Computer Support Forum

AWOLA + Hijacked IE Home Page + others...

Question: AWOLA + Hijacked IE Home Page + others...

Hi everyone-

I'm trying to help my younger brother get his computer functioning properly.

Within the last couple of weeks, he's acquired the AWOLA problem, the machine runs incredibly slow and also his home page starts out at something completely different even though we've changed it back many times.

I've gone through the 5 steps and this is what I have.
Thank you all for your help.




Deckard's System Scanner v20071014.68
Run by Adam on 2008-04-25 23:30:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-26 04:31:07 UTC - RP1005 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).
System Drive C: has 4.34 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-25 23:35:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Documents and Settings\Adam\Application Data\xoszl.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Documents and Settings\Adam\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kansas.scout.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=7&ar=msnhome
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131405841\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: about://internet (HKCU)
O15 - Trusted Zone: http://mcafee.com (HKCU)
O15 - Trusted Zone: https://mcafee.com (HKCU)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} () - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll (file missing)
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: McAfee Application Installer Cleanup (0021061209111001) (0021061209111001mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002106~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe


--
End of file - 9822 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 TLA13 - c:\docume~1\adam\locals~1\temp\user.bak (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 0021061209111001mcinstcleanup (McAfee Application Installer Cleanup (0021061209111001)) - c:\windows\temp\002106~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01551028&REV_02\4&1C660DD6&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-04-23 12:45:56 338 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-04-23 12:45:53 330 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-04-21 20:00:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-25 and 2008-04-25 -----------------------------

2008-04-25 23:00:01 0 d-------- C:\ie-spyad_zo
2008-04-25 22:42:48 0 d-------- C:\Program Files\SpywareBlaster
2008-04-24 22:59:15 0 d-------- C:\Program Files\Panda Security
2008-04-24 22:56:26 0 d-------- C:\WINDOWS\LastGood
2008-04-24 18:59:15 0 d-------- C:\Documents and Settings\Adam\Application Data\McAfee
2008-04-23 23:53:33 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-04-23 23:49:36 0 d-------- C:\Program Files\Spyware Doctor
2008-04-23 23:48:30 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-23 23:38:56 9216 --a------ C:\WINDOWS\system32\ffnd.exe <Not Verified; Kephyr; FreeFixer's Native Deleter>
2008-04-23 23:33:14 0 d-------- C:\Program Files\FreeFixer
2008-04-23 23:20:37 0 d-------- C:\Program Files\Bazooka Scanner
2008-04-23 12:52:03 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Desktop
2008-04-23 12:52:03 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\SiteAdvisor
2008-04-23 12:51:18 0 d-------- C:\Program Files\SiteAdvisor
2008-04-23 12:51:17 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-04-23 12:51:17 0 d-------- C:\Documents and Settings\Adam\Application Data\SiteAdvisor
2008-04-23 12:49:42 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-04-23 12:45:03 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-23 12:44:42 0 d-------- C:\Program Files\McAfee
2008-04-23 12:28:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-04-23 12:10:04 0 --ahs---- C:\Documents and Settings\Adam\Application Data\00480f30d0b1e8feaf0bba196fc0fe19c480954a0ae966ef01.dat
2008-04-23 07:50:25 13824 --a------ C:\Documents and Settings\Adam\Application Data\xoszl.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-25 15:44:36 0 d-------- C:\Documents and Settings\Adam\Application Data\AdobeUM
2008-04-24 19:25:20 33 --a------ C:\Documents and Settings\Adam\Application Data\install.ini
2008-04-23 23:49:17 0 d-------- C:\Program Files\Java
2008-04-23 23:48:30 0 d-a------ C:\Program Files\Common Files
2008-04-23 23:39:11 0 d-------- C:\Program Files\Google
2008-04-23 23:02:30 78458 --ah----- C:\Documents and Settings\Adam\Application Data\ptads.bin
2008-04-23 19:36:33 0 d-------- C:\Program Files\Platform Draw Jugs
2008-03-27 00:28:05 0 d-------- C:\Documents and Settings\Adam\Application Data\Move Networks
2008-03-24 12:45:56 0 d-------- C:\Documents and Settings\Adam\Application Data\Media Player Classic
2008-03-24 12:17:35 0 d-------- C:\Program Files\DivX
2008-02-25 22:38:13 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-02-25 22:38:11 4536 --a----c- C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [03/09/2003 03:30 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"HostManager"="C:\Program Files\Common Files\AOL\1131405841\ee\AOLHostManager.exe" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [10/05/2007 06:39 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 04:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 04:22 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [08/24/2007 04:57 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [10/13/2004 11:24 AM]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [4/6/2003 2:17:18 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 258 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-04-25 23:38:10 ------------

Answer: AWOLA + Hijacked IE Home Page + others...

Hello and welcome to TSF.

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=7&ar=msnhome
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O15 - Trusted Zone: about://internet (HKCU)
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} () - http://hotsearchbar.com/toolbar2/winhot32.cab

Close all browsers and windows other than HijackThis and click on "fix checked".

I am not sure if you set this as your start page yourself or not. If not, please include it in the above fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kansas.scout.com/

===========================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked:
Applications and Applets
Trace and Log Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.


===========================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

============================

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:


MBAM log
C:\ComboFix.txt
New HijackThis log.

===========================

11 more replies
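An added example, not part of the thread and not the helper's own method: a small Python triage pass over a HijackThis-style log. It parses the running-process list and the coded entries (R0, R3, O9, ...), then reports two things a reviewer of the log above would look at first: entries whose target is marked "(file missing)" or "(no file)", and executables running from a user-writable profile directory. The list of user-writable directories is an assumption of this example, and the sample lines are copied from logs on this page.

```python
import re

# Sample input: lines copied from the logs quoted on this page (two threads,
# so both the "key = value" and the older "key=value" R-line formats appear).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Documents and Settings\Adam\Application Data\xoszl.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kansas.scout.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} () - http://hotsearchbar.com/toolbar2/winhot32.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# HijackThis entry lines look like "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Assumption of this example: directories a standard user can write to and
# where installed software does not normally keep its executables.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\",
                 "\\windows\\temp\\")


def parse_log(text):
    """Split a log into the running-process list and the coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            code, body = match.groups()
            guid = GUID_RE.search(body)
            entries.append({
                "code": code,
                "body": body,
                "guid": guid.group(0).upper() if guid else None,
                "orphaned": body.endswith(ORPHAN_MARKERS),
            })
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def browser_settings(parsed):
    """Return the IE start/search settings from R0/R1 lines as key -> URL."""
    settings = {}
    for entry in parsed["entries"]:
        if entry["code"] in ("R0", "R1") and "=" in entry["body"]:
            # Split on the first "=" only: the URL itself may contain "=".
            key, value = entry["body"].split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def triage(parsed):
    """List (reason, line) pairs that deserve a manual look."""
    findings = []
    for path in parsed["processes"]:
        lowered = path.lower()
        if lowered.endswith(".exe") and any(d in lowered for d in USER_WRITABLE):
            findings.append(("process in user-writable directory", path))
    for entry in parsed["entries"]:
        if entry["orphaned"]:
            findings.append(("registry entry points at a missing file",
                             f'{entry["code"]} - {entry["body"]}'))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, url in browser_settings(parsed).items():
        print(f"setting  {key} -> {url}")
    for reason, line in triage(parsed):
        print(f"review   {reason}: {line}")
```

A finding here only means "look at this line"; whether an entry should be fixed is still the judgement of whoever reads the log.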
Relevance 68.06%

Hey guys and gals

I recently have been fighting IE with my home page defaulting back to blank page. I recently read a previous thread on this and I think I have the same problem. Here are my HJT and CWS reports, HEEEEELLLLLLP!

Thanks a lot.

Gerry
Logfile of HijackThis v1.97.7
Scan saved at 8:25:57 PM, on 5/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Easy\TV Capture\RemoteCtl.exe
C:\Program Files\Sierra Im... Read more

Answer:IE Home Page switching to blank page, I think I've been hijacked

7 more replies
Relevance 68.06%

I choose BBC as my home page in IE but recently another page for an unknown search engine has appeared and keeps re-appearing even if I change the default back to BBC. Any ideas? Thanks

Answer:Home Page in IE Hijacked By Unknown Search Page

download and run adaware, spybot, at click here do a search for qhosts and delete, should solve your probs. johnny.

5 more replies
Relevance 66.83%

Hi,
I am brand new to this site, so please be patient with me and thank you in advance for your help. My homepage and my search from my browser were "hijacked" and replaced by another one... I was able to figure out how to correct the homepage problem on my own, but I can't fix the search page. I just want to set it back to use the default MSN search from my browser and can't seem to do it. Has anyone ever heard of "martfinder"? It automatically searches from my browser and is pissing me off that I can't fix it. Here is a copy of hijack this log... please help me.

Logfile of HijackThis v1.94.0
Scan saved at 3:32:08 PM, on 5/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchxp.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.searchxp.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.the-huns-yellow-pages.com/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.the-huns-yellow-pages.com/hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\... Read more

Answer:Search Page/Home Page HIJACKED

Answered here: http://forums.techguy.org/t136654/s.html
 

1 more replies
Relevance 66.83%

Guys I need help with this. See hijack this log below.

Edit by chaslang: Inline log attached
 

Answer:Home page hijacked by blank page

Welcome to Majorgeeks!

Please do not post any logs especially HijackThis inline. Also you must run the cleaning steps given below first. You have a bunch of problems including an HSA hijacker.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

Now since you have an HSA hijacker run the steps in the below thread but start at step 2 since after doing the above you have done most of step 1.
about:Blank and HSA Hijacker - Simplified Removal

If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.
 

1 more replies
Relevance 66.83%

Whenever I go into Explorer my home page consists of a whole page of search links - American. It is a white page with plain blue text and has the simple heading "SEARCH FOR..." I have run Spybot, Adaware, CW Shredder and Webroot Spy Sweeper to no avail - it just won't go away. The home page address still shows as about:blank. Any suggestions anyone? Thanks

Answer:"search for" page has hijacked my home page

Sorry I cannot help get rid of your problem, but when you do, try 'Start Page Guard' - it may even prevent the current page loading anyway if you install it. Can't remember the link - try Google search.

10 more replies
Relevance 65.6%

My home page keeps getting hijacked and replaced by a Home Search page. I have Startpage Guard running and have tried Spybot Search and Destroy, Adaware, Spyware Blaster and Stinger as well as Norton Antivirus. All updated and run with System Restore off. Any more ideas, please?

Answer:Home search has hijacked my home page

Win XP home

10 more replies
Relevance 64.37%
Question: Home Page hijacked

In the past month I seem to have been hijacked. The 'blank page' setting is being replaced by MSN home page. Adaware suggests the culprit lies in a registry entry which I, of course, remove. However, it returns when I restart. I imagine Zone Alarm is or has been bypassed and the culprit is lying undetected somewhere or finds its way from the net on a regular basis. Has anyone had this experience/knows how to eradicate it permanently?

Answer:Home Page hijacked

Have you tried spybot click here

3 more replies
Relevance 64.37%

Please can someone look at my hijack this logfile and help sort my problems. I have run my anti virus and adaware etc but still have problems. Just found another problem, something is blocking me from connecting to the kaspersky online scanner web page.

Logfile of HijackThis v1.99.1
Scan saved at 12:44:19, on 18/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\... Read more

Answer:Pop Ups And Home Page Hijacked

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/pa... Read more


My home page (which is normally set to yahoo) has been corrupted, and even if I Reset Web Settings and/or manually set my home page in internet options, it gets overlaid each time I bring up IE.

Please help!

My Hijack This log is as follows:

Logfile of HijackThis v1.98.2
Scan saved at 11:49:15 AM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.... Read more

Answer:Home Page has been Hijacked

Question: Home Page Hijacked

New to this so hope its OK. I followed all the steps in the tutorial. There is something redirecting me to a security page on explorer startup with a genuine looking explorer window saying I have been infected.

Logfile of HijackThis v1.99.1
Scan saved at 9:30:03 AM, on 1/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDO... Read more

Answer:Home Page Hijacked

More info regarding above:

The screen window popup says I have been infected with [email protected] and to click OK

Question: Home Page Hijacked

I have run adaware...spybot...NAV and Hijackthis please view my log, browser still hijacked

Logfile of HijackThis v1.99.1
Scan saved at 2:58:43 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc... Read more

Answer:Home Page Hijacked

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/pa... Read more

Question: Hijacked Home Page

When we start Internet Explorer the page opens up as (res://shdocpe.dll/blank.htm). We have run Ad-Aware SE with VX2, CW Shredder, Trend Micro, and Spybot S&D. Spybot finds a problem (DSC Exploit) and fixes it, but it still remains.

Logfile of HijackThis v1.97.7
Scan saved at 1:56:17 PM, on 2/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINNT\system32\ntnut32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Ant... Read more

Answer:Hijacked Home Page

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' ... Read more


It would appear that my home page has been hijacked like others. However, I have run Adaware, Spybot and removed all cookies and temporary internet files.
Despite what I do about making other Home Pages the default it still returns to either searchpage.cc/1528/ or nkvd.us/1528/
I tried to download spycatcher but it wont let me and always returns to searchpage.cc/1528
It is driving me up the wall.
How can I remove it and prevent it from happening again. I have a software firewall - does this help?

Thanks in advance from a first time enquirer.

21rivers
 

Answer:Also have hijacked Home Page

Question: Home Page Hijacked

Hi Guys,
Need some help here. I always keep netscape as my home page. Yesterday the page started defaulting to: http://quickmetasearch.com/?said=acc0001_ho.
I currently run the following programs for protection - Norton, AV Personal, Spy-bot, Ad-aware and Spyblaster, but for some reason I cannot reset my home page back to Netscape. Every time I reset it, it reverts back to the page mentioned above.
Please help me resolve this issue. Also, I have included my Hijack.log below. Please advise me if, what, and how to remove items not needed, or those that are problematic.

Thanks Scott

Logfile of HijackThis v1.99.0
Scan saved at 7:34:17 AM, on 1/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\Program Files\Dassault Systemes\B11\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System... Read more

Answer:Home Page Hijacked

Question: Home Page Hijacked

Help,

My internet home page has been taken over by a site name (http://www.securitynetpage.net/)
I can't get rid of it and pop ups are killing me.

I read the info you listed, however i am computer illiterate and can not figure it out.

I would appreciate any help possible.

Thank you,

Tom

Answer:Home Page Hijacked

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. In order to help you we need to see what's running on your computer.

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Question: Home page hijacked

My home page is being hijacked and is defaulting to about:blank

Any help in solving this will be appreciated!!!!

Here is my HJT log
Logfile of HijackThis v1.99.0
Scan saved at 10:13:43 PM, on 1/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = r... Read more

Answer:Home page hijacked

Hello weesy001 and Welcome to TSG!

Before I get you to fix anything in HijackThis, I want you to do ALL of the following.

Download SpywareBlaster from here:
http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.

Download Spybot S&D from here:
http://users.skynet.be/fa936042/spybotsd13.exe

Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

Download Ad-Aware SE from here:
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called ... Read more

Question: Home page hijacked

Our homepage has been hijacked - not even able to do a change in internet options

We get onto a porn-site - linkarama. We can't remove it with AVG (the virus seems to turn the program off) or Ad-aware.

Here is a copy of our log - could someone please let us know what we need to remove.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:22:45 PM, on 3/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files... Read more

Answer:Home page hijacked

Question: Hijacked Home Page

My home page keeps reverting back to some dodgy search engine. I've used Ad-aware, S&D and AVG so far so it's a lot better than it was.

Could someone have a look at the log and advise on what can be zapped......

Logfile of HijackThis v1.99.0
Scan saved at 08:55:42, on 12/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\lotus\wordpro\ltsstart.exe
C:\lotus\smartctr\smart... Read more

Answer:Hijacked Home Page

Question: Hijacked Home Page

I turned my computer on yesterday and my home page was gone. I had a blue screen with a yellow box telling me to install an AV program (Malware Protector 2008). I ran Malware Bytes Anti Malware, Super AntiSpyWare and AVG. Computer seems to work OK but how can I get rid of this screen and get my Homepage back? I could not do a system restore either.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:18 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Micros... Read more

Answer:Hijacked Home Page

SDFix: Version 1.191
Run by james prechel on Fri 06/13/2008 at 11:04 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting
Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\core.cache(11).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(12).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(13).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(14).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(2)(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(3)(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(3).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(4).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(5).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(6).dsk - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 11:11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters... Read more

Question: Home page hijacked

It always gives me an 'about;blank' whenever I turn on my internet explorer. Despite my several attempts to re-setting of a proper URL address, my home page will always go blank in the next IE activation. Help needed, pse.

Answer:Home page hijacked

try using spywareguard click here
this will detect if your browser will be hijacked and warn you (it just told me and i rejected the hijack).
this will also stop spyware getting onto your computer in the first place.
also, if you are not doing so already, use mozilla firefox as your internet browser click here


Hi all,

my home page has been hijacked by that searchv page. I downloaded adaware, hijackthis, spybot and followed all instructions you gave to the rest of the guys. When i am not connected to the net everything is cool, but after I connect and reboot it starts all over.

Here is the log from hijackthis:

Logfile of HijackThis v1.97.3
Scan saved at 21:12:31, on 14/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Diogenis Papiomytis\Desktop\HijackThis.exe

R1 - HKCU\Software\Mi... Read more

Answer:my home page hijacked!


Hi,

I'm kind of a beginner. I've succeeded in acquiring some type of a hijacker. I've tried to run Spybot and Adaware. Then I run Hijack This and delete the obvious R1 values (search page, search assistant, main default), but when I restart and open IE, the home page is hijacked again (pointing to about:blank) but the page appears to be some type of search engine.

I really don't know what to do. I must be missing something. Please help. Here is the log of my HijackThis scan. Note: I've tried to delete the first 8 R1 values listed on the scan, but they return when I re-launch IE. I have left them here so that you might better be able to help.

Logfile of HijackThis v1.97.7
Scan saved at 7:04:57 PM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\... Read more

Answer:Home Page Hijacked, need help


The title says it all really! I can change the home page but every time I restart the computer it goes back to click here. I read a post on here somewhere about it but can't find it!! Any help?

Thanks
C

Answer:Home page been hijacked!!

Check out these:
Spybot click here
AdAware click here
HiJack This click here


My home page was set to bestsecurityguide.com, and anytime I change it back to my original it doesn't work. Even in internet options my original homepage is listed. Also if I am on any other webpage and type in my original homepage it goes back to bestsecurityguide.com. Any help would be much appreciated, thanks. Here is my Hijackthis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Pane... Read more

Answer:Home Page Hijacked..

Welcome to TSF.

Please post your entire HijackThis log next time. You left out the header information which is always needed...

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.geekstogo.com/click...click.php?id=1 and save the file to your desktop.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet. NOTE: If you have Windows 9x/ME, you don't need to run Ewido (skip this step).

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of ... Read more

Question: Home page hijacked

My son's computer has a hijacked homepage. We have tried to reset it but it keeps reverting back to the hijacked page after rebooting. Can anyone please help? Thanks so much.
 

Answer:Home page hijacked

Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
to download Hijack This.

Close all open windows and open Hijack This. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to NotePad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
 

Question: Home Page Hijacked

My normal Home Page has been taken over by Best Search Engine:
http://gkicp.info/index.php?aid=227

No matter what I do (I have reset my home page back to my original) but
when I reboot the Best Search Engine shows up again as my home page.

I ran SpyBot and AdAware, as well as a virus scan

How do I get rid of it?????
 

Answer:Home Page Hijacked

this topic has been covered here a lot.. do a search in the software forum for "HIJACKED"
 


My home page always gets hijacked by msn.com. Which is to say, msn.com forces itself to be my home page without my consent or approval.

How can I stop this from happening permanently?

Thanks for any tips.
 

Answer:home page hijacked by msn

If you are running a SpyWare Scanner.

Most SpyWare scanners use this as a default page, and use msn.com as the default page; when you click "yes" to fix the problem, it will also reset the home page to default.

Otherwise I don't know what it could be.
 


Hi everyone

I am unable to change my home page back to Yahoo (I've tried tools - internet options)...I've run Spybot and Adaware....I have some things that keep popping up in my favorites that I keep deleting and now some darn pop-ups have made appearances...and Heaven help me even did some Regediting ( Hey, there is a lot of info on the internet, probably somewhat dangerous if you really don't know what the heck you're doing, but no harm done). I ran "Hijack This" and am posting the results....I hope you can help....but please bear with me...I am a computer idiot.

Thanks in advance for your help
Logfile of HijackThis v1.98.2
Scan saved at 7:02:03 PM, on 3/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ipqc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOW... Read more

Answer:Hijacked home page !!

16 more replies
Relevance 64.37%
Question: Home Page Hijacked

When I open the internet my homepage is www.securitysafeguards.net- telling me there is spyware detected. When I try and change my homepage- it always goes back to this site as well as if I enter the address for the site I wanted as my homepage- it now comes up as securitysafeguard. (ie change homepage to www.msn.com- it still comes up as securitysafeguard and if I go to file- open and enter www.msn.com- it goes to securitysafeguard also.) I have Norton supposedly protecting me and ran all the recommended scans on your site ( each time coming up with alarming #s) but none resolving this issue. I am out of ideas and since I am barely computer literate .... My little brother told me about this site. Any assistance is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:35:07 PM, on 4/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\P... Read more

Answer:Home Page Hijacked

Hi mikki!

* It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* First we must disable the monitoring by MSAS or it can interfere with registry changes that HijackThis makes.
1. Right-click on the Microsoft Anti-Spyware icon in the system tray [It's the one with the red and yellow bulls-eye.].
2. Click on "Security Agents Status".
3. Click on "Disable real-time protection".

* Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.
1. Click on the Options menu and choose Settings.
2. In the left pane column click on "Real Time Protection".
3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
4. Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection" (recommended).
5. Click the Save button and close Microsoft AntiSpyware.

* Do you use Poker applications at all? If you do that is fine, but they are known to come bundled with malware, so in my opinion you should remove them. If you do wish to remove them click on start, then control panel, and then double-click on add/remove pr... Read more

7 more replies
Relevance 64.37%

can anyone help me my home page is being hijacked in other words i get another page rather than the one i want i have run hijack this and fixed the offending item but it keeps returning as a different home page.
 

More replies
Relevance 64.37%

Hi, could you please check this new HJT log and tell me which programs to remove? I'm having problems matching up the programs to remove from my first HJT I posted yesterday. Thanks so much!

Logfile of HijackThis v1.98.2
Scan saved at 7:36:35 AM, on 8/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CREATIVE\SHARED FILES\CAMTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WEBSHOTS\... Read more

Answer:New HJT log for hijacked home page.

What have you done so far? Ad-Aware, Spybot, CWShredder, etc....
 

3 more replies
Relevance 64.37%

I use XP and my homepage is hijacked to a weird search engine..
your help will be greatly appreciated...
thanks in advance for your help..

Logfile of HijackThis v1.99.1
Scan saved at 10:41:50 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\clubbox.exe
C:\WINDOWS\system32\crak32.e... Read more

Answer:my home page is hijacked

Hello, and welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).



Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

dx8pdmoe.exe... Read more

1 more replies
Relevance 64.37%
Question: home page hijacked

I have Windows 98 and Internet Explorer is my browser. I'm being plagued by that "about blank/search this" homepage hijacker. I have downloaded HijackThis and put it in a folder. Can you tell me what to do next? Do I need to create a log file? How do I do that? I'm not very computer savvy and I would really appreciate some help. Thanks.
 

Answer:home page hijacked

10 more replies
Relevance 64.37%
Question: Hijacked Home Page

Hello,
My home page has been hijacked and comes up as www.selfsearch.biz. At the bottom of this page is a 'support' link to supposedly remove, but using it fails. This site can not be found in programs nor anywhere that I can think to look. I have used spybot to no avail. Please assist.
Thanks
-Dean
 

Answer:Hijacked Home Page

Go here http://tomcoyote.com/hjt/ and get, install and run HijackThis; create a HijackThis folder in [C:] and extract the downloaded zip file to that folder; run HJT, generate a log and post it here. There are full instructions on that website.
 

3 more replies
Relevance 64.37%
Question: Home page hijacked

Having trouble with my home page changing without my knowledge. Have tried startpage guard as recommended in this forum but it doesn't seem to make any difference. Any ideas? (win98 if that's any help).

Answer:Home page hijacked

Try Ad-aware click here and Spybot click here. Update them before scanning. If you still have a problem try CWShredder click here

2 more replies
Relevance 64.37%

This is for a friend his home page is changed and now no matter what he does he can't get it back

now this is happening

I think I have BIG problems now with this hi-jacker trojan. It won't let me download any anti hi-jacker programs

Every time I try to down load one ....... It puts me back to the new hi-jacked page ANY MORE IDEAS ?

Can anyone help
He has xp
Thanks so much
Bevlee

Answer:Home page is being hijacked

click here

4 more replies
Relevance 64.37%

my home page (normally msn.ca) is now (sympatico.msn.ca/) and i cannot
change it back using Internet Explorer Tools. I am attaching a Hijack this
log. Any help would be greatly appreciated
 

Answer:home page hijacked--please help

Close all windows, restart Hijack this and put a check mark against the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=1009
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=1009
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
O1 - Hosts: <!-- saved from url=(0031)http://everythingisnt.com/Hosts -->
O1 - Hosts: <HTML><HEAD>
O1 - Hosts: <META http-equiv=Content-Type content="text/html; charset=windows-1252">
O1 - Hosts: <META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
O1 - Hosts: <BODY><PRE># This Hosts file has been altered to block ad servers.
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Click Fix Checked

Restart your computer

Now try
 

2 more replies
Relevance 64.37%

My homepage defaults to hebnetfinder.com. How do I remove this? I have Windows XP. Thanks.
 

Answer:Hijacked home page.

May be malware. ( 99% chance actually )

I would do a scan with SUPERAntispyware, to check. [ Then delete all infections that shows up ]

Then I would scan + save a logfile with HIJACKTHIS and put as a new thread [Copy and paste] it in the "HIJACKTHIS and MALWARE"-forum.
Good luck! =)
 

2 more replies
Relevance 64.37%

My homepage keeps being reset to "www.esearch.cc". Does anyone know what program or virus is causing this? i have run Adaware SE and Spy Bot. Thanks.
 

Answer:Home page hijacked..please help

Please go to this site and download HiJackThis by Merijn Bellekom:

***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

HiJackThis download link

Alternate download links:

http://www.spychecker.com/program/hijackthis.html

http://www.majorgeeks.com/download3155.html

Under "Official Downloads" HiJackThis. It's the 2nd one down.

Download and unzip to a permanent folder of your own creation.

Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "Edit" then "Select All".

Copy and paste the log back to this thread.
 

3 more replies
Relevance 64.37%

page comes up and says it's a guess page but asks for my password to see my mail. when i give it, it forwards me to sign in page. when i sign in it says wrong password. ask for help and it asks if i ever used a credit card on the site. i say no and it just keeps rebooting that page. like it won't go any farther unless i say i used a credit card.
 

Answer:sbc home page has been hijacked??

Hi

First off I would be calling SBC your ISP to alert them of this as that does not sound like something an ISP would do, but seems like a spoof page to get you to enter your ISP details and Credit Card details, stop and do not enter them at all.

To start the removals process of what does sound like a malware infection and redirect, please follow the below and attach the logs requested.



Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.





When you return to make your next post, make sure you attach the following logs and tha... Read more

1 more replies
Relevance 64.37%

I use IE v.6 and something has hijacked my home page. I see that other people have had the same problem, so I ran HijackThis. The following is my log. I would appreciate it if someone would tell me what to delete.

Logfile of HijackThis v1.97.2
Scan saved at 8:45:21 AM, on 9/13/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINPUP32.EXE
C:\WINDOWS\APPLICATION DATA\CHHKFCKO.EXE
C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\TEMP\FAK80F6.TMP
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM... Read more

Answer:something has hijacked my home page

6 more replies
Relevance 64.37%

I've just installed Win XP and tweaked it using a number of tips I've found here and there. Very happy with the results, but there are a couple minor but annoying side effects--I set up a home page (my.yahoo.com) in IE Internet options and it appears to be saved, but whenever I click the home button, it takes me to click here. At the same time, an unwanted toolbar (no name, just search/spyware removal/MP3 and movies/Dating, etc, etc) has appeared and I can't seem to get rid of it either. Can anyone suggest how I can jettison these nuisances? Thanks

Answer:Home Page Hijacked!

Try Ad-aware click here Spybot click here and CWShredder click here. If they don't work, post a HJT log click here

4 more replies
Relevance 64.37%

Hello every time i turn my computer on the home page sets itself to zestyfind.com
Any help would be greatly appreciated.
Thanks
Here is my log i have ran spybot and cwshredder.
Logfile of HijackThis v1.97.6
Scan saved at 12:41:01 PM, on 1/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gloria\Local Settings\Temp\Temporary Directory 41 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Mic... Read more

Answer:home page hijacked???

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

CWshredder from http://www.merijn.org/cwschronicles.html
Spybot - Search & Destroy from http://security.kolla.de
AdAware 6

then
Run CWSHREDDER, check you have the current version 1.47.0 if not press check for update and let it update
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
the patches are :
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
*Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"

then reboot &
Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and... Read more

1 more replies
Relevance 64.37%
Question: Hijacked home page

Hi, you all were quite helpful to me a while ago when my computer was hijacked by search.exe. Well, now my husband's Dell is having problems. He cannot get his regular homepage to load, it loads this instead res://mshp.dll/index.html#37049 and it takes him to a Home Search page. He cannot figure out how to get rid of this. Should I have him d/l the Hijack this program? If so, please post instructions on what to do again. Thanks in advance for your help!!
 

Answer:Hijacked home page

Best to run HiJackThis and post a scan. Follow these steps:

First, create a folder in C:\Program Files and label it HiJackThis. This is where you will download the executable file. This is also the folder where your HJT backups will be stored. Click Here to download the file.

Close all windows, including this and any other browser windows. Launch HJT and click the Scan button. When the scan is finished, the Scan button will have changed to Save Log. Click that and save the log to your HJT folder. DO NOT CHANGE ANYTHING YET. Most of the listed items are harmless or even essential. Wait for recommendations from someone trained in HJT log file interpretation.

In the saved log file window... In the toolbar at the top of the window under Edit, select Select All. Copy (Ctrl+C) the text and paste (Ctrl+V) it into a reply in this thread.
 

3 more replies
Relevance 64.37%
Question: Home Page Hijacked

Hi

Tried to post a response on my last post (click here) but got the following message

"An Error Has Occurred

You have accessed this Page incorrectly. This could be because you have mistyped a URL, or have tried to access a page that does not exists or has been removed. An email has been sent to the webmaster notifying them of this problem.essage."

HJT log is below.

Hope somebody can help.

Thanks

Answer:Home Page Hijacked

You may be getting this error because you are trying to post too much: there is an 800 word limit per post. Post it in about 4 chunks, double spacing it or it will be practically illegible.

10 more replies
Relevance 64.37%

Hello,

Can someone help me please. I recently turned on my computer, only to find a message on my main screen. It's an ad that reads something to the effect...

SECURE YOURSELF RIGHT NOW!

REMOVE ALL SPYWARE FROM YOUR PC.
Then it requests you to click on a bar that reads "REMOVAL INSTRUCTIONS"

...That's not the only problem. The other one is when I click on Internet Explorer, my regular home page has been redirected to some other advertising page. When I go to TOOLS, INTERNET OPTIONS, my home page just soon gets re-directed to the advertising page. Also now and then, I get pop-up messages for advertising offers for various merchandise, and including spyware removal products.

I've run AD-AWARE, SPYBOT, SPY SUBTRACT and NOADWARE programs to detect and remove spyware and trojans etc. A lot of these spyware detection and removal programs find these intruders, and allegedly remove them, but the three above problems still persist. Anyone got any solutions?

Perhaps there is some spyware in my startup registry, but I don't want to tinker around with that section because I'm not a computer expert.

Another note...I noticed one entry in the start up registry that I didn't recognize, that tried to gain access to the internet (ZONE ALARM alerted me to it). I didn't allow permission. Perhaps that is one clue.

Thanks, for any help you can give me.

Answer:Help please...my home page has been hijacked.

Run HijackThis and post the saved log file in this section of the forum. Download HijackThis

2 more replies
Relevance 64.37%
Question: Home Page Hijacked

My homepage has been hijacked and I am unable to sort it. I have tried using Spybot, adaware & Hijackthis but had no joy. Could somebody help please. Thanks.

Answer:Home Page Hijacked

..i have the same prob. i have used the 3 utilities you have, and i also used zerospyware lite. still no joy.

7 more replies
Relevance 64.37%

How can i get rid of a hijacked homepage which is called rack.cc. Help!
 

Answer:Can't get rid of hijacked home page! Help!!

Hi, Welcome to TSG!!
Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

3 more replies
Relevance 64.37%
Question: home page hijacked

I have lingering spyware on a computer. It started with the home page set to about:blank. Now that is fixed, but a lot of ads still pop up, and adaware does not finish running. I run it in safe mode, but it gets to a certain point and stops. I turned off system restore, ran spybot S & D, CW Shredder, and updated Windows. I guessed at some of the hijack this results and deleted them. As a result, the internet is working and memory is back. But I still get some oddities, that make me feel certain it is not all cleaned up. Can you take a look at the log? I am sending the log from my home computer.
Thanks
Logfile of HijackThis v1.97.7
Scan saved at 6:07:58 PM, on 9/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\msdvd.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\MXOaldr.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~... Read more

Answer:home page hijacked

Howdy,

The repair list was getting longer and longer.

First, please download Winsock2 Fix, but do not run it. If, after you have done the NewDotNet repair, your internet connection is broken, you will need to run this tool to get it back up.

Next, please go here, scroll down the page to procedure #4 and follow those instructions.

Next, we need to remove Wintools..

1. Reboot the computer into Safe Mode and turn off System Restore.

2. Remove the Startup Entries in the Registry

Click on Start, Run, Type REGEDIT and Click OK

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Right-Click on the file WinTools and click DELETE

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices

Right-Click on the file WinTools and click DELETE

Close REGEDIT

3.Run HiJackThis (while in Safe Mode) and check these items to be fixed, followed by clicking "fix checked":

C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50099
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.as... Read more

10 more replies
Relevance 64.37%

The rotten bastards have hijacked my home page and no matter what I do I can not retrieve the missing page. What can I do? I'm working with a Dell Pc with Microsoft Windows XP Home edition.
 

Answer:Help! They've Hijacked my home page.

Hi Clemmo. Not to panic. Read this by MajorAttitude and this also. You will find a lot of answers there.
 

17 more replies
Relevance 64.37%

My browser is resetting the home page every time I boot up. The log from HijackThis follows. Thanks in advance for any help you can give me.

Brian

Edit: Inline log removed!
 

Answer:Help with hijacked home page

Welcome to MG's shawook.

You should check out this link and follow some of the info there first. If still having problems after performing some of the checks given there, repost a new HijackThis log. Make sure when you install Ad-Aware and SpyBot Search & Destroy you update first before running. Then cleanup what they find.
 

3 more replies
Relevance 64.37%

I can't seem to get my home page back. I have run a full system scan with ad-aware (most recent version) and hijackthis (v1.98.2). Hijack this finds the bad boy and fixes it, and the first time I go to IE it's correct, but every subsequent time I go into IE it's been hijacked again. I think I'm missing something. A little help here?
 

Answer:home page hijacked....again

11 more replies
Relevance 64.37%

My home page is not my own anymore. It comes up with a search site. How does this happen? This happened before but I still don't know how. Can someone please review my HJT log and advise what I should do? Thank you for any help or advice you can provide.

Logfile of HijackThis v1.97.7
Scan saved at 9:25:06 PM, on 2/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0... Read more

Answer:Home Page Hijacked?

Hello
Please download the following items

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

CWshredder from http://www.majorgeeks.com/downloads31.html

Spybot - Search & Destroy from http://security.kolla.de

AdAware 6 from http://www.lavasoft.de/software/adaware/

then
Run CWSHREDDER,

Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
the patches are :

http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/tr...in/ms03-011.asp

then reboot &

Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ....... Read more

3 more replies

Hi, the usual search page issue

Logfile of HijackThis v1.97.7
Scan saved at 12:58:00 AM, on 11/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\PAVSRV50.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\acoustic.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\SpyHunter\SpyHunter.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\iis5.log:rbeqw
C:\WINNT\winek.exe
C:\Documents and Settings\Administrat... Read more

Answer:IE home page hijacked

7 more replies
Question: hijacked home page

Here is my log. What do I need to get rid of? Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 7:29:55 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Documents and Settings\PJ O'Laughlin\Application Data\wnos.exe
C:\WINDOWS\Syste... Read more

Answer:hijacked home page

First obtain and run the CoolwebShredder (CWShredder.exe) from the site below:

http://www.spywareinfo.com/~merijn/downloads.html

Have it "fix" any problems it detects.

Then run Hijackthis and check any of these entries which remain, close all browser windows, and select "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)

O4 - HKLM\..\Run: [sys] regedit -s sysdllwm.reg

O4 - HKCU\..\Run: [Meor] C:\Documents and Settings\PJ O'Laughlin\Application Data\wnos.exe

^^ suspicious, if you can't vouch for it check and fix it, then after rebooting delete the file

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe

^^ adware, after rebooting delete this and other bolded files.

Post another Scanlog when ready.
 

1 more replies
Question: Home page hijacked

I have problems with my IE while browsing. My homepage gets reset often and some unwanted toolbars are opening up. Moreover, popup menus are also often displayed. The following is the logfile from HijackThis. Can anyone help me in sorting out this problem? I ran many spy software programs but still the problem creeps up.

Logfile from Hijackthis

Logfile of HijackThis v1.98.2
Scan saved at 7:21:30 PM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\LogWatNT.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\zjsiukp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common ... Read more

Answer:Home page hijacked

Can anyone help me out? Please!!!! I really got frustrated with the problems that I am facing now. Please, anyone, go through the log file and let me know what files need to be deleted.

4 more replies
Question: Home page hijacked

Hello all,

I am a victim of a hijacked homepage. Like others, I have executed Spy Sweeper, Lavasoft Ad-Aware, Spybot and CWShredder but with no luck in destroying this. Attached is my HijackThis log file. Suggestions to get rid of this are very much appreciated. Thanks.
 

Answer:Home page hijacked

16 more replies

Plus, there's an entry in my startup that won't allow me to delete it: winlogin
So, since I've just crawled out of the newbie phase, I thought I'd post HijackThis, and hope someone with a little sophistication can tell me how to get rid of the hijacker from my son's computer (it ain't mine). Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 1:19:06 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program FIles\TraySaver\TraySaver.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\program files\steam\steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\DivX.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Luke\Application Data\muhr.exe
C:\WINDOWS\System32\wapisvcc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Window~1\SOM913\hxdef073.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Luke\Desktop\LINUX\HijackThis.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System... Read more

Answer:Home Page Being HiJacked

First, I'd run both spybot ( http://www.safer-networking.org ) and ad-aware ( http://www.lavasoftusa.com ). After that, if the problem doesn't go away, post your HJT log again..
 

3 more replies
Question: Home Page Hijacked

Help; my home page has been hijacked; even when I go thru "tools" and "internet options," it doesn't save the homepage I want; it defaults to something that has been selected for me.
 

Answer:Home Page Hijacked

8 more replies
Question: Hijacked Home Page

Hi guys

PLEASE can someone help me as it's driving me mad! I've tried a few things but cannot sort it out. My homepage has been hijacked by securityfeature.com. I'm sure you're all aware of this one! Can anyone tell me how I can get rid of this? I realise it's something to do with registry keys so if anyone could give me an idiot's guide to where I should look and what to do...n i c e and s l o w...I'd be very grateful! Thanks, Jack

ps - I don't fancy downloading anything I have to pay for! ta

Answer:Hijacked Home Page

Welcome jackcornuto. Please follow the instructions in this link, then post your HijackThis! log in the correct forum (included in the instructions). http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

1 more replies

safetyhall hijacked

Logfile of HijackThis v1.99.1
Scan saved at 11:15:37 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Image ActiveX Object\pmsngr.exe
C:\Program Files\Image ActiveX Object\isamonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Image ActiveX Object\pmmon.exe
C:\Program Files\Image ActiveX Object\isamini.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas403b.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Compaq_Owner\Desktop\KillBox.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Inte... Read more

Answer:home page hijacked have log

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning pr... Read more

2 more replies

I'm running Windows XP and I have McAfee Internet Security Suite 6.0. My IE home page is now set to about and is directed to a porn site. A dialer keeps interrupting my internet seeking to connect and then I get this message:

There seems to be a problem preventing you from proceeding at this time.
The error that occured was:

Download error #2

Please try again later.

When I run McAfee it shows a dialer program for WebSiteViewer that is in the program files and in registry. McAfee only lets you highlight one program at a time to clean. I highlight one and re-run and it shows clean. 5 minutes later both are back. I do the same clean procedure except this time I try highlighting the other; it works no better.

It seems like there are posts on this subject but they are all written in geek and I have no clue what to do.
 

Answer:Hijacked IE home page

7 more replies

I use Yahoo.Com as my home page - when I log into internet explorer, I find that my home page has been changed to coolbiz.com. I try to set Yahoo.com as my homepage; I try to reset internet defaults, but every time I log on I find myself back on this coolbiz.com. Help!

I am using XP
 

Answer:My home page has been hijacked

8 more replies

Google.com is my selected home page. This morning, I opened IE and although Google started, it was taken over by



Code:
sitesure.com/lang=en&country=us&.lang=en&.country=us&synd=ig&mid=59&ifpctok=8513242658915233202&parent=http://www.google.com&libs=gD7mP6I5DKA/lib/libcore.js&extern_js=/extern_js/f/CgJlbhICdXMrMAo4ACwrMBI4ACwrMBM4ACwrMBs4ACw/5qHwt4xKcyk.js&prvtof=8b2VkUqfXDCVzkFMugBtMOdsFBjpDMXG6IKZY0RXzusHnX5QnOJOdg%3D%3D
I have cleaned the registry; defragged, etc. How do I stop this from happening??? Thanks
 

Answer:IE Home Page being hijacked

Please start here: http://forums.majorgeeks.com/showthread.php?t=35407
 

3 more replies
Question: Home Page Hijacked

After doing a recent update to Win 8, my home page on Firefox has been hijacked, and I can't get rid of it. I've restored the system to the day prior to when the new page appeared, I've deleted cookies, I've reset the homepage within Firefox, I've run Avast and Malwarebytes; it's still there. Does anyone have any ideas about how to get rid of this annoyance? Thanks.

Answer:Home Page Hijacked

You might try running AdwCleaner.

9 more replies

Can't get to my Google home page and all my fav web sites. Every tab brings up Ask.com. Help!

Answer:Home Page Hijacked by Ask.com

Greetings jcoult and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems... Read more

3 more replies

Hi there,

I'm having the same problem with the Coolbiz hijack.

Here's my Hijack This log - can someone tell me what i need to do?

Cheers,

JTintin

Logfile of HijackThis v1.98.2
Scan saved at 3:38:45 PM, on 26/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jamie\Application Data\x?ra?f.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGR... Read more

Answer:My home page has been hijacked

Hi jtintin

Welcome to TSG!

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It gets too confusing trying to address two different people's problems in the same thread and you may get overlooked.

Please continue in this thread.
 

2 more replies
Question: Hijacked home page

I need a log read please.
my homepage keeps changing, also when I log in to winxp
My computer does a search for a copy file that it can't find.
please help.

Logfile of HijackThis v1.97.7
Scan saved at 8:41:55 PM, on 11/26/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RLAIRZCNCR.EXE
C:\Program Files\PERFECT SERIES\SCROLL MOUSE\4.0\MOUSE32A.EXE
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\EEGFKVU.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\winlogon.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\LINKSYS\Configuration Utility\PRISMSTA.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Crystalsyd\Local Settings\Temp\Temporary Directory 7 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = htt... Read more

Answer:Hijacked home page

K, u see this file?
C:\WINDOWS\svchost.exe

Shouldn't be there.

U c this file?
C:\windows\winlogon.exe

never heard of it (in that place) in my life.

I recommend, well firstly run http://housecall.trendmicro.com , if that doesn't find anything or it doesn't work, run http://www.pandasoftware.com/activescan/ .

Then download & UPDATE spybot S&D from here: http://security.kolla.de
 

1 more replies

Each time I open Internet Explorer my home page is redirected to Microsoft and their IE8 pitch. I've run Super-Anti Spyware, Malware, Ad-Aware, Spy-bot and Norton and I'm clean. My setting for the home page has not been changed in Internet Properties. If I click on the home page icon on the IE bar I am sent to my selected home page. What's up???
 

Answer:Is my Home Page Hijacked?

Welcome! to MajorGeeks.com!

Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide


Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
To avoid additional delay i... Read more

1 more replies
Question: Home Page Hijacked

I have my homepage constantly changing to 'SEARCH...' page.

here is my log from HijackThis

Please help
Logfile of HijackThis v1.97.7
Scan saved at 23:15:55, on 10/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\win32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\VCOM\Fix-It\MXTask.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\VCOM\Fix-It\Fix-It.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cbnb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cbnb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\In... Read more

Answer:Home Page Hijacked

12 more replies

My home page has been hijacked by some XXX web site. Can you help me get rid of this problem? I am including a copy of the Hijack this scan which I have just completed.

Logfile of HijackThis v1.97.7
Scan saved at 9:08:29 PM, on 4/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\RAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\APPLICATION DATA\BIUO.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\MSOFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE... Read more

Answer:My Home Page has been hijacked

7 more replies
Question: Hijacked home page

I start by apologizing, as you have probably heard the same cry for help a million times, but I am a desperate man at my wits' end and I am about to scream. I have had my home page hijacked by a media site called BIG FEET INTERNET MEDIA. I cannot ever use Google as this site always comes up. Please help me. I currently run Spybot, Ad-Aware etc. but it never gets rid of or finds it. Please help.
 

Answer:Hijacked home page

No need to apologize.


I would suggest you download HijackThis and then go to This Site, if you can, and run the on-line scanner.

Run HJT from its own folder and post a log here ... we'll take a look and see if we can help.


Welcome to the Forums.


 

12 more replies
Question: Home Page Hijacked

I have a computer that has been hijacked. Attached is a HijackThis log file. Any help would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 8:02:25 AM, on 1/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\AWHOST32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DIGITAL IMAGE\MONITOR.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\WINDOWS\TEMP\TD_0004.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Mi... Read more

Answer:Home Page Hijacked

Hi Inthenash, and welcome to TSG..

You’ve been hijacked by CoolWebSearch. Please go here and download, unzip then run CoolWebShredder.

CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Next, please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button… (some may not be there once you've run the above program)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globaltoolbar.com/ie_search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\M... Read more

3 more replies
Question: Hijacked home page

Hi guys,

I see from a lot of posts on here that a lot of people are having the same problem, so I have run HJT. The results are listed below for you to look at and advise me accordingly.

Thanks for your help

Paul

Logfile of HijackThis v1.97.7
Scan saved at 15:40:53, on 18/04/04
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PILOT MOUSE\4DMAIN.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http:/...

Answer: Hijacked home page

Hi......you need to remove Kazaa, that's the source of your problems.
And SpywareNuker is also very bad and does nothing but INSTALL spy/adware.

Run hijackthis again and put a checkmark against these entries....double check
in case you miss anything....
.....then, close all browser and outlook windows including this one and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/a...com/search?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
O4 - HKCU\..\Run: [5-11-1-44] c:\windows\5-11-1-44.exe -m
O4 - HKCU\..\Run: [5-11-1-20] c:\windows\5-11-1-20.exe -m
O4 - HKCU\..\Run: [5-1-26-2] c:\windows\5-1-26-2.exe -m
O4 - HKCU\..\Run: [5-1-26-82] c:\windows\5-1-26-82.exe -m
O4 - HKCU\..\Run:...

3 more replies

Here is my hijack this log. This is the worst hijack I have seen, tried to get it myself, even put a program in my add remove programs but it won't go away, home search assistant. Well, here it is, thanks for the help

Logfile of HijackThis v1.97.7
Scan saved at 8:23:43 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\sysvj.exe
C:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Common Files\Symantec ...

Answer: bad hijacked home page

7 more replies
Question: Home page Hijacked

Help Please, a website has made itself my homepage and I am not able to get rid of it. Can anyone advise what I should do to get rid of this problem? Thanks folks.

Answer: Home page Hijacked

Try Ad-aware click here and Spybot click here

1 more replies

I cannot get rid of this URL from my home page!

res://mshp.dll/index.html#37049

How do I get rid of it via the registry?

Any help would be gratefully received
 

Answer: I Home Page is hijacked

Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch.
 

2 more replies

This is always on my home page

http://syshomepage.com/security/xp/

I downloaded HijackThis and these are the results

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:14:10, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield...

Answer: home page hijacked by

Hello moushakiss,

To get expert help with malware removal see the link below. Follow the steps.

http://www.techsupportforum.com/secu...oval-help.html

After completing the steps you will be advised to post a log for one of the experts to examine. Please use the link provided to post the log, not back here.

Be patient and it may take some time for someone to assist you as that is a busy forum.

1 more replies

How can I get rid of start page line as listed on my regedit? I tried to modify, no good, delete, no good, rename still it will not stay changed. Here is my "hijack this log", if anyone can help me I would greatly appreciate it. Thanks, marty.

Edit by chaslang: Unrequested inline log removed
 

Answer: home page got hijacked!!

Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Please run the steps below.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


If, after doing ALL of the above, you still have a problem, boot into normal mode and make sure you follow these directions exactly as written:


- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc., and any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).


Are you referring to these lines:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\W...

4 more replies

Was following the directions given to another member on how to get rid of that security @#@@# page that has taken over my home page, but I can't find it now. Was even trying to figure out who jumped into whose thread. In any case, please help, here is my hijackthis from notepad.

Logfile of HijackThis v1.99.1
Scan saved at 10:35:21 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Norton Personal Firewall\NISUM.EXE
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\dcomcfg.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Dell\Solution Center\service.exe
E:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\G...

Answer: Hijacked home page !!!!!!!

6 more replies
Question: Home Page hijacked

Please help, my home page has been hijacked. This is a copy of the log.

Logfile of HijackThis v1.99.1
Scan saved at 1:26:02 PM, on 3/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:...

Answer: Home Page hijacked

Download cwshredder 2.12 from here: http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when it's done, even if it crashes. When it's done, run hijackthis again and post a new log

1 more replies

My internet explorer homepage has been hijacked by "coolsearch". This is what hijackthis said...

Logfile of HijackThis v1.98.0
Scan saved at 10:33:35 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\BridgeDeCor.e...

Answer: Someone help, PLEASE, hijacked home Page

6 more replies

Hello, my IE home page is set to http://hao.360.cn/?src=lm&ls=n0bf36f1f97. Even if I set it to a blank page, it will be reset to hao.360.cn after I reboot my machine. I believe my PC is infected. Please help. Thanks.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2015 01
Ran by Jimmy (administrator) on JIMMY-PC on 05-03-2015 23:23:42
Running from C:\Users\Jimmy\Downloads
Loaded Profiles: Jimmy (Available profiles: Jimmy & 1 & 2)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\AstSrv.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterServi...

Answer: IE home page is hijacked

can anyone help?

8 more replies
Question: Home Page hijacked

Hi,

I have a problem where every time I open internet explorer it takes me to a page called home search and I can't change it back to my normal one. I have tried running adaware and it still does this.

thanks for your help
 

Answer: Home Page hijacked

7 more replies
Question: Home Page Hijacked

No matter how many times I reset my home page to Yahoo.com, something is constantly setting it to google.com.

How can I stop this and get control of my home page again?

If you know the answer, could you please e-mail me at tordave at yahoo dot com


Thank you

Answer: Home Page Hijacked

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.

Since it has been a few days since you first posted, please follow these instructions if you still need assistance.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - minimised > extra.txt and maximised > main.txt.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back in this thread (do not attach it).
Please attach extra.txt to your post.


To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

I will monitor this thread for your reply.

Thank you for your patience.

4 more replies

http://www.404ads.net:8000/redirect.php?q=...w%2Emsn%2Ecom%2F&u=9026D181C11F4477BD87BF8D64270FF3&r=fcyqhm&c=us&t=20041130161811 is where I am directed, what is my solution - my first sweep in my hijack log did not yield results

Can anyone assist me?

Icewater

Answer: need help with hijacked home page

Hi icewater,

Sorry about the delay in responding to your post. If you are still requiring help please do the following:

You are running HijackThis from a temporary folder. When run from a temporary folder, the backups HijackThis makes may accidentally get deleted, so please put HijackThis into a permanent folder.
Full instructions on how to do this can be found here: Detailed Explanation
Brief instructions to create a permanent folder are:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder. Put your HijackThis.exe there.
Run HijackThis, click on the scan button
Click on the Save Log button and save the log.
Notepad will open with a copy of the logfile.
Right click, select all, right click, select copy.
Come to this thread, use the Add Reply button and right click & paste the contents into the reply box.
Click the Add Reply button to complete your post.

1 more replies
Question: Home Page Hijacked

My homepage was hijacked and displays a screen that says Privacy Violation Detected and tells me to download a program. It won't let me change my homepage. Also, on the desktop there is a red circular icon with an ! in it and it just tells me my computer is infected.

Anyways, here's the log ...

Logfile of HijackThis v1.99.1
Scan saved at 10:17:56 AM, on 7/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32...

Answer: Home Page Hijacked

Hello,

Any reason why your windows isn't up to date? You don't have even ServicePack1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.

Because your system is already infected, updating now CAN cause problems, so let's get you updated when everything is fixed again.

You don't have an antivirus and firewall either. I strongly suggest you install an antivirus and firewall first!

AVG, Bitdefender OR Avast are good FREE antivirus.

Never install more than one antivirus scanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!

Zonealarm, Kerio OR Sygate are FREE firewalls. Understanding and using firewalls: http://www.bleepingcomputer.com/forums/ind...showtutorial=60

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.

It is also important you don't miss a step and perform everything in the right order!!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definiti...

2 more replies
Question: hijacked home page

Help!

My home page has also been hijacked. The page that comes up is: res://pmpfi.dll/index.html#37049. Right after this page is displayed, a pop-up ad for "only the best" comes up. I've tried running Spybot search and destroy and Spysweeper, but can't get rid of these two. Thanks in advance...
 

More replies

After downloading ie8 my home page keeps changing to MSN.com with a second tab that is for the Bing web page. No matter how many times I have reset my home page each time I start my pc up it reverts back to this MSN & Bing pages. It also at the same time adds a bunch of MSN short cuts into my favorites. I am running Vista Home Premium. I have even shut off system restore and it still boots up with the Hijacking. If I go back to ie7 there is no more problem but as soon as I upgrade to ie8 the problem is back. I have run AVG, Ada-Ware, Spybot and Malwarebytes and nothing comes up. Below is the HijackThis log. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:28 AM, on 09/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program...

Answer: Home page hijacked by MSN

Well I have been patient. I made some changes and so here is the problem with a different bent though.
After installing ie8 (completely) and assuring my home page was still what I wanted I shut my computer down for the night. Upon restarting I clicked on the Explorer button and the following came up: http://www.google.com/toolbar/ie8/done.html I then went to my home page but noticed that google had placed things in my favorites folder so I deleted them. Off and on whenever I would go on the internet this same google page would come up. Then, thinking it had something to do with ie8 and being very annoyed by it, I uninstalled ie8. But then I was surprised that I continued to get this google page every once in a while when starting my computer and then clicking on explore. I have gone into my registry and removed everything even closely related to either google or ie8 but I am still being hijacked by google. I have tried three different anti virus programs and also some spyware programs but with no luck.
 

1 more replies

Hello,

I used to have Google as my home page but now I have something that I never asked for. The URL of this site is res://tnegb.dll/index.html#37049
On a separate matter my PC has recently started to take ages to load programs on startup (after entering my password). When it finally loads I get a number of dialogue boxes

1. sysnw32.exe has encountered a problem and needs to close. We are sorry for any inconvenience. Please tell Microsoft about this problem. Send / Dont Send

2. Neten32.exe has encountered a problem and needs to close. We are sorry for any inconvenience. Please tell Microsoft about this problem. Send / Dont Send

3. When I go on the Internet I get another dialogue box saying please wait while windows configures Microsoft office XP standard for students and teachers. It eventually clears but it never used to do this?

I have a firewall enabled and Norton anti virus 2002 running which I regularly liveupdate.

I suspect a lot of these problems have arisen because my wife has been using Kazaa over the last few months to download music.

I would be grateful if someone could help me to resolve these issues.
 

Answer: Home Page- Hijacked

14 more replies