.
    http://www.javacoolsoftware.com/spywareblaster.html

    ;)
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Mind you.....................you may get less business:D
     
  13. Aftab

    Aftab

    Joined:
    Oct 15, 2003
    Messages:
    72
    If this is only happening once you have restarted Windows then it's possible that on startup Windows is importing a registry file which sets your default page to search.com. Search your machine for a suspicious file with a ".REG" extension and then search the registry for that filename.
     

Short URL to this thread: https://techguy.org/171590
