[Resolved] Homepage "it's gone again!" Frlman1

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
Can you advise please,
On my previous problem, you cleaned out my PC of "x rated" home page direct diversions. However, even though I don't go directly to an unwanted homepage, I find that when I come to close my AOL connection and clear out my IE temp files etc., there it is again: something called "www.ewebsearch.net" in place of my home page.

If you go to this site you can see there is an x rated section to this site, so I kind of concluded that this is how my pc keeps getting my favourites filled with unpleasant sites.

I am still having to clean my favourites out after each visit to the net of unpleasant sites. The difference between my first problem and the one now is that I do not go directly to the wrong site, and I only find my favourites have been added to when I finish surfing. I am now able to reset my IE home page to the MSN site by pressing the default button. (I would prefer it to be http://www.aol.co.uk/ but I can't get this to happen either.)

As my PC is directed to this site without my intention, I also felt there must be something still embedded in the registry that is redirecting my PC to do this. But as I haven't got a clue about PCs or what I'm talking about, I'm back again for guidance.

If this is of any help, I found these functions, or whatever you I.T. guys call them, in the register, and I don't think they look right.

\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER =Base URLS "http://www.ss.hostings.com/filez/"

\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN = yahoo subst. "****|http://www.ss-hosting.com/cgi-bin/at/out.cgi|http:...

\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNETEXPLORER\MAIN search page|bak = "http://searchdesire.com/?p=1

\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNETEXPLORER\MAIN search assistant ="C:\WINDOWS\system32\search bar.html"

\HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNETEXPLORER\SEARCH search assistant_b ="http://www.ewebserach.netsp.htm"

I also have included the latest HJT scan.

Logfile of HijackThis v1.96.1
Scan saved at 22:09:24, on 26/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.aol.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Disconnect Telebizz Connection (HKLM)
O9 - Extra 'Tools' menuitem: Disconnect Telebizz Connection (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Any advice will be warmly received.

Many thanks, turner
 
Joined
Jul 26, 2002
Messages
46,331
Hi turner

Let's get your HijackThis updated to the latest version and see the log from it. The new version may show more.

Open HJT and click on the "Config" tab in the bottom left corner then click on "Misc tools" and "Check for update online" and download the latest version. Scan again and post that log.
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
To flrman1
Latest log:
Logfile of HijackThis v1.97.2
Scan saved at 23:15:16, on 26/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.aol.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Disconnect Telebizz Connection (HKLM)
O9 - Extra 'Tools' menuitem: Disconnect Telebizz Connection (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 
Joined
Jul 26, 2002
Messages
46,331
Well that log doesn't show anything different.

Let's give CWShredder a shot.

Click on the link below and it will download CWShredder. Close all browser windows. Unzip it and click on the cwshredder.exe and let it do its thing.

http://www.spychecker.com/download/download_cwshredder.html

When it is finished restart your computer.

Check to see if anything has changed. CWShredder should target those registry entries and remove them.
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
Checked the registry and nothing appears to have been removed from the list I gave above, but this is what the shredder program did:
0 registry values were killed
- Hostsfile was OK
- Bootconf.exe was not present
- Trusted Zone was OK
- User stylesheet was OK
- Oemsyspnp.inf was not present
- Svchost32.exe was not present
- Msspi.dll Winsock hook was not present
- Msinfo.exe was not present
- Winshow.dll BHO was not present
- MadFinder BHO was not present
- Ctfmon32.exe was not present
 
Joined
Dec 9, 2000
Messages
45,855
Hi Turner, Mark's a bit under the weather with the flu and has asked me to pitch in here.

I think you're on the right track with those registry finds. I would right click on each entry as you see them in the right hand pane and select "delete".

I would then go to Internet Options > Programs tab and click the "reset web settings" option to restore all original defaults. You may have to reset your home page after that. An easy way to set a Homepage is just to go there via the address bar and then drag and drop the address page on the Home icon in IE.

And if you haven't already you should search the entire registry for the keyword string:

ewebserach

and delete all hits you find. Start your search with the file tree completely collapsed and "My Computer" highlighted, and click F3 to continue after every hit.

The HijackThis Scanlog is not really showing anything and I don't know how this is getting reset.

Does it reset automatically after a reboot? Or simply on opening and closing IE without going any place other than your default homepage? Can you associate the change with any particular site that you visit?

Also, one of the ways in which CoolWebSearch gets installed, according to Merijn, the author of the "shredder", is a vulnerability in Microsoft's Virtual Machine which applies to all versions up to 3809.

To see what version you have, open a command shell (Start > Run: cmd) and enter:

jview

If you don't have version 3810 you can get it here:

http://www2.whidbey.com/djdenham/VM.htm
 
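A defender-side way to check what this thread does by hand, as an added example that is not part of the original posts and not HijackThis's or CWShredder's own code: the script below scans HijackThis-style R0/R1 and O16 lines, plus raw Internet Explorer registry values like the ones turner listed, and flags any start/search-page setting that points at a host outside a small allowlist or at a local HTML file. The allowlist (`TRUSTED_HOSTS`) and the sample log lines are constructed for illustration; the registry value names and URLs in `SAMPLE_REGISTRY` are copied from turner's post, with the truncated entry trimmed to its complete part.

```python
"""Flag Internet Explorer home/search-page hijacks in HijackThis-style log lines
and in raw IE registry values.

Added example for this thread, not the forum's, HijackThis's or CWShredder's code.
The allowlist below and the sample inputs are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts this machine's owner actually expects IE or ActiveX downloads to use (constructed).
TRUSTED_HOSTS = {
    "www.aol.co.uk",
    "www.msn.com",
    "download.macromedia.com",
    "v4.windowsupdate.microsoft.com",
}

# HijackThis R0/R1 lines look like: R0 - HKCU\...\Main,Start Page = http://...
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# HijackThis O16 (Downloaded Program Files / ActiveX) lines end with " - <url>"
O16_LINE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def host_of(data):
    """Return the lowercase host of an http(s) URL, or None for local paths and non-URLs."""
    parsed = urlparse(data.strip().strip('"'))
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return parsed.netloc.lower()
    return None


def audit_hjt_lines(lines, trusted=TRUSTED_HOSTS):
    """Return (line, reason) findings for IE page settings and ActiveX downloads."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = R_LINE.match(line)
        if m:
            data = m.group("data").strip()
            host = host_of(data)
            if host is None:
                # A page setting that is neither a URL nor about:* (e.g. a local .html) is suspicious.
                if data and not data.lower().startswith("about:"):
                    findings.append((line, "IE page setting points at a non-URL value"))
            elif host not in trusted:
                findings.append((line, f"IE page setting points at untrusted host {host}"))
            continue
        m = O16_LINE.match(line)
        if m:
            host = host_of(m.group("url"))
            if host not in trusted:
                findings.append((line, f"ActiveX control downloaded from untrusted host {host}"))
    return findings


def audit_registry_values(values, trusted=TRUSTED_HOSTS):
    """values: {value_name: data}. Data may hold several '|'-separated URLs."""
    findings = []
    for name, data in values.items():
        for part in data.split("|"):
            host = host_of(part)
            if host is not None and host not in trusted:
                findings.append((name, f"references untrusted host {host}"))
            elif host is None and part.strip().strip('"').lower().endswith(".html"):
                findings.append((name, "points at a local HTML file instead of a URL"))
    return findings


# Constructed sample log: the first and fourth lines are from turner's log, the others are made up
# from the registry values turner reported.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.aol.co.uk/",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ewebsearch.net/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchdesire.com/?p=1",
    "O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - "
    "http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
]

# Registry values as turner posted them (the truncated 'yahoo subst.' entry trimmed to its complete part).
SAMPLE_REGISTRY = {
    "Base URLS": "http://www.ss.hostings.com/filez/",
    "yahoo subst.": "****|http://www.ss-hosting.com/cgi-bin/at/out.cgi",
    "search page|bak": "http://searchdesire.com/?p=1",
    "search assistant": r'"C:\WINDOWS\system32\search bar.html"',
    "Local Page": "http://www.aol.co.uk/",
}

if __name__ == "__main__":
    for item, reason in audit_hjt_lines(SAMPLE_LOG) + audit_registry_values(SAMPLE_REGISTRY):
        print(f"{reason}: {item}")
```

Run stand-alone it prints the two hijacked page settings from the sample log and four of the five registry values; only the AOL "Local Page" entry passes, which matches what the thread's HijackThis log showed (the hijack lived in values HijackThis 1.96/1.97 did not report, so an audit of the raw values catches what the R0 line alone did not).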

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
to Rollin'Rog,
I have cleared out the registry points listed and I think you are right about it possibly having something to do with certain sites visited setting off a reaction. I will test out the theory, and all being well, now that the register has been altered the hijacking should occur. Thank you for your help. Can I add onto this thread again if I need further support, or do I just start a new thread off? Cheers, turner
 
Joined
Dec 9, 2000
Messages
45,855
Keep with this one for continuity. It's easier to see what has been done previously.

Good luck. Did you check your Virtual Machine version?
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
It appears that my homepage is remaining intact. Thank you to both of you who helped me get there.
In response to your question about my Virtual Machine version: when I gave the command you described, I briefly observed a black screen appearing, but it kept disappearing and I couldn't read it. Could you talk me through the process again (idiot style fashion), and could you tell me what my virtual machine is and what it does?
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
I have found my version of Virtual Machine and it is 3809, so I will take your advice and download the 3310 version. I would still appreciate an explanation of what this program does.
Many thanks,
turner
 
Joined
Dec 9, 2000
Messages
45,855
Virtual Machine is Microsoft's implementation of Java. They no longer support it except to occasionally provide Security updates for the recently exposed vulnerabilities.

Another option is to use Sun Java's Java plugin, but I think it's best to have the security hole in Microsoft's plugged anyway. You will be installing version 3810. After rebooting, just open a command prompt and check the new version number by entering jview again.

You must open the command window first, you cannot enter jview from Start> Run.

I inadvertently gave you the directions for XP; in Win98, to open a command prompt window, go to Start > Run and enter: command
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
Thanks again for all your help. I have downloaded the 3810 version and am about to restart the PC.
What an excellent idea this forum is.
 
Joined
Dec 9, 2000
Messages
45,855
You're most welcome. All the "heavy lifting" was done before me, but I'll put a 'resolved' on this, at least until we hear further from you.
 
Joined
Jul 26, 2002
Messages
46,331
I'm glad to see you got it sorted out turner. (y)

Thanks for helping out Rog. :)
 