Tech Problem Aggregator

desktop and home page hijacked

Q: desktop and home page hijacked

Hi guys and gals,
was on the web yesterday, one wrong move and... bam.
my desk top has turned black with a big yellow warning, also my home page was hijacked.
ran spy bot, and ad-aware se, managed to get my home page back, desk top still messed up, computer is running slow also. downloaded hjt here are the results, any help is appreciated.Logfile of HijackThis v1.99.1
Scan saved at 9:30:53 PM, on 12/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\WEBROOT\POP-UP~1\VAPopupKiller.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\hgdcb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {EBCD8008-FEBD-4686-8D00-F9B950F2DB5C} - C:\WINNT\system32\llpj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Office] C:\WINNT\system32\msoff.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\WEBROOT\POP-UP~1\PopUpWasher.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\{EADBC0FB-87FF-44F0-B38B-6D9E347F2913}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: hgdcb - C:\WINNT\system32\hgdcb.dll
O21 - SSODL: UUrnDrmySQaFg - {D498DAE8-7E32-7042-0309-6250B3E27046} - C:\WINNT\system32\glih.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

A: desktop and home page hijacked

7 more replies
Answer Match 79.38%

EDIT: After doing the Panda scan, it appears my IE home page is no longer hijacked, but my desktop still is and the other problems still persist, although I haven't seen a Norton alert since after I restarted my computer after the Panda online scan, which hasn't been too long now. However, before restarting my computer but after the Panda scan, I was getting the Norton alerts described below.

Hello,

Just today my PC has been under attack from a bombardment of virus popups, my desktop being hijacked, and slowdowns. My Norton Antivirus has automatically deleted some stuff, and I did a scan with that as well as Panda Online scanner, AVG Antivirus and Ad-Aware. I'm still getting some Norton alerts, and my desktop and IE home page are still hijacked. Most noticeably, my PC is running slow, and oddly some things aren't working properly, like I can't open notepad (used Word to view the logs below), and when I right-click on my desktop and hit properties, no window comes up. To combat this, I tried going to the Control Panel and double-clicking Display, but again no window came up. Then out of curiousity, I tried the other Control Panel functions, and none of them were popping up windows when I double clicked them. This is really annoying, and I hope some of you great people can help me out!

The main alerts I've been getting from Norton are W32.Virut.B!dam (http://securityresponse.symantec.com...030710-0506-99), which is scary, since the description s... Read more

A:My PC is infected, running slow, and my desktop and IE home page are hijacked

16 more replies
Answer Match 68.04%

Hey guys and gals

I recently have been fighting IE with my home page defaulting back to blank page. I recently read a previous thread on this and I think I have the same problem. Here are my HJT and CWS reports, HEEEEELLLLLLP!

Thanks a lot.

Gerry
Logfile of HijackThis v1.97.7
Scan saved at 8:25:57 PM, on 5/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Easy\TV Capture\RemoteCtl.exe
C:\Program Files\Sierra Im... Read more

A:IE Home Page switching to blank page, I think I've been hijacked

7 more replies
Answer Match 66.78%

hi,
i am brand new to this site, so please be patient with me and thank you in advance for your help. my homepage and my search from my browser were "hijacked" and replaced by another one... i was able to figure out how to correct the homepage problem on my own, but i can't fix the search page. i just want to set it back to use the default MSN search from my browser and cant seem to do it. has anyone ever heard of "martfinder". it automatically searches from my browser and is pissing me off that i cant fix it. here is a copy of hijack this log... please help me.

Logfile of HijackThis v1.94.0
Scan saved at 3:32:08 PM, on 5/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searchxp.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.searchxp.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.the-huns-yellow-pages.com/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.the-huns-yellow-pages.com/hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\... Read more

A:Search Page/Home Page HIJACKED

Answered here: http://forums.techguy.org/t136654/s.html
 

1 more replies
Answer Match 64.26%

Hi Guys,
Need some help here. I always keep netscape as my home page. Yesterday the page started defaulting to: http://quickmetasearch.com/?said=acc0001_ho.
I currently run the following programs for protection- Norton, AV Personal, Spy-bot, Ad-aware and Spyblaster, but for some reason I cannot reset my home page back to Netscape. Everytime I reset it it reverts back to this page mentioned above.
Please help me resolve this issue. Also, I have included my Hijack.log below. Please advise me if, what, and how to remove items not needed, or those that are problematic.

Thanks Scott

Logfile of HijackThis v1.99.0
Scan saved at 7:34:17 AM, on 1/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\Program Files\Dassault Systemes\B11\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System... Read more

A:Home Page Hijacked

16 more replies
Answer Match 64.26%

Hello all,

I am a victim of a hijacked homepage. Like others, I have executed Sprysweeper, Lavasoft-Adware, Sprybot and CWshredder but with no luck in destroying this. Attached is my hijacked log file. Suggestions to get rid of this is very much appreciated. Thanks.
 

A:Home page hijacked

16 more replies
Answer Match 64.26%

Hello All,

I have tried everything and look everywhere I know, but some how My friend's computer Internet home page is being changed automatically. You can put it to what you want and then the very next time you close and open it, it will change to a different home page, one time it will be a web--search.com and the next time it will be a gay porn site. I have ran fifty viruses scans and empty all the temp files. I can't find the reason it doing this. Please Help! Thank You.
 

A:Home Page Being Hijacked

Hi chell c, Welcome to TSG!!

Create a permanent folder on your hard drive like c:\program files\hjt.
Download Hijackthis again and click "Save", direct it to the permanent folder you created. Double click on hijackthis.exe and select Do a system scan and save a logfile. This log will open in notepad. Copy and paste the log back here for review.
Don't make any changes until instructed to do so.
 

1 more replies
Answer Match 64.26%

My home page is being hijacked and is defaulting to about:blank

Any help in solving this will be appreciated!!!!

Here is my HJT log
Logfile of HijackThis v1.99.0
Scan saved at 10:13:43 PM, on 1/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = r... Read more

A:Home page hijacked

Hello weesy001 and Welcome to TSG!

Before I get you to fix anything in HijackThis, I want you to do ALL of the following.

Download SpywareBlaster from here:
http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.

Download Spybot S&D from here:
http://users.skynet.be/fa936042/spybotsd13.exe

Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

Download Ad-Aware SE from here:
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called ... Read more

2 more replies
Answer Match 64.26%

Hi, my homepage has defaulted to about:blank, and I may have been infected with adware/spyware. Would some be able to analyse my Hijack This log and advise? Thanks, TriggyLogfile of HijackThis v1.99.1Scan saved at 00:50:58, on 11/09/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\wdfmgr.exeC:\WINDOWS\SOUNDMAN.EXEC:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\BroadJump\Client Foundation\CFD.exeC:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exeC:\WINDOWS\System32\msrexe.exeC:\Program Files\a2\a2guard.exeC:\Program Files\interMute\SpySubtract\SpySub.exeC:\Program Files\ntl\broadband medic\bin\mpbtn.exeC:\WINDOWS ... Read more

A:Home Page Hijacked

Hello TRIGGY and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.Please perform the following steps:Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).Download SpSeHjfix.zip and unzip it to it's own folder. Do not run it yet.Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.Start in Safe Mode Using the F8 method:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.Use the arrow keys to select the Safe Mode menu item.Press the Enter key.Disconnect from the net and Close ALL OPEN PROGRAMS.Run SpSeHjfix and click on Start Disinfection.
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.Now run CWShredder and click on the Fix -> button.Reboot and repeat the above process.I see no anti-virus installed on this machine. Without an anti-virus application this machine is susceptible to every virus and infection out in the computing world today. Here are 3 free ant... Read more

1 more replies
Answer Match 64.26%

I use IE v.6 and something has hijacked my home page. I see that other people have had the same problem, so I ran HijackThis. The following is my log. I would appreciate it if someone would tell me what to delete.

Logfile of HijackThis v1.97.2
Scan saved at 8:45:21 AM, on 9/13/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINPUP32.EXE
C:\WINDOWS\APPLICATION DATA\CHHKFCKO.EXE
C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\TEMP\FAK80F6.TMP
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM... Read more

A:something has hijacked my home page

6 more replies
Answer Match 64.26%

My name is gilesr A while back my home page got hijacked. We have run Pest Patrol retail copy and our ISP spyware, and Avast anitvirus. There are no problems now other than we cannot get our home page back. I have gone into the registry and fixed some stuff that the spyware changed and tried to reset the page in internet explorer. I have windows 98 first edition. My ISP is SBC yahoo DSL. If we click on home page, it brings the home page back up but will not bring it up initially when we get on the internet. Is this worth messing with any more to try to fix the home page?
 

A:Hijacked home page

SpywareBlaster 3.3 http://majorgeeks.com/download2859.html
AdAware SE 1.05 http://www.majorgeeks.com/download506.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
DL them (they are free), install them, check each for their
definition updates and then run AdAware and Spybot, fixing anything
they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Do these and reboot before the next step.

Then get HiJack This http://thespykiller.co.uk/files/hijackthis_sfx.exe - double click the DL file
And let it extract to its default folder C:\Program FIles\HiJackThis, run it from there, DO NOT fix anything, post the log here.
 

2 more replies
Answer Match 64.26%

When we start Internet Explorer the page opens up as (res://shdocpe.dll/blank.htm) have ran ad-adware se with VX2, CW Sherdder, Trend Micro, and Spybot S&D. Spybot finds problem (DSC Exploit) fixes it but it still remains.

Logfile of HijackThis v1.97.7
Scan saved at 1:56:17 PM, on 2/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINNT\system32\ntnut32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Ant... Read more

A:Hijacked Home Page

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' ... Read more

3 more replies
Answer Match 64.26%

No matter how many times I set my homepage to yahoo.com, for some reason it keeps resetting to google.com.

How can I stop this???

P L E A S E ? ? ?

A:Home Page Hijacked - Help?

Hi tordave, welcome to TSF...

do you have any anti-spy programs installed such as SpySweeper, Spybot Search and Destroy, Super Ad Blocker etc?? If yes, it's likely to be protecting your homepage from being changed which is a usual tactic of some spywares. Check those settings as you may need to disable something or even change the homepage via its GUI.

Post back if that helps or not please.

3 more replies
Answer Match 64.26%

Can't get to my Google home page and all my fav web sites. Every tab brings up Ask.com. Help!

A:Home Page Hijacked by Ask.com

Greetings jcoult and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.If you would allow me to call you by your first name I would prefer to do that.===================================================Ground Rules:First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems... Read more

3 more replies
Answer Match 64.26%

Daughter's PC is XP with SP2. She has dial up service and recently things changed. Internet Explorer comes up automatically with a home page other than what is designated as the selected home page. If you go to some other site, it will go as directed, but after 20-30 seconds it will revert back to its preferred page. This goes on continuously, preventing any stays at other web sites. Have already run SpyBot, Adaware and the Microsoft spyware program. They cleaned up things but problem remains. Can you help? Her computer literacy is limited, so I am trying to help her out. Here's the log taken right after running the anti-spyware programs mentioned above.Logfile of HijackThis v1.99.1Scan saved at 4:02:17 PM, on 9/10/05Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exeC:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXEC:\P... Read more

A:Home Page hijacked. Help

Hello aggienuke and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.Step #1Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).Download CCleaner and install it but do not run it yet.Step #2Restart in Safe ModeRestart the computer.As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.Use the arrow keys to select the Safe Mode menu item.Press the Enter key.Step #3Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel...ernet-0,00.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://totalinternet.snap.com:8005/channel...ernet-0,00.htmlO2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeNow close ALL open windows except HijackThis and click the Fix Checked button to finish the repa... Read more

1 more replies
Answer Match 64.26%

Hello,

Can someone help me please. I recently turned on my computer, only to find a message on my main screen. It's an ad that reads something to the effect...

SECURE YOURSELF RIGHT NOW!

REMOVE ALL SPYWARE FROM YOUR PC.
Then it requests you to click on a bar that reads "REMOVAL INSTRUCTIONS"

...That's not the only problem. The other one is when I click on Internet Explorer, my regular home page has been redirected to some other advertising page. When I go to TOOLS, INTERNET OPTIONS, my home page just soon gets re-directed to the advertising page. Also now and then, I get pop-up messages for advertising offers for various merchandise, and including spyware removal products.

I've run AD-AWARE, SPYBOT, SPY SUBTRACT and NOADWARE programs to detect and remove spyware and trojans etc. A lot of these spyware detection and removal programs find these intruders, and allegedly remove them, but the three above problems still persist. Anyone got any solutions?

Perhaps there is some spyware in my startup registry, but I don't want to tinker around with that section because I'm not a computer expert.

Another note...I noticed one entry in the start up registry that I didn't recognize, that tried to gain access to the internet (ZONE ALARM alerted me to it). I didn't allow permission. Perhaps that is one clue.

Thanks, for any help you can give me.

A:Help please...my home page has been hijacked.

Run HijackThis and post the saved log file in this section of the forum.Download HijackThis

2 more replies
Answer Match 64.26%

safetyhall hijacked Logfile of HijackThis v1.99.1
Scan saved at 11:15:37 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Image ActiveX Object\pmsngr.exe
C:\Program Files\Image ActiveX Object\isamonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Image ActiveX Object\pmmon.exe
C:\Program Files\Image ActiveX Object\isamini.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas403b.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\spider.exe
C:\Documents and

Settings\Compaq_Owner\Desktop\KillBox.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=

EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

Bar =

http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcyds

l/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Inte... Read more

A:home page hijacked have log

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning pr... Read more

2 more replies
Answer Match 64.26%

Hi guys,

I see from a lot of posts on here that a lot of people are having the same problem. so i have run HJT,the results are listed below for you to look at and advise me accordingly.

Thanks for your help

Paul

Logfile of HijackThis v1.97.7
Scan saved at 15:40:53, on 18/04/04
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PILOT MOUSE\4DMAIN.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http:/... Read more

A:Hijacked home page

Hi......you need to remove Kazaa,thats the source of your problems.
And SpywareNuker is also very bad and does nothing but INSTALL spy/adware.

Run hijackthis again and put a checkmark against these entries....double check
in case you miss anything....
.....then,close all browser and outlook windowsincluding this one and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/a...com/search?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
O4 - HKCU\..\Run: [5-11-1-44] c:\windows\5-11-1-44.exe -m
O4 - HKCU\..\Run: [5-11-1-20] c:\windows\5-11-1-20.exe -m
O4 - HKCU\..\Run: [5-1-26-2] c:\windows\5-1-26-2.exe -m
O4 - HKCU\..\Run: [5-1-26-82] c:\windows\5-1-26-82.exe -m
O4 - HKCU\..\Run:... Read more

3 more replies
Answer Match 64.26%

It would appear that my home page has been hijacked like others. However, I have run Adaware, Spybot and removed all cookies and temporary internet files.
Despite what I do about making other Home Pages the default it still returns to either searchpage.cc/1528/ or nkvd.us/1528/
I tried to download spycatcher but it wont let me and always returns to searchpage.cc/1528
It is driving me up the wall.
How can I remove it and prevent it from happening again. I have a software firewall - does this help?

Thanks in advance from a first time enquirer.

21rivers
 

A:Also have hijacked Home Page

8 more replies
Answer Match 64.26%

I have problems with my IE while browsing.My homepage gets resets often and some unwanted toolbars are openingup. Moreover popup menus are also often displayed. The following is the logfile from hijackthis. Can anyone help me in sorting out this problem. I ran mas uny spysoftware programs but still the problem creeps up.

Logfile from Hijackthis

Logfile of HijackThis v1.98.2
Scan saved at 7:21:30 PM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\LogWatNT.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\zjsiukp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common ... Read more

A:Home page hijacked

Can anyone help me out .Please!!!!. I really got frustrated with the problems that i am facing now. Please anyone go through the log file and let me know what files are need to be deleted

4 more replies
Answer Match 64.26%

Okay I read a hundred other messages from people with the same problem as me but the answer is always to go run HT and post the log results.

My home page was hijacked and I can't change them back because the buttons in the Internet Options dialogue box are blanked out. How can I change it back?
-------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 5:32:19 PM, on 7/19/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Inoculan\INOJOBSV.EXE
C:\WINNT\LogWatNT.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Inoculan\realmon.exe
C:\FaxSrCli\Notify.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\EXRW... Read more

A:hijacked home page

Hi aintlion

Welcome to TSG! :

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.
Also please do this:

Click here to download FindNFix.

Extract it (it should autoextract to C:\FindnFix when you double click it)

Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.
 

3 more replies
Answer Match 64.26%

Was following the directions given to another member on how to get rid of that security @#@@# page, that has taken over my home page, but i cant find it now. Was even trying to figure out who jumped into whos thread. In any case, please help here is my hijackthis from note pad.

Logfile of HijackThis v1.99.1
Scan saved at 10:35:21 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Norton Personal Firewall\NISUM.EXE
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\dcomcfg.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Dell\Solution Center\service.exe
E:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\G... Read more

A:Hijacked home page !!!!!!!

6 more replies
Answer Match 64.26%

I need a log read please.
my homepage keeps changing, also when I log in to winxp
My computer does a serch for a copy file that it can't find.
please help.

Logfile of HijackThis v1.97.7
Scan saved at 8:41:55 PM, on 11/26/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RLAIRZCNCR.EXE
C:\Program Files\PERFECT SERIES\SCROLL MOUSE\4.0\MOUSE32A.EXE
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\EEGFKVU.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\winlogon.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\LINKSYS\Configuration Utility\PRISMSTA.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Crystalsyd\Local Settings\Temp\Temporary Directory 7 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = htt... Read more

A:Hijacked home page

K, u see this file?
C:\WINDOWS\svchost.exeClick to expand...

Shouldn't be there.

U c this file?
C:\windows\winlogon.exeClick to expand...

never herad of it (in that place) in my life.

I recommend, well firstly run http://housecall.trendmicro.com , if that doesn't find anything or it doesn't work, run http://www.pandasoftware.com/activescan/ .

Then download & UPDATE spybot S&D from here: http://security.kolla.de
 

1 more replies
Answer Match 64.26%

this always on my home page

http://syshomepage.com/security/xp/

i downloaded hijack this and this is the results

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:14:10, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield... Read more

A:home page hijacked by

Hello moushakiss,

To get expert help with malware removal see the link below. Follow the steps

http://www.techsupportforum.com/secu...oval-help.html

After completing the steps you will be advised to post a log for one of the experts to examine. Please Please use the link provided to post the log not back here.

Be patient and it may take some time for someone to assist you as that is a busy forum.

1 more replies
Answer Match 64.26%

My home page is not my own anymore. It comes up with a search site. How does this happen? This happened before but I still don't know how. Can someone please review my HJT log and advise what I should do? Thank you for any help or advice you can provide.

Logfile of HijackThis v1.97.7
Scan saved at 9:25:06 PM, on 2/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0... Read more

A:Home Page Hijacked?

Hello
Pleae download the following items

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

CWshredder from http://www.majorgeeks.com/downloads31.html

Spybot - Search & Destroy from http://security.kolla.de

AdAware 6 from http://www.lavasoft.de/software/adaware/

then
Run CWSHREDDER,

Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
the patches are :

http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/tr...in/ms03-011.asp

then reboot &

Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ....... Read more

3 more replies
Answer Match 64.26%

New to this so hope its OK. I followed all the steps in the tutorial. There is someting redirecting me to a security page on explorer startup with a genuine looking explorer window saying I have been infected.Logfile of HijackThis v1.99.1Scan saved at 9:30:03 AM, on 1/08/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\Program Files\Dell\OpenManage\Client\Iap.exeC:\Program Files\Network Associates\Common Framework\FrameworkService.exeC:\Program Files\Network Associates\VirusScan\Mcshield.exeC:\Program Files\Network Associates\VirusScan\VsTskMgr.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\VMware\VMware Workstation\vmware-authd.exeC:\WINDO... Read more

A:Home Page Hijacked

More info regarding above:

The screen window popup says I have been infected with [email protected] and to click OK

5 more replies
Answer Match 64.26%

My home page (which is normally set to yahoo) has been corrupted, and even if I Reset Web Settings and/or manually set my home page in internet options, it gets overlaid each time I bring up IE.

Please help!

My Hijack This log is as follows:

Logfile of HijackThis v1.98.2
Scan saved at 11:49:15 AM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.... Read more

A:Home Page has been Hijacked

16 more replies
Answer Match 64.26%

below is the log file from hijack this any help would be great.
Logfile of HijackThis v1.97.7
Scan saved at 2:43:03 PM, on 10/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\myCIO\Agent\swAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\myCIO\VScan\McShield.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\WINNT\myCIO\Agent\myAgttry.exe
C:\2xplorer\2xExplorer.exe
C:\yo9\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.specprint.com
R0 - HKLM\Software\Microsoft\Internet Explo... Read more

A:home page hijacked

Try this Analyze HijackThis Log site to analyze your log and recommend fixes.

5 more replies
Answer Match 64.26%

Hello, my IE home page is set to http://hao.360.cn/?src=lm&ls=n0bf36f1f97. Even if I set it to blank page, it will be reset to hao.360.cn after i reboot my machine. I believe my pc is infected. Please help. Thanks.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2015 01
Ran by Jimmy (administrator) on JIMMY-PC on 05-03-2015 23:23:42
Running from C:\Users\Jimmy\Downloads
Loaded Profiles: Jimmy (Available profiles: Jimmy & 1 & 2)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\AstSrv.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterServi... Read more

A:IE home page is hijacked

can anyone help?

8 more replies
Answer Match 64.26%

Help; my home page has been hijacked; even when I go thru "tools" and "internet options," it doesn't save the homepage I want; it defaults to something that has been selected for me.
 

A:Home Page Hijacked

8 more replies
Answer Match 64.26%

Help!

My home page has also been hijacked. The page that comes up is: res://pmpfi.dll/index.html#37049. Right after this page is displayed, a pop-up ad for "only the best" comes up. I've tried running Spybot search and destroy and Spysweeper, but can't get rid of these two. Thanks in advance...
 

More replies
Answer Match 64.26%

my home page has been hijacked by 123 mania how do i stop this
 

A:home page hijacked

Hi, and welcome to tsg - please add a reply to your post if you still have a problem with your PC include any updated info.

post a hijackthis log
HIJACK THIS:
Try not to reboot
Currently the Spyware identified by the security experts and especially the morphing and breeding .exe`s in the new variants of CWS, after every re-boot required by Ad-Aware and Spybot etc, just spawns more and more files for the poster to find and delete. This is making the advice the security experts give just too hard to follow.
One of the security experts recently had one log with over a hundred files, they guy had to format c: drive.

Download and copy hijackthis to its own folder , it makes backups so keeping them separate and available can be useful.

Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

http://www.tomcoyote.org/hjt/
http://209.133.47.200/~merijn/downloads.html
http://www.thespykiller.co.uk/
http://www.sherrylynn.us/privacypolicy

Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”.
Click on “Save Log” and then save it to NotePad.
Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.
DO NOT FIX ANYTHING wait advice from one of the many security experts in this forum.

I currently do not have the skill/competence to advise and poor advice can be far more damaging to ... Read more

1 more replies
Answer Match 64.26%

Here's the log Logfile of HijackThis v1.99.1Scan saved at 11:11:45 PM, on 8/16/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\csrss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\system32\svchost.exec:\progra~1\mcafee.com\vso\mcvsescn.exeC:\WINNT\system32\wscntfy.exeC:\WINNT\System32\alg.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\NETGEAR\WG511v2\wlancfg5.exec:\progra~1\mcafee.com\vso\mcvsftsn.exeC:\Program Files\NETGEAR\WG511v2\wlancfg5.exeC:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exeC:\WINNT\explorer.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINNT\netgd.exeC:\WINNT\system32\netjh.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft&... Read more

A:Home page hijacked

Hi siobhani and Welcome to the Bleeping Computer!If you are still requiring help,please Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!Under the "General" TabMake Sure Normal Startup is Checked!!Click Apply>>Close>>Follow the Prompts to Restart!Post a fresh HijackThis log and we will see what we see!

1 more replies
Answer Match 64.26%

How can i get rid of a hijacked homepage which is called rack.cc. Help!
 

A:Can't get rid of hijacked home page! Help!!

Hi, Welcome to TSG!!
Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

3 more replies
Answer Match 64.26%

My problem started a while ago when my IE homepage kept defaulting to a different page. I was able to delete that page name but I still can't change the homepage address. I currently use Firefox so I was able to ignore the problem until recently.Now, when I turn on the computer, it immediately takes me to the defaulted IE page and I get the error message: The application or DLL apiuv32.exe - Bad Image C:\WINDOWS\system32\appjp.dll is not a valid Windows image. Please check this against your installation diskette.Can someone help me out of this maze?I ran Hijackthis and here is the log:Logfile of HijackThis v1.99.1Scan saved at 9:53:46 PM, on 7/25/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\EPSON\ESM2\eEBSVC.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS&#... Read more

A:Home page hijacked

Hi John and welcome to Bleeping. The following fix is based on the files present in your log 'currently'. This infection tends to 'morph' quite a bit so it may take a few rounds.Please continue to use Firefox until we've cleaned you up. The online virus scan at the end is Firefox compatible. Step 1Download Killbox from here to your desktop.Download and install About Buster 5.0 following the instructions here.Update the program with the latest definitions and then close it.Do NOT scan with About Buster yet.Download, install and setup Ewido Security Suite by following the instructions here.Update the program with the latest definitions and then close without scanning.Download and install Cleanup! from here.Download CWSServicemove.zip from here and unzip it to your desktop. Do NOT run this until told.Ensure you're familiar with rebooting into Safe Mode. Copy the below steps to notepad and save them to your desktop. Close Internet Explorer and disconnect from the internet.Step 2Run HJT again and checkmark the boxes next to the following:-R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjtgf.dll/sp.html#55135R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjtgf.dll/sp.html#55135R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677R1 - HKLM&#... Read more

12 more replies
Answer Match 64.26%

About blank has hijacked my home page . Everytime I try to log into hotmail it goes to this annoying directory page . Can some one look at this junk and let me know what I can or cannot delete ? THX DON C:\WINDOWS\PACKAGER.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = [email protected]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51... Read more

A:Hijacked home page .

13 more replies
Answer Match 64.26%

No matter how many times I reset my home page to Yahoo.com, Something is constantly setting it to google.com.

How can I stop this and get control of my home page again?

If you know the answer, could you please e-mail me at tordave at yahoo dot com


Thank you

A:Home Page Hijacked

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.

Since it has been a few days since you first posted, please follow these instructions if you still need assistance.

Download Deckard's System Scanner (DSS) to your Desktop . Note: You must be logged onto an account with administrator privileges.Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - minimised > extra.txt and maximised > main.txt.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back in this thread (do not attach it).
Please attach extra.txt to your post.


To attach a file to a new post, simplyClick the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:C:\Deckard\System Scanner\extra.txt

Click Upload.

I will monitor this thread for your reply.

Thank you for your patience.

4 more replies
Answer Match 64.26%

I'm running Windows XP and I have McAfee Internet Security Suite 6.0. My IE home page is now set to about and is directed to a porn site. A dialer keeps interrupting my internet seeking to connect and then I get this message:

There seems to be a problem preventing you from proceeding at this time.
The error that occured was:

Download error #2

Please try again later.

When I run McAfee it shows a dialer program for WebSiteViewer that is in the program files and in registry. McAfee only lets you highlight one program at a time to clean. I highlight one and re-run and it shows clean. 5 minutes later both are back. I do the same clean proceedure except this time I try highlighting the other it works no better.

It seems like there are posts on this subject but they are all written in geek and I have no clue what to do.
 

A:Hijacked IE home page

7 more replies
Answer Match 64.26%

I have my homepage constantly changing to 'SEARCH...' page.

here is my log from HijackThis

Please help
Logfile of HijackThis v1.97.7
Scan saved at 23:15:55, on 10/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\win32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\VCOM\Fix-It\MXTask.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\VCOM\Fix-It\Fix-It.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cbnb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\cbnb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\In... Read more

A:Home Page Hijacked

12 more replies
Answer Match 64.26%

i have been following the messages regarding hijacked home pages and have run the hijackthis and adware (as well as pest patrol) to remove my hijacker. i have been unable to complete an aboutbuster scan because it quits after about a fourth of the way through the scan with a "runtime error 13 type mismatch". what does that mean and how can i get rid of it. desprately want to rid myself of this virus, trojan, hijacker, or whatever the heck it is. my hijcak this scans do not resemble anything as bad as i have seen logged here. typically only one O4 noname and a couple R0-3. please advice. thanks
 

A:hijacked home page

Hello,
PLease go to www.thespykiller.co.uk and go to Downloads, and download HijackThis. Save it to a permanent folder, and open it. Click on "scan" and nothing else. It will create a log. Click on "save log", this will convert it to a notepad doc. Cut and paste the contents of the log into this thread so we can look at it.
 

2 more replies
Answer Match 64.26%

My home page has been hijacked by some XXX web site. Can you help me get rid of this problem? I am including a copy of the Hijack this scan which I have just completed.

Logfile of HijackThis v1.97.7
Scan saved at 9:08:29 PM, on 4/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\RAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\APPLICATION DATA\BIUO.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\MSOFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE... Read more

A:My Home Page has been hijacked

7 more replies
Answer Match 64.26%

My home page has been hijacked, have tried ad-aware, spy subtract, cws shredder (in safe mode too) with no joy.

Here is my hjt log, please help

Logfile of HijackThis v1.99.1
Scan saved at 18:29:33, on 05/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\nmstt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\paytime.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\STEWAR~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Pa... Read more

A:Help please, home page hijacked

7 more replies
Answer Match 64.26%

Unable to set home page, keeps going to starsearches. Please advise.
 

A:Home Page hijacked

15 more replies
Answer Match 64.26%

My IE home page is hijacked and i just cannot get rid of it. I tried majority of the spyware removal programs, one of them succeeds in changing the page back to the blank page, however after the restart of the pc, the scene is back to normal. I tried using the HijackThis utility and below is the log file. Kindly assist me is removing the startup file which is goofing up the ie page.

Logfile of HijackThis v1.99.0
Scan saved at 5:32:00 PM, on 1/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\NovaPortal.com\NovaPortal Single User\NPSU.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\System32\hkcmd.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Plaxo\2.0.2.3\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Microsoft Office\Offi... Read more

A:My IE Home page is Hijacked

What's the novaportal line referring to? I'm afraid to go look...
 

1 more replies
Answer Match 64.26%

My homepage defaults to hebnetfinder.com. How do I remove this? I have Windows XP. Thanks.
 

A:Hijacked home page.

May be malware. [ 99% chance actually )

I would do a scan with SUPERAntispyware, to check. [ Then delete all infections that shows up ]

Then I would scan + save a logfile with HIJACKTHIS and put as a new thread [Copy and paste] it in the "HIJACKTHIS and MALWARE"-forum.
Good luck! =)
 

2 more replies
Answer Match 64.26%

Hi all,

my home page has been hijacked by that searchv page. I downloaded adaware, hijackthis, spybot and followed all instructions you gave to the rest of the guys. When i am not connected to the net everything is cool, but after I connect and reboot it starts all over.

Here is the log from hijackthis:

Logfile of HijackThis v1.97.3
Scan saved at 21:12:31, on 14/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Diogenis Papiomytis\Desktop\HijackThis.exe

R1 - HKCU\Software\Mi... Read more

A:my home page hijacked!

8 more replies
Answer Match 64.26%

I'm trying to help someone get their home page back. I have run an Ad-Aware scan, a Spybot scan, virus scan from TrendMicro and am using McAfee Version 8.0. Please take a look at my HJT Log; it's really funky:Logfile of HijackThis v1.98.2Scan saved at 1:52:15 PM, on 10/25/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\ePOAgent\FrameworkService.exeC:\Program Files\Network Associates\VirusScan\VsTskMgr.exeC:\WINNT\System32\mnmsrvc.exeC:\WINNT\System32\nvsvc32.exeC:\WINNT\System32\rundll32.exeC:\WINNT\Explorer.EXEC:\WINNT\GWMDMMSG.exeC:\ePOAgent\UpdaterUI.exeC:\Program Files\Network Associates\VirusScan\SHSTAT.EXEC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Microsoft Office\Office10\msoffice.exeC:\WINNT\sysls.exeC:\WINNT\sdkqu32.exeC:\HiJackThis\HijackThis.exeC:\Program Files\Internet Explorer\iexplore.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C: ... Read more

A:Hijacked Home Page

Hi mickkelly,You have a nasty CoolWebSearch infection which requires precise steps to fix:Please download GetService.zipExtract it to a new folder in the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here along with a new HijackThis log. From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work

6 more replies
Answer Match 64.26%

My homepage keeps being reset to "www.esearch.cc". Does anyone know what program or virus is causing this? i have run Adaware SE and Spy Bot. Thanks.
 

A:Home page hijacked..please help

Please go to this site and download HiJackThis by Merijn Bellekom:

***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

HiJackThis download link

Alternate download links:

http://www.spychecker.com/program/hijackthis.html

http://www.majorgeeks.com/download3155.html

Under "Official Downloads" HiJackThis. It's the 2nd one down.

Download and unzip to a permanent folder of your own creation.

Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "Edit" then "Select All".

Copy and paste the log back to this thread.
 

3 more replies
Answer Match 64.26%

My son's computer has a hijacked homepage. We have tried to reset it but it keeps reverting back to the hijacked page after rebooting. Can anyone please help? Thanks so much.
 

A:Home page hijacked

Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
to download Hijack This.

Close all open windows and open Hijack This. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to NotePad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
 

3 more replies
Answer Match 64.26%

After doing a recent update to Win 8, my home page on Fire Fox has been hijacked, and I can't get rid of it. I've restored to system to the day prior to when the new page appeared, I've deleted cookies, I've reset the homepage within Fire Fox, I've run Avast and Malwarebyte; it's still there. Does anyone have any ideas about how to get rid of this annoyance. Thanks.

A:Home Page Hijacked

You might try running aswcleaner AdwCleaner Download

9 more replies
Answer Match 64.26%
Answer Match 64.26%

I have run adaware...spybot...NAV and Hijackthis please view my log, browser still hijackedLogfile of HijackThis v1.99.1Scan saved at 2:58:43 PM, on 6/15/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc... Read more

A:Home Page Hijacked

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.Please download SmitfraudFix (by S!Ri)Extract the content (a folder named SmitfraudFix) to your Desktop.Next, please reboot your computer in Safe Mode by doing the following :Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;Instead of Windows loading as normal, a menu with options should appear;Select the first option, to run Windows in Safe Mode, then press "Enter".Choose your usual account.Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmdSelect option #2 - Clean by typing 2 and press "Enter" to delete infected files.You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.A text file will appear onscreen, with results from the cleaning process; please copy/pa... Read more

3 more replies
Answer Match 64.26%

My homepage was hijacked and displays a screen that says Privacy Violation Detected and tells me to download a program. It won't let me change my homepage. Also, on the desktop there is a red circular icon with an ! in it and it just tells me my computer is infected.Anyways, here's the log ...Logfile of HijackThis v1.99.1Scan saved at 10:17:56 AM, on 7/12/2005Platform: Windows XP (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\sistray.EXEC:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exeC:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Microsoft IntelliType Pro\type32.exeC:\Program Files\Microsoft IntelliPoint\point32.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Java\jre1.5.0_02\bin\jusched.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\WINDOWS\System32�... Read more

A:Home Page Hijacked

Hello,Any reason why your windows isn't up to date? You don't have even ServicePack1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.Because your system is already infected, updating now CAN cause problems, so let's get you updated when everything is fixed again.You don't have an antivirus and firewall either. I strongly suggest you install an antivirus and firewall first!AVG, Bitdefender OR Avast are good FREE antivirus.Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decreases the reliability of it seriously!Zonealarm, Kerio OR Sygate are FREE firewalls. Understanding and using firewalls:http://www.bleepingcomputer.com/forums/ind...showtutorial=60It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.It is also important you don't miss a step and perform everything in the right order!!Download smitRem.zip and save the file to your desktop.Right click on the file and extract it to it's own folder on the desktop.Place a shortcut to Panda ActiveScan on your desktop.Please download the trial version of Ewido Security Suite here:http://www.ewido.net/en/download/Please read Ewido Setup InstructionsInstall it, and update the definiti... Read more

2 more replies
Answer Match 64.26%

Please help looking a friends system and it seems that his home page has been hijacked. When ever you open internet everything but the home page comes up.

Logfile of HijackThis v1.99.1
Scan saved at 9:35:31 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gold Codec\isamonitor.exe
C:\Program Files\Gold Codec\isamini.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://malwarewipe.com/?rid=246
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 ... Read more

A:Home page hijacked

10 more replies
Answer Match 64.26%

When I open the internet my homepage is www.securitysafeguards.net- telling me there is spyware detected. When I try and change my homepage- it always goes back to this site as well as if I enter the address for the site I wanted as my homepage- it nows comes up as securitysafeguard.( ie change homepage to www.msn.com- it still comes up as securitysafeguard and if I go to file- open and enter www.msn.com- it goes to securitysafeguard also. I have Norton supposedly protecting me and ran all the recommended scans on your site ( each time coming up with alarming #s) but none resolving this issue. I am at out of ideas and since I am barely computer literate .... My little brother told me about this site. Any assistance is appreciated. Logfile of HijackThis v1.99.1Scan saved at 10:35:07 PM, on 4/1/2006Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\P... Read more

A:Home Page Hijacked

Hi mikki!*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! * First we must disable the monitoring by MSAS or it can interfere with registry changes that HijackThis makes.1. Right-click on the Microsoft Anti-Spyware icon in the system tray [It's the one with the red and yellow bulls-eye.].2. Click on "Security Agents Status".3. Click on "Disable real-time protection".* Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.1. Click on the Options menu and choose Settings.2. In the left pane column click on "Real Time Protection".3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"4. Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended).5. Click the Save button and close Microsoft AntiSpyware.* Do you use Poker applications at all? If you do that is fine, but they are known to come bundled with malware, so in my opinion you should remove them. If you do wish to remove them click on start, then control panel, and then double-click on add/remove pr... Read more

7 more replies
Answer Match 64.26%

Please can someone look at my hijack this logfile and help sort my problems. I have run my anti vrus and adaware etc but still have problems.Just found another problem, something is blocking me from connecting to the kaspersky online scanner web page.Logfile of HijackThis v1.99.1Scan saved at 12:44:19, on 18/08/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\devldr32.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exeC:\WINDOWS\System32\GEARSec.exeC:\Program Files\... Read more

A:Pop Ups And Home Page Hijacked

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.Please download SmitfraudFix (by S!Ri)Extract the content (a folder named SmitfraudFix) to your Desktop.Next, please reboot your computer in Safe Mode by doing the following :Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;Instead of Windows loading as normal, a menu with options should appear;Select the first option, to run Windows in Safe Mode, then press "Enter".Choose your usual account.Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmdSelect option #2 - Clean by typing 2 and press "Enter" to delete infected files.You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.A text file will appear onscreen, with results from the cleaning process; please copy/pa... Read more

1 more replies
Answer Match 64.26%

My home page keeps going back to about:blank. It's driving me nuts. Whenever I go to internet tools and change the settings back, it changes right back on it's own. Any help?
 

A:Home Page Hijacked

Welcome to TSG!!
Create a permanent folder on your hard drive for Hijackthis, like My Documents\HJT
Click on this link: http://www.spywareinfo.com/~merijn/files/HijackThis.exe and download hijackthis. Save the file into the folder you have created.

Scan your machine, then click on Save Log.

Post a copy back here and someone will be happy to review it.

Don't make any changes until instructed to do so.
 

2 more replies
Answer Match 64.26%

HI! I am a new member and need your help! My homepage has been hijacked with about:blank. I have tried several spyware removal programs but to no avail. I ran hijack this and have listed the log below. I have reviewed the many other postings about this annoying problem, but want to be sure that my situation isn't any different than the other postings. Can you please help? I am operating my PC with XP Professional. Thanks in advance! Logfile of HijackThis v1.99.1Scan saved at 9:06:16 AM, on 3/12/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\PROGRA~1\Iomega\System32\AppServices.exeC:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exeC:\Program Files\Norton Internet Security\NISUM.EXEC:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXEC:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Adaptec... Read more

A:Help with hijacked home page

I wouldn't be too sure of help..seems that us newbie's are sent to the back of the queue or overlooked.

Natalie

3 more replies
Answer Match 64.26%

My home page always gets hijacked by msn.com. Which is to say, msn.com forces itself to be my home page without my consent or approval.

How can I stop this from happening permanently?

Thanks for any tips.
 

A:home page hijacked by msn

If you are running a SpyWare Scanner.

Most SpyWare scanner use this a default page, and use msn.com as the default page when you click "yes" to fix the problem, it will also reset the home page to deafult.

Otherwise I don't know what it could be.
 

1 more replies
Answer Match 64.26%

After downloading ie8 my home page keeps changing to MSN.com with a second tab that is for the Bing web page. No matter how many times I have reset my home page each time I start my pc up it reverts back to this MSN & Bing pages. It also at the same time adds a bunch of MSN short cuts into my favorites. I am running Vista Home Premium. I have even shut off system restore and it still boots up with the Hijacking. If I go back to ie7 there is no more problem but as soon as I upgrade to ie8 the problem is back. I have run AVG, Ada-Ware, Spybot and Malwarebytes and nothing comes up. Below is the HijackThis log. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:28 AM, on 09/10/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program... Read more

A:Home page hijacked by MSN

Well I have been patient. I made some changes and so here is the problem with a different bent though.
After installing ie8 (completely) and assuring my home page was still what I wanted I shut my computer down for the night. Upon resarting I clicked on the Explorer button and the following came up http://www.google.com/toolbar/ie8/done.html I then went to my home page but noticed that google had placed things in my favorites folder so I deleted them. Off and on when ever I would go on the internet this same google page would come up. I then thinking it had something to do with ie8 and being very annoyed by it I uninstalled ie8. But the was surprised that I continued to get this google page every once in awhile of when staring my computer and then clicking on explore. I have gone into my registry and removed everything even closely related to either google or ie8 but I am still being hijacked by google. I have tried thre different anti virus programs and also some spyware programs but with no luck.
 

1 more replies
Answer Match 64.26%

My internet explorer hompage has been hijacked by "coolsearch". This is what jikackthis said...

Logfile of HijackThis v1.98.0
Scan saved at 10:33:35 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\BridgeDeCor.e... Read more

A:Someone help, PLEASE, hijacked home Page

6 more replies
Answer Match 64.26%

Hello,

I used to have Google as my home page but now I have something that I never asked for. The URL of this site is res://tnegb.dll/index.html#37049
On a separate matter my PC has recently started to take ages to load programs on startup(After entering my password) When it finally loads I get a number of dialogue boxes

1. sysnw32.exe has encountered a problem and needs to close. We are sorry for any inconvenience. Please tell Microsoft about this problem. Send / Dont Send

2. Neten32.exe has encountered a problem and needs to close. We are sorry for any inconvenience. Please tell Microsoft about this problem. Send / Dont Send

3. When I go on the Internet I get another dialogue box saying please wait while windows configures Microsoft office XP standard for students and teachers. It eventually clears but it never used to do this?

I have a firewall enabled and Norton anti virus 2002 running which I regularly liveupdate.

I suspect a lot of these problems have arisen because my wife has been using Kazaa over the last few months to download music.

I would be grateful if someone could help me to resolve these issues.
 

A:Home Page- Hijacked

14 more replies
Answer Match 64.26%

Hi,

I have a problem where everytime i open internet explorer it takes me to a page called home search and i cant change it back to my normal one, i have tried running adaware and it still does this.

thanks for your help
 

A:Home Page hijacked

7 more replies
Answer Match 64.26%

My home page was set to bestsecurityguide.com, and anytime I change it back to my original it doesnt work. Even in internet options my original homepage is listed. Also if I am on any other webpage and type in my original homepage it goes back to bestsecuirtyguide.com. Any help would be much appreciated, thanks. Here is my Hijackthis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Pane... Read more

A:Home Page Hijacked..

Welcome to TSF.

Please post your entire HijackThis log next time. You left out the header information which is always needed...

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.geekstogo.com/click...click.php?id=1 and save the file to your desktop.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet. NOTE: If you have Windows 9x/ME, you don't need to run Ewido (skip this step).

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of ... Read more

2 more replies
Answer Match 64.26%

Hi, you all were quite helpful to me a while ago when my computer was hijacked by search.exe. Well, now my husband's Dell is having problems. He cannot get his regular homepage to load, it loads this instead res://mshp.dll/index.html#37049 and it takes him to a Home Search page. He cannot figure out how to get rid of this. Should I have him d/l the Hijack this program? If so, please post instructions on what to do again. Thanks in advance for your help!!
 

A:Hijacked home page

Best to run HiJackThis and post a scan. Follow these steps:

First, create a folder in C:\Program Files and label it HiJackThis. This is where you will download the executable file. This is also the folder where your HJT backups will be stored. Click Here to download the file.

Close all windows, including this and any other browser windows. Launch HJT and click the Scan button. When the scan is finished, the Scan button will have changed to Save Log. Click that and save the log to your HJT folder. DO NOT CHANGE ANYTHING YET. Most of the listed items are harmless or even essential. Wait for recommendations from someone trained in HJT log file interpretation.

In the saved log file window... In the toolbar at the top of the window under Edit, select Select All. Copy (Ctrl+C) the text and paste (Ctrl+V) it into a reply in this thread.
 

3 more replies
Answer Match 64.26%

here is my hijack this log, this is the worst hijack i have saw, tried to get it myself, even put a program in my add remove programs but wont go away, home search assistent, well here it is thanks for the help

Logfile of HijackThis v1.97.7
Scan saved at 8:23:43 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\sysvj.exe
C:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Common Files\Symantec ... Read more

A:bad hijacked home page

7 more replies
Answer Match 64.26%

Hi guys

PLEASE can someone help me as its driving me mad! I've tried a few things but cannot sort it out. My homepage has been hijacked by securityfeature.com. Im sure you're all aware of this one! Can anyone tell me how I can get rid of this? I realise its something to do with registry keys so if anyone could give me an idiots guide to where I should loo and what to do...n i c e and s l o w...id be very grateful! Thanks, Jack

ps - I dont fancy downloading anything I have to pay for! ta

A:Hijacked Home Page

Welcome jackcornuto Please follow the instructions in this link, then post your HijackThis! log in the correct forum (included in the instructions).http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

1 more replies
Answer Match 64.26%

I use XP and my homepage is hijacted to a weird search engine..
your help will be greatly appreciated...
thanks in advance for your help..

Logfile of HijackThis v1.99.1
Scan saved at 10:41:50 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\clubbox.exe
C:\WINDOWS\system32\crak32.e... Read more

A:my home page is hijacked

Hello, and welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).



Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

dx8pdmoe.exe... Read more

1 more replies
Answer Match 64.26%

Help,

My internet home page has been taken over by a site name (http://www.securitynetpage.net/)
I can't get rid of it and pop ups are killing me.

I read the info you listed, however i am computer illiterate and can not figure it out.

I would appreciate any help possible.

Thank you,

Tom

A:Home Page Hijacked

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. In order to help you we need to see what's running on your computer.Click here to download HJTsetup.exeSave HJTsetup.exe to your desktop.Doubleclick on the HJTsetup.exe icon on your desktop.By default it will install to C:\Program Files\Hijack This.Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.Put a check by Create a desktop icon then click Next again.Continue to follow the rest of the prompts from there.At the final dialogue box click Finish and it will launch Hijack This.Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.Come back here to this thread and Paste the log in your next reply.DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

17 more replies
Answer Match 64.26%

I need help badly. My home page has been hijacked.
Here is my log.
Just let me know what I should do
Thanks

Logfile of HijackThis v1.98.0
Scan saved at 5:01:05 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\addje32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Solution Center\service.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\netxe32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jeff\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nopmr.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nopmr.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nopmr.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nopm... Read more

A:Please Help with My HIJACKED Home Page!

Good grief! What madness is this? What are all those .exes doing there?

This is a job for Spybot S&D, at the very least.

http://www.safer-networking.org/en/mirrors/index.html

Download from one of those mirrors, install, run, click 'Check for Problems', obliterate whatever is found, then post a new log.
 

2 more replies
Answer Match 64.26%

I have Windows 7 home premium installed on an HP PC and a pest named safesear.ch keeps hijacking Internet Explorer and Firefox. I have used every adware and virus removal tool I can think of, and still can't get rid of it. I turned Explorer on and off and now it is being hijacked by Google. Firefox is still being hijacked by safesear.ch. The home page box is grayed out in both browsers and in Internet Options on the Control Panel. I did a system restore and it went away for a while but came back. I did another system restore and it has done no good. I even went into the registry and changed the key as Microsoft suggested in one of their forums.This is driving me crazy. Do I have to reformat to get rid of this thing?Thank you for any suggestions.George

A:Home page hijacked

Welcome aboard   Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.Make sure the following options are checked:
Internet ServicesWindows FirewallSystem RestoreSecurity Center/Action CenterWindows UpdateWindows DefenderOther ServicesPress "Scan".It will create a log (FSS.txt) in the same directory the tool is run.Please copy and paste the log to your reply. Please download MiniToolBox and run it.Checkmark following boxes:Report IE Proxy SettingsReport FF Proxy SettingsList content of HostsList IP configurationList Winsock EntriesList last 10 Event Viewer logList Installed ProgramsList Devices (do NOT change any settings here)List Users, Partitions and Memory sizeList Restore PointsClick Go and post the result. Please download Malwarebytes Anti-Malware (MBAM) to your desktop.NOTE. If you already have MBAM 2.0 installed scr... Read more

1 more replies
Answer Match 64.26%

Hi there,

I'm having the same problem with the Coolbiz hijack.

Here's my Hijack This log - can someone tell me what i need to do?

Cheers,

JTintin

Logfile of HijackThis v1.98.2
Scan saved at 3:38:45 PM, on 26/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jamie\Application Data\x?ra?f.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGR... Read more

A:My home page has been hijacked

Hi jtintin

Welcome to TSG!

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It get's too confusing trying to address two different people's problem in the same thread and you may get overlooked.

Please continue in this thread.
 

2 more replies
Answer Match 64.26%

I have Windows 98 and Internet Explorer is my browser. I'm being plagued by that "about blank/search this" homepage hijacker. I have downloaded HijackThis and put it in a folder. Can you tell me what to do next? Do I need to create a log file? How do I do that? I'm not very computer savvy and I would really appreciate some help. Thanks.
 

A:home page hijacked

10 more replies
Answer Match 64.26%

I turned my computer on yesterday and my home page was gone.I had a blue screen with a yellow box telling me to install a AV program(Malware Protector 2008.I ran Malware Bytes Anti Malware,Super AntiSpyWare and AVG.Computer seems to work OK but how can I get rid of this screen and get my Homepage back?I could not do a system restore either.Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:18 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Micros... Read more

A:Hijacked Home Page

SDFix: Version 1.191
Run by james prechel on Fri 06/13/2008 at 11:04 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting
Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\core.cache(11).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(12).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(13).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(14).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(2)(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(3)(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(3).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(4).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(5).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(6).dsk - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 11:11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters... Read more

3 more replies
Answer Match 64.26%

Logfile of HijackThis v1.98.0
Scan saved at 11:31:40 AM, on 07/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\winwh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\netcx32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explor... Read more

A:Need Help Home Page Hijacked, Here Is Log

bump
 

1 more replies
Answer Match 64.26%

http://www.404ads.net:8000/redirect.php?q=...w%2Emsn%2Ecom%2F&u=9026D181C11F4477BD87BF8D64270FF3&r=fcyqhm&c=us&t=20041130161811is where I am directed, what is my solution - my first sweep in my hijack log did not yiled resultsCan anyone assist me?Icewater

A:need help with hijacked home page

Hi icewater,Sorry about the delay in responding to your post. If you are still requiring help please do the following:You are running HijackThis from a temporary folder. When run from a temporary folder, the backups HijackThis
makes may accidentally get deleted, so please put HijackThis into a permanent folder.
Full instructions on how to do this can be found here:Detailed Explanation
Brief instructions to create a permanent folder are:Click My Computer, then C:\In the menu bar, File->New->Folder.That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".Now you have C:\HJT\ folder. Put your HijackThis.exe there.Run HijackThis, click on the scan button
Click on the Save Log button and save the log.
Notepad will open with a copy of the logfile.
Right click, select all, right click, select copy.
Come the this thread use the Add Reply button and right click & paste the contents into the reply box.
Click the Add Reply button to complete your post.

1 more replies
Answer Match 64.26%

My Home Page has been hijacked and I'm not sure how to solve the problem.

My Home page goes to a "Internet Security" page that is trying to sell me 1 of 3 programs:
Pest Trap
Malware
Spy Guard

I have not purchased any of the 3.

Any advice?

From reading some other members I already went to hijack this and got the following log.

Logfile of HijackThis v1.99.1
Scan saved at 5:47:07 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program File... Read more

A:Home Page Hijacked

11 more replies
Answer Match 64.26%

Hi, could you please check this new HJT log and tell me which programs to remove? I'm having problems matching up the programs to remove from my first HJT I posted yesterday. Thanks so much!

Logfile of HijackThis v1.98.2
Scan saved at 7:36:35 AM, on 8/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CREATIVE\SHARED FILES\CAMTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WEBSHOTS\... Read more

A:New HJT log for hijacked home page.

What have you done so far? Ad-Aware, Spybot, CWShredder, etc....
 

3 more replies
Answer Match 64.26%

Please help my home page has been hijacked. This is a copy of the log.Logfile of HijackThis v1.99.1Scan saved at 1:26:02 PM, on 3/31/2005Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\hidserv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exeC:\WINNT\system32\regsvc.exeC:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exeC:\WINNT\system32\MSTask.exeC:\WINNT\system32\stisvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\svchost.exeC:�... Read more

A:Home Page hijacked

Download cwshredder 2.12 from here:http://cwshredder.net/bin/CWShredder.exeRun the file after it is downloaded and click on the fix button. Let it do its thing and when its done, even if it crashes.When its done run hijackthis again post a new log

1 more replies
Answer Match 64.26%

Hi, the usual seach page issue

Logfile of HijackThis v1.97.7
Scan saved at 12:58:00 AM, on 11/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\PAVSRV50.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\acoustic.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\SpyHunter\SpyHunter.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\iis5.log:rbeqw
C:\WINNT\winek.exe
C:\Documents and Settings\Administrat... Read more

A:IE home page hijacked

7 more replies
Answer Match 64.26%

Hello,
My home page has been hijacked and comes up as www.selfsearch.biz. At the bottom of this page is a 'support' link to supposedly remove, but using it fails. This site can not be found in programs nor anywhere that I can think to look. I have used spybot to no avail. Please assist.
Thanks
-Dean
 

A:Hijacked Home Page

Go here http://tomcoyote.com/hjt/ and get install and run Hijack this; Create a HijackThis folder in [C:] and extract the download zip file that folder; Run HJT Generate a log and post it here. There's full instructions on that website.
 

3 more replies
Answer Match 64.26%

My home page keeps reverting back to some dodgy search engine. I've used Ad-aware, S&D and AVG so far so it's a lot better than it was.

Could someone have a look at the log and advise on what can be zapped......

Logfile of HijackThis v1.99.0
Scan saved at 08:55:42, on 12/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\lotus\wordpro\ltsstart.exe
C:\lotus\smartctr\smart... Read more

A:Hijacked Home Page

6 more replies
Answer Match 64.26%

I can't seem to get my home page back. I have run a full system scan with ad-aware (most recent version) and hijackthis (v1.98.2). Hijack this finds the bad boy and fixes it, and the first time I go to IE it's correct, but every subsequent time I go into IE it's been hijacked again. I think I'm missing something. A little help here?
 

A:home page hijacked....again

11 more replies
Answer Match 64.26%

I cannot get rid of this URL from my home page!

res://mshp.dll/index.html#37049

How do I get rid of it via the registry?

Any help would be greatfull
 

A:I Home Page is hijacked

Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch.
 

2 more replies
Answer Match 64.26%

my home page (normally msn.ca) is now (sympatico.msn.ca/) and i cannot
change it back using Internet Explorer Tools. I am attaching a Hijack this
log. Any help would be greatly appreciated
 

A:home page hijacked--please help

Close all windows, restart Hijack this and put a check mark against the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=1009
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=1009
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
O1 - Hosts: <!-- saved from url=(0031)http://everythingisnt.com/Hosts -->
O1 - Hosts: <HTML><HEAD>
O1 - Hosts: <META http-equiv=Content-Type content="text/html; charset=windows-1252">
O1 - Hosts: <META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
O1 - Hosts: <BODY><PRE># This Hosts file has been altered to block ad servers.
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Click Fix Checked

Restart your computer

Now try
 

2 more replies
Answer Match 64.26%

can anyone help me my home page is being hijacked in other words i get another page rather than the one i want i have run hijack this and fixed the offending item but it keeps returning as a different home page.
 

More replies
Answer Match 64.26%

After running HijackThis this is what came up. I followed instructions, clicked on Fix Checked box, all the problems were fixed. I exited out of HijackThis and Internet Explorer. Upon reentering Internet Explorer the home page that hijacked my computer comes up again. I ran HijackThis again and the same infected files come up again, (keep in mind I supposedly fixed the problem the last time I ran Hijack This). This obviously isn't working. I tried to reset web settings but that doesn't work. I ran Spybot, SpyFerret, AdAware and Norton but the problem is still not fixed. Please help.

Logfile of HijackThis v1.98.2
Scan saved at 8:11:35 PM, on 9/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crqg.exe
C:\WINDOWS\Nh... Read more

A:Home page hijacked, pop-ups from "Only the Best"

The first thing I need you to do is download the file from here:Getservices.zip - Get list of XP/2000/NT ServicesExtract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post along with a brand new hijackthis log.

3 more replies
Answer Match 64.26%

Plus, there's an entry in my startup that won't allow me to delete it: winlogin
So, since I've just crawled out of the newbie phase, I thought I'd post HiJackThis, and hope someone with a little sophistication can tell me how to get rid of the hijacker from my son's computer (it aint mine). Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 1:19:06 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program FIles\TraySaver\TraySaver.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\program files\steam\steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\DivX.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Luke\Application Data\muhr.exe
C:\WINDOWS\System32\wapisvcc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Window~1\SOM913\hxdef073.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Luke\Desktop\LINUX\HijackThis.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System... Read more

A:Home Page Being HiJacked

First, I'd run both spybot ( http://www.safer-networking.org ) and ad-aware ( http://www.lavasoftusa.com ). After that, if the problem doesn't go away, post your HJT log again..
 

3 more replies
Answer Match 64.26%

Hello every time i turn my computer on the home page sets it self to zestyfind.com
Any help would be greatly appreciated.
Thanks
Here is my log i have ran spybot and cwshedder.
Logfile of HijackThis v1.97.6
Scan saved at 12:41:01 PM, on 1/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gloria\Local Settings\Temp\Temporary Directory 41 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Mic... Read more

A:home page hijacked???

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

CWshredder from http://www.merijn.org/cwschronicles.html
Spybot - Search & Destroy from http://security.kolla.de
AdAware 6

then
Run CWSHREDDER, check you have the current version 1.47.0 if not press check for update and let it update
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
the patches are :
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
*Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"

then reboot &
Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and... Read more

1 more replies
Answer Match 64.26%

here is my log what do i need to get rid off, thanks

Logfile of HijackThis v1.97.7
Scan saved at 7:29:55 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Documents and Settings\PJ O'Laughlin\Application Data\wnos.exe
C:\WINDOWS\Syste... Read more

A:hijacked home page

First obtain and run the CoolwebShredder (CWShredder.exe) from the site below:

http://www.spywareinfo.com/~merijn/downloads.html

Have it "fix" any problems it detects.

Then run Hijackthis and check any of these entries which remain, close all browser windows, and select "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)

O4 - HKLM\..\Run: [sys] regedit -s sysdllwm.reg

O4 - HKCU\..\Run: [Meor] C:\Documents and Settings\PJ O'Laughlin\Application Data\wnos.exe

^^ suspicious, if you can't vouch for it check and and fix it, then after rebooting delete the file

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe

^^ adware, after rebooting delete this and other bolded files.

Post another Scanlog when ready.
 

1 more replies
Answer Match 64.26%

Hi,

I'm kind of a beginner. I've succeeded in aquiring some type of a hijacker. I've tried to run Spybot and Adaware. Then i run Hijack This and delete the obvious R1 values (search page, search assistant, main default), but when I restart and open IE, the home page is hijacked again (pointing to about:blank) but the page appears to be some type of search engine.

I really don't know what to do. I must be missing something. Please help. Here is the log of my HijackThis scan. Note: I've tried to delete the first 8 R1 values listed on the scan, but they return when I re-launch IE. I have left them here so that you might better be able to help.

Logfile of HijackThis v1.97.7
Scan saved at 7:04:57 PM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\... Read more

A:Home Page Hijacked, need help

9 more replies