
[Resolved] Homepage "its gone again!" Frlman1

Discussion in 'Virus & Other Malware Removal' started by turner, Sep 26, 2003.

Thread Status:
Not open for further replies.
  1. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    Can you advise please,
    On my previous problem, you cleaned out my pc of "x rated" home page direct diversions. However, even though I don't go directly to an unwanted homepage, I find that when I come to close my aol connection and clear out my ie temp files etc., there it is again: something called "www.ewebsearch.net" in place of my home page.

    If you go to this site you can see there is an x rated section to this site, so I kind of concluded that this is how my pc keeps getting my favourites filled with unpleasant sites.

    I am still having to clean my favourites out after each visit to the net of unpleasant sites. The difference between my first problem and the one now, is that I do not go directly to the wrong site and I only find my favourites have been added to when I finish surfing. I am now able to reset my ie home page to the msn site by pressing the default button. (I would prefer it to be http://www.aol.co.uk/ but I can't get this to happen either)

    As my pc is directed to this site without my intention, I also felt there must be something still embedded in the registry that is redirecting my pc to do this. But as I haven't got a clue about pc's or what I'm talking about, I'm back again for guidance.

    If this is of any help, I found these functions or whatever you I.T. guys call them in the register and I don't think they look right.

    \HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER =Base URLS "http://www.ss.hostings.com/filez/"

    \HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN = yahoo subst. "****|http://www.ss-hosting.com/cgi-bin/at/out.cgi|http:...

    \HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNETEXPLORER\MAIN search page|bak = "http://searchdesire.com/?p=1

    \HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNETEXPLORER\MAIN search assistant ="C:\WINDOWS\system32\search bar.html"

    \HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNETEXPLORER\SEARCH search assistant_b ="http://www.ewebserach.netsp.htm"

    I also have included the latest HJT scan

    Logfile of HijackThis v1.96.1
    Scan saved at 22:09:24, on 26/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ERASER\ERASER.EXE
    C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
    C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.aol.co.uk/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Disconnect Telebizz Connection (HKLM)
    O9 - Extra 'Tools' menuitem: Disconnect Telebizz Connection (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    Any advice will be warmly received.

    Many thanks, turner
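The log above is what the helpers are reading by eye. As an added example (not the forum's or HijackThis's own code), the script below parses HijackThis-style "R"/"O" entries and flags any entry whose URL host is not on an allow-list of hosts the machine's owner expects. The allow-list and the sample log are constructed: the sample mixes lines from the posted log with two assumed R1 lines built from the Start Page / Search Page values transcribed from the registry above, which is how the redirect hosts would surface in a log that actually recorded them.

```python
"""Triage helper for HijackThis-style scan logs.

Added example for this thread, not the forum's or HijackThis's own code.
It parses the "Rn - ..." and "On - ..." entries into records and flags every
URL whose host is not on an allow-list of hosts the machine's owner expects.
The allow-list and the sample log are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Hosts this owner expects IE settings to point at (constructed allow-list).
EXPECTED_HOSTS = {
    "www.aol.co.uk",
    "www.msn.com",
    "v4.windowsupdate.microsoft.com",
    "download.macromedia.com",
}

# "R0 - HKCU\...\Main,Local Page = http://..."  /  "O16 - DPF: {CLSID} (name) - http://..."
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r'https?://[^\s"|]+')

# Constructed sample: genuine lines from the posted log plus two assumed R1 lines.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Scan saved at 23:15:16, on 26/09/03

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchdesire.com/?p=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ewebsearch.net/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""


def parse_hjt_log(text):
    """Return one dict per R/O entry: section, body and the URLs found in it."""
    records = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            body = m.group("body")
            records.append({"section": m.group("section"), "body": body,
                            "urls": URL_RE.findall(body)})
    return records


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def flag_unexpected(records, expected=EXPECTED_HOSTS):
    """(section, host, body) for every entry whose URL host is off the allow-list."""
    flagged = []
    for rec in records:
        for url in rec["urls"]:
            host = host_of(url)
            if host and host not in expected:
                flagged.append((rec["section"], host, rec["body"]))
    return flagged


if __name__ == "__main__":
    for section, host, body in flag_unexpected(parse_hjt_log(SAMPLE_LOG)):
        print(f"{section}: {host}  <- {body}")
```

Hosts are compared exactly, so the allow-list has to be maintained deliberately; the CLSIDs in O2/O3/O16 entries are the other thing a reviewer checks, against a known-good list this example does not carry.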
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi turner

    Let's get your HijackThis updated to the latest version and see the log from it. The new version may show more.

    Open HJT and click on the "Config" tab in the bottom left corner then click on "Misc tools" and "Check for update online" and download the latest version. Scan again and post that log.
     
  3. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    To flrman1
    latest log
    Logfile of HijackThis v1.97.2
    Scan saved at 23:15:16, on 26/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ERASER\ERASER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
    C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.aol.co.uk/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Disconnect Telebizz Connection (HKLM)
    O9 - Extra 'Tools' menuitem: Disconnect Telebizz Connection (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Well that log doesn't show anything different.

    Let's give CWShredder a shot.

    Click on the link below and it will download CWShredder. Close all browser windows. Unzip it and click on the cwshredder.exe and let it do its thing.

    http://www.spychecker.com/download/download_cwshredder.html

    When it is finished restart your computer.

    Check to see if anything has changed. CWShredder should target those registry entries and remove them.
     
  5. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    Checked the registry and nothing appears to have been removed from the list I gave above, but this is what the shredder program did:
    0 registry values were killed
    - Hostsfile was OK
    - Bootconf.exe was not present
    - Trusted Zone was OK
    - User stylesheet was OK
    - Oemsyspnp.inf was not present
    - Svchost32.exe was not present
    - Msspi.dll Winsock hook was not present
    - Msinfo.exe was not present
    - Winshow.dll BHO was not present
    - MadFinder BHO was not present
    - Ctfmon32.exe was not present
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Hi Turner, Mark's a bit under the weather with the flu and has asked me to pitch in here.

    I think you're on the right track with those registry finds. I would right click on each entry as you see them in the right hand pane and select "delete".

    I would then go to Internet Options > Programs tab and click the "reset web settings" option to restore all original defaults. You may have to reset your home page after that. An easy way to set a Homepage is just to go there via the address bar and then drag and drop the address page on the Home icon in IE.

    And if you haven't already you should search the entire registry for the keyword string:

    ewebserach

    and delete all hits you find. Start your search with the file tree completely collapsed and "My Computer" highlighted and press F3 to continue after every hit.

    The HijackThis Scanlog is not really showing anything and I don't know how this is getting reset.

    Does it reset automatically after a reboot? Or simply on opening and closing IE without going any place other than your default homepage? Can you associate the change with any particular site that you visit?

    Also, one of the ways in which CoolWebSearch gets installed, according to Merijn, the author of the "shredder", is a vulnerability in Microsoft's Virtual Machine, which applies to all versions up to 3809.

    To see what version you have, open a command shell (Start > Run: cmd) and enter:

    jview

    If you don't have version 3810 you can get it here:

    http://www2.whidbey.com/djdenham/VM.htm
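The registry sweep described above (Find on "ewebserach", F3 after every hit) can also be done offline over an export of the registry, which leaves a record of what was found before anything is deleted. As an added example, not the forum's or any tool's code, the script below parses a .reg file in the REGEDIT4 format that regedit on Windows 98 writes (File > Export) and reports every key path, value name and value data containing a keyword, including text stored as hex(2)/hex binary data, which a plain text search of the file would miss. The sample export is constructed from the values turner transcribed; the HKLM Software ewebsearch key and the hex-encoded SearchAssistant value are assumptions made for the example.

```python
"""Offline keyword search over a Windows registry export (.reg, REGEDIT4).

Added example for this thread, not the forum's or any tool's own code.  It
reports every key path, value name and value data containing the keyword,
decoding quoted strings, dword values and hex data (where ANSI text can hide).
The sample export is constructed; the HKLM key and hex value are assumptions.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(?P<bytes>[0-9a-fA-F,]*)$")

# Constructed sample export (values from the thread plus two assumed entries).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.aol.co.uk/"
"Search Page"="http://searchdesire.com/?p=1"
"Search Bar"="C:\\WINDOWS\\system32\\search bar.html"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"=hex(2):68,74,74,70,3a,2f,2f,77,77,77,2e,65,77,65,62,73,65,\
  61,72,63,68,2e,6e,65,74,2f,00

[HKEY_LOCAL_MACHINE\Software\ewebsearch]
"Installed"=dword:00000001
"""


def _unescape(s):
    # .reg strings double backslashes and escape embedded quotes
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _join_continuations(lines):
    """Merge hex data wrapped over several lines with a trailing backslash."""
    out, buf = [], ""
    for line in lines:
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line.strip() if buf else line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def decode_data(data):
    """str for quoted strings, int for dword, bytes for hex data, else the raw text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        return bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    return data


def parse_reg_export(text):
    """Yield (key, None, None) for each key header and (key, name, data) for each value."""
    key = None
    for line in _join_continuations(text.splitlines()):
        if not line or line[0] == ";" or line.startswith("REGEDIT"):
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            yield key, None, None
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            raw_name = vm.group("name")
            name = "(Default)" if raw_name == "@" else _unescape(raw_name[1:-1])
            yield key, name, decode_data(vm.group("data"))


def find_keyword(text, keyword):
    """Case-insensitive hits as (key, value_name, where); where is key, name or data."""
    kw = keyword.lower()
    hits = []
    for key, name, data in parse_reg_export(text):
        if name is None:
            if kw in key.lower():
                hits.append((key, None, "key"))
            continue
        if kw in name.lower():
            hits.append((key, name, "name"))
        if isinstance(data, bytes):
            text_data = data.decode("latin-1")  # ANSI text hidden in hex data
        else:
            text_data = data if isinstance(data, str) else ""
        if kw in text_data.lower():
            hits.append((key, name, "data"))
    return hits


if __name__ == "__main__":
    for key, name, where in find_keyword(SAMPLE_REG, "ewebsearch"):
        print(f"[{key}] {name or ''}  ({where})")
```

The match is a plain substring, so spelling matters: the search string given above is "ewebserach", the spelling in the value turner transcribed, while the site itself is ewebsearch.net, and running both is cheap. Review the hit list before deleting anything; a hit inside a legitimate product's data is the usual false positive.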
     
  7. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    to Rollin'Rog,
    I have cleared out the registry points listed and I think you are right about it possibly having something to do with certain sites visited setting off a reaction. I will test out the theory and, all being well now that the register has been altered, the hijacking should occur. Thank you for your help. Can I add onto this thread again if I need further support, or do I just start a new thread off? Cheers, turner
     
  8. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    Correction: I meant "should not occur" in the last posting.
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Keep with this one for continuity. It's easier to see what has been done previously.

    Good luck. Did you check your Virtual Machine version?
     
  10. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    It appears that my homepage is remaining intact. Thank you to both of you who helped me get there.
    In response to your question about my Virtual Machine version: when I gave the command you described, I briefly observed a black screen appearing, but it kept disappearing and I couldn't read it. Could you talk me through the process again (idiot style fashion), and could you tell me what my virtual machine is and what it does?
     
  11. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    I have found my version of Virtual Machine and it is 3809, so I will take your advice and download 3310 version. I would still appreciate an explanation of what this program does.
    many thanks,
    turner
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Virtual Machine is Microsoft's implementation of Java. They no longer support it except to occasionally provide Security updates for the recently exposed vulnerabilities.

    Another option is to use Sun Java's Java plugin, but I think it's best to have the security hole in Microsoft's plugged anyway. You will be installing version 3810. After rebooting, just open a command prompt and check the new version number by entering jview again.

    You must open the command window first, you cannot enter jview from Start> Run.

    I inadvertently gave you the directions for XP. In Win98, to open a command prompt window, go to Start > Run and enter: command
     
  13. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    Thanks again for all your help. I have downloaded the 3810 version and am about to restart the pc.
    What an excellent idea this forum is.
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're most welcome. All the "heavy lifting" was done before me, but I'll put a 'resolved' on this, at least until we hear further from you.
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm glad to see you got it sorted out turner. (y)

    Thanks for helping out Rog. :)
     
Short URL to this thread: https://techguy.org/167687

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice