-
January 1st, 2005, 06:34 PM
#1
Hijacked ?
OK, I don't know what happened out of the blue, but I keep reprogramming my MSIE home site as www.msn.com, and even just a minute later, after I close and reopen MSIE, my assigned home page goes back to http://uni--search.com/.
Who are these jerks and how do I destroy the "connection" that keeps hijacking my assigned home site ?
I have scrubbed everything with SpyBot S&D but that didn't change a thing .... I also have ZoneAlarm and AVG antivirus running.
Royally ticked off in VA,
- Dave
Last edited by stargazer777; January 1st, 2005 at 06:36 PM.
-
January 1st, 2005, 06:39 PM
#2
Hi, please download and update Adaware then run a scan.
Download Hijackthis from <<HERE>> download the self-extracting version.
Run a scan then copy and paste your log in this thread.
Who are you? Introduce yourself here
P3-450 powered by
Intel Core 2 Duo E6600
Gigabyte 965P DQ6
4 Gig Crucial Ballistix PC6400
Gainward Nvidia Geforce 7950GT
2X Western Digital Caviar 320GB SATA2
Soundblaster X-Fi XtremeMusic
Samsung SH-D162C DVD Rom
Lite-On SHM-165P6S DVDRW
Samsung 20" LCD Syncmaster 206BW
Thermaltake Kandalf VA9000SWA Tower
Tagan Dual Engine 700W PSU
XP PRO SP3/Windows 7 64-bit
--------------
Samsung NC10 2GB Ram
Windows 7 32-bit
-
January 1st, 2005, 06:47 PM
#3
Thank you, P3-450 .... Hijack This found and fixed 3 items containing the name of the offending site. I had Hijack This "fix" them, and now MSIE keeps the home site I assign. Great little prog there ....
- Dave in VA
-
January 1st, 2005, 06:49 PM
#4
Great
If you want you can paste your Hijackthis log here and I could take a look at it for you, just in case there is anything else there that needs removing.
-
January 1st, 2005, 06:50 PM
#5
Spoke too soon ... sigh
Uh-oh ..... I spoke too soon. The offending site I mentioned IS appearing again when I fire up MSIE. Going to try Hijack This again, and also Ad Aware .... sigh
P.S. As an afterthought, I reassigned my usual home site to MSIE and then *rebooted*, but that didn't help either ... it's still going back to that &%@$#%$@ site
- Dave
Last edited by stargazer777; January 1st, 2005 at 07:04 PM.
-
January 1st, 2005, 08:02 PM
#6
Please post your Hijackthis log.
-
January 2nd, 2005, 04:09 AM
#7
UPDATE:
Installed and ran AdAware, didn't see offending site listed on Critical List, but still deleted many .... STILL no change, STILL getting that stupid &@^#%$^@ site ...
- Dave
-
January 2nd, 2005, 04:14 AM
#8
Hi all,
Sorry ... in my extreme frustration, I forgot to post the AdAware log file ..... here it is, attached ....
By the way, I have instructed both Spybot S&D *and* AdAware to delete the items containing the name of the offending site, and somehow they manage to reappear again !! GRRRRRRRRR ....
- Dave
Logfile of HijackThis v1.99.0
Scan saved at 5:45:38 PM, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\Logi_MwX.Exe
C:\WINDOWS2\System32\WService.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS2\System32\devldr32.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS2\System32\IETie.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS2\Downloaded Program Files\SbCIe02a.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS2\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.47/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
-
January 2nd, 2005, 04:18 AM
#9
stargazer777. We ask that hijackthis logs not be attached to posts. http://discussions.virtualdr.com/sho...hreadid=179233
I have taken the liberty of posting it correctly for you.
-
January 2nd, 2005, 04:18 AM
#10
OK, I screwed up .... when I edited the last message, I didn't realize I would "lose" the attachment. Here is an "instant replay", with attachment included ....
------------------------------------------------------
Hi all,
Sorry ... in my extreme frustration, I forgot to post the AdAware log file ..... here it is, attached ....
By the way, I have instructed both Spybot S&D *and* AdAware to delete the items containing the name of the offending site, and somehow they manage to reappear again !! GRRRRRRRRR ....
- Dave
Last edited by stargazer777; July 10th, 2008 at 04:20 PM.
-
January 2nd, 2005, 04:20 AM
#11
Sorry, Crunchie ..... two screwups in 5 minutes, must be a record ... Anyway, my heart was in the right place, just not my brain .... sigh
Well, it IS 3:20 AM .... heh .....
- Dave
-
January 2nd, 2005, 04:27 AM
#12
Cool. It's 4.20 PM here. BTW. I deleted the original attachment after I pasted your log in.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS2\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS2\web\related.htm
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?
Reboot and post another log. If you are still awake.
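Added example (not part of the original thread, and not HijackThis's own code): a small Python parser for the log format posted above. It flags Internet Explorer page values that point at an unexpected host and add-on entries whose file is missing, then compares two scans to show which flagged entries came back after a fix. The `msn.com` allowlist is taken from the poster's stated home page; `SCAN_2` and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed input: a handful of lines copied from the log posted in this thread.
SCAN_1 = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS2\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
"""
# Constructed: the thread never shows a second log; this models "it came back".
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")  # section code, then entry body
R_BODY = re.compile(r"^[^,]+,(?P<value>[^=]+?) = (?P<data>.*)$")
ABSENT = re.compile(r"\((file missing|no file)\)\s*$")

def parse_log(text):
    """Return (code, body) pairs; header and process-list lines are skipped."""
    hits = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]

def triage(entries, expected_hosts):
    """Flag IE page values on unexpected hosts and add-ons whose file is gone."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            m = R_BODY.match(body)
            host = urlparse(m.group("data")).hostname if m else None
            ok = host is None or any(host == h or host.endswith("." + h) for h in expected_hosts)
            if not ok:
                findings.append((code, m.group("value"), "unexpected host " + host))
        elif code in ("O2", "O9") and ABSENT.search(body):
            # A stale registration worth cleaning up; not proof of malice by itself.
            findings.append((code, body.split(" - ")[0], "target file absent"))
    return findings

def reappeared(before, after, expected_hosts):
    """Findings present in both scans, i.e. a fix that did not stick."""
    later = set(triage(parse_log(after), expected_hosts))
    return [f for f in triage(parse_log(before), expected_hosts) if f in later]

if __name__ == "__main__":
    for finding in reappeared(SCAN_1, SCAN_2, {"msn.com"}):
        print(finding)
```

A flagged value that shows up in both scans means something on the machine is rewriting it, so the remaining autorun, BHO and service entries are the next place to look.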
-
January 2nd, 2005, 12:17 PM
#13
Crunchie (and all) -
I followed your instructions in your previous post. Then I did another virus scan, and came up with the items in the screen shot (attached to this post). Right clicking and asking for details brought up info which indicated that this item (the first of the three) DOES INDEED change the MSIE home page.
HOWEVER, I cannot figure out how to get rid of this garbage. AVG AntiVirus does not seem to offer a "fix" option, and does NOT seem to indicate that it fixed or quarantined anything. Any ideas ?
- Dave
Last edited by stargazer777; July 10th, 2008 at 04:20 PM.
-
January 2nd, 2005, 12:47 PM
#14
Try this.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel > Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.
Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Empty the Recycle Bin.
Please go here & install ALL critical updates required for your system.
-
January 2nd, 2005, 04:53 PM
#15
Well, thank you for the comments and ideas. I followed what you said, including the .TMP files. I also followed the idea of another site that recommended searching for .HTA files and moving them to a different folder.
I have repeatedly cleaned out temp files, cookies, etc. and also questionable History items. I have run half a dozen spyware/adware/trojan/hijacker finder/eradicator programs and STILL this stupid homepage keeps putting itself back.
I wouldn't care so much if it were easy to remove, but whoever programmed this little demon has a truly demented mind.
I am about to give up, wipe my C: partition and reinstall WinXP