Please help Home Page refuses to stick

  1. #1
    Join Date
    Sep 2003
    Location
    Iowa
    Posts
    10

    Please help Home Page refuses to stick

    Here is my situation,

    when I get on my user profile then on the internet there is a homepage that comes up that I don't want. (Global Finder.com)
    I have tried to remove it in these methods,

    1. restore internet defaults.
    2. use current
    3. use blank
    4. clean boot.
    the suggestions made on the Microsoft website on internet explorer.
    5. modified all the default web pages in regedit
    6. deleted all aspects of global finder off of the computer and regedit.
    7. Norton 2004 anti virus scan

    all which helped but as soon as I restarted the computer global finder was back.

    I have tried everything just short of a sledge hammer on this machine and don't know what else to do.
    I am a little more than irked at this point.
    I have spent well over 10 hrs trying to fix this.
    can anyone help me fix this ?

    thanks brad

  2. #2
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    brhunt3--Do you use a spyware detection program (like AdAware or SpybotS&D)? If not you should. A scan with either of them should find GlobalFinder and offer to delete it for you.
    AdAware
    http://www.lavasoft.de/support/download/
    SpybotS&D
    http://security.kolla.de/
    Or you could use HiJackThis
    http://www.spywareinfo.com/~merijn/
    Read the tutorial for this program
    http://www.spywareinfo.com/~merijn/htlogtutorial.html
    or, if you want help from others, you can post the scan log at the www.spywareinfo.com forum
    Last edited by Welshjim; September 10th, 2003 at 03:23 PM.
    Jim
    WIN7 Ultimate SP1 64bit, IE 11, NTFS,
    cable, MS Security Essentials, Windows 7 firewall

  3. #3
    Join Date
    Sep 2003
    Location
    Iowa
    Posts
    10

    help me

    Thanks for the help Jim, I have one more question. Here is the log from hijack this, do you see anything I should remove? I have already removed the most obvious things needed. thanks again brad

    here it is:

    Logfile of HijackThis v1.97.0
    Scan saved at 10:15:19 PM, on 9/10/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex...t2/tv_enua.exe
    O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.3dgreetings.com/Plugin/3D...gs/PlayerX.CAB
    O16 - DPF: {4F711283-1F7D-11D3-8193-00A0C9B62983} (GreetingX Class) - http://www.3dgreetings.com/Archive/PlayerX.CAB
    O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) - http://image.excite.com/sputnik/dyna...tionchange.dll
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://www.liveupdate.com/controls/getcab2.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...43/yacscom.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://dialxs.nl/exe/sextieners010.exe
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...ace/wtinst.cab
    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://www.3dgreetings.com/Plugin/3DGreetings/vroom.CAB
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/079a62849af0294...tzip/RdxIE.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.ichat.com/custom/nativeclient/msichat.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://my.nwc.edu/nps/portal/gadgets.../LocalExec.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...863.4914814815
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://usa-scripts.downloadv3.com/bi...ML_US_pack.cab
    O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp


    thanks again.

  4. #4
    Join Date
    Sep 2003
    Location
    Iowa
    Posts
    10

    grrrrr!

    per my reply above I restarted windows and global crossing was back. trying the next program now, that makes all three tried. Hope this last one works. Brad

  5. #5
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    brhunt3--
    "per my reply above i restarted windows and global crossing was back"
    Not clear which of the programs of the ones I suggested that you have run. And even if you have scanned with all of them, if you have not deleted anything, then you have not changed the presence of the Global Finder spyware.
    I am no expert on interpreting HiJackThis scan logs. That is why I suggested you post it on the spywareinfo.com forum. Or you can try your own interpretation using the HiJackThis tutorial
    http://www.spywareinfo.com/~merijn/htlogtutorial.html#r
    to which I also referred you.
    Just based on reading it, I would think that first R0 entry looks suspicious. And so does the O16 entry for dialxs.nl . The O16 entry
    http://207.188.7.150/079a62849af029...etzip/RdxIE.cab
    is associated with the spyware that Grokster carries with it. If you disable it, Grokster may no longer work, but I do not know if there is a connection between Grokster spyware and homepage Hijacking.
    But these are just guesses.
    However, to get to the root of the matter, I did some more searching at www.google.com on Global Finder and find that the fellow who wrote HiJackThis also offers a removal tool for the Global Finder hijack
    http://www.spywareinfo.com/~merijn/cwschronicles.html
    It seems Global Finder is a variant of CoolWebSearch. The tool (CWShredder) is near the bottom under epilogue. You really do not need to read the stuff that precedes, but it provides lots of background.
    Hope this does the trick.
    Run this removal tool. If it works, run HiJackThis again and tell us what differences you see in the new HiJackThis log. Then we will all know what the bad actors are.
    Last edited by Welshjim; September 11th, 2003 at 03:43 PM.
    Jim

  6. #6
    Join Date
    Sep 2003
    Location
    Iowa
    Posts
    10

    Yay!!!

    Hey Jim, I tried all three programs, and with the use of all three, I am happy to report that the global finder has been removed from my computer. Thanks again for all your help.

    brad

  7. #7
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    brhunt3--Glad to hear the good news. Would appreciate it if you would tell us what you did and/or run HiJackThis again and post the log as suggested at the end of my last post.
    Jim

  8. #8
    Join Date
    Sep 2003
    Location
    Iowa
    Posts
    10

    Here it is

    Well, it took using spybot to get rid of some and then hijack to get rid of some more and adaware to finish it off.

    here is my newest log.


    Logfile of HijackThis v1.97.0
    Scan saved at 2:52:18 PM, on 9/11/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\Tools_95\Register\REMIND.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\DBSERVER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kwof.com/
    F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\MEDIACOM\MIGCFG\PROGRAMS\AutoUpdate.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [Gravis AppAware Loader] C:\WINDOWS\SYSTEM\DBServer.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: Finish Installing....lnk = C:\WINDOWS\INF\unregmp2.exe
    O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - User Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - User Startup: Finish Installing....lnk = C:\WINDOWS\INF\unregmp2.exe
    O4 - User Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - User Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex...t2/tv_enua.exe
    O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.3dgreetings.com/Plugin/3D...gs/PlayerX.CAB
    O16 - DPF: {4F711283-1F7D-11D3-8193-00A0C9B62983} (GreetingX Class) - http://www.3dgreetings.com/Archive/PlayerX.CAB
    O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) - http://image.excite.com/sputnik/dyna...tionchange.dll
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://www.liveupdate.com/controls/getcab2.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...43/yacscom.cab
    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://www.3dgreetings.com/Plugin/3DGreetings/vroom.CAB
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/079a62849af0294...tzip/RdxIE.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.ichat.com/custom/nativeclient/msichat.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://my.nwc.edu/nps/portal/gadgets.../LocalExec.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...863.4914814815
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

    thanks again Brad
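
    An added example, not written by anyone in the thread: comparing a before and an after HijackThis log entry by entry, which is what the request to post a second log is for. The function names and the entry-line pattern are assumptions based on the lines shown in the two logs above; the sample input is a shortened excerpt of those logs.

```python
import re

# Entry lines as they appear in the thread's logs: "<code> - <detail>".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse(log_text):
    """Map a stable key -> (code, detail) for every entry line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, running-process paths, blanks
        code, detail = m.groups()
        clsid = CLSID.search(detail)
        if clsid:                      # BHO, toolbar, DPF: identify by CLSID
            ident = clsid.group(0).upper()
        elif code[0] in "RF":          # registry/ini value: identify by name
            ident = detail.partition(" =")[0]
        else:                          # everything else: the whole detail text
            ident = detail
        entries[(code, ident)] = (code, detail)
    return entries

def diff(before, after):
    """Return (removed, added, kept) lists of (code, detail) tuples."""
    b, a = parse(before), parse(after)
    removed = [b[k] for k in sorted(b) if k not in a]
    added = [a[k] for k in sorted(a) if k not in b]
    kept = [a[k] for k in sorted(a) if k in b]
    return removed, added, kept

# Excerpts of the two logs posted in this thread (shortened, URLs as posted).
BEFORE = r"""
Logfile of HijackThis v1.97.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://dialxs.nl/exe/sextieners010.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/079a62849af0294...tzip/RdxIE.cab
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kwof.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/079a62849af0294...tzip/RdxIE.cab
"""

if __name__ == "__main__":
    for label, rows in zip(("removed", "added", "kept"), diff(BEFORE, AFTER)):
        for code, detail in rows:
            print(f"{label:8}{code:4}{detail}")
```

    The "kept" rows are the ones to read closely after a cleanup, since they are the entries that none of the removal tools touched.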

  9. #9
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    brhunt3--Thanks. Interesting.
    I see you have TkBellExe running, courtesy of Real Player. See about half way down this page
    http://wireless.editthispage.com/2002/08/15
    Does not sound good. I am surprised the two spyware programs have not picked this up and the Grokster file I mentioned before.
    P.S. Interesting, too, that you have so many more Running Processes. Perhaps that is because you started up more programs in between the two HiJackThis scans.
    Jim

  10. #10
    Join Date
    Sep 2003
    Location
    Iowa
    Posts
    10

    Thanks again

    Thanks again Jim, I fixed them all. The tkbell thing says it will come back again when Real Player is used again, so I don't know how worried I am about it. thanks again Brad.

  11. #11
    Join Date
    May 2001
    Location
    USA
    Posts
    757
    This is Gator related junk.......spyware ... part of the GAIN network, you receive pop up ads and other nuisances along with it...& inserts ads into web sites that look like they're supposed to be there.

    Close all other browser windows.

    Put a check in the box next to:
    O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

    O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

    O4 - User Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

    O4 - User Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe


    click "Fix Checked". Reboot
    You should check in Add/Remove programs for Precision Time & Date Manager...& remove.
    Then check by going to C:\Program Files.......delete the PrecisionTime & DateManager folders if they are still there......(Gator related [*-deleted word-*] does an awful job of uninstalling.)

    An alternative to Precision Time, is the free atomic clock by world time server.
    http://www.worldtimeserver.com/atomic-clock/

    (*** Polite language only please *** - WSUA 3. a.)
    Last edited by discogail; September 13th, 2003 at 07:01 AM.
