
home page problem

Status
Not open for further replies.

inusrat

Programmer
Feb 28, 2004
308
CA
Hi,

I don't know how to get rid of this problem. I changed my home page in IE, but when I open the browser it goes back to this website's home page. Sometimes when I try to hit a website, instead of getting there I get this page saying "Your computer vulnerable try our spyware product".

I don't know where they have downloaded a file which keeps doing it. I ran Ad-Aware and also deleted all the cookies, but still the same problem. It is only happening in IE, not in NS.

Thanks

 
You need more than just Ad Aware these days. Have a look at the spyware/hijacking FAQs in this forum.

Or download HiJack This (there are links in the FAQs of this forum), close all browser windows and email, run HiJack This, don't fix anything unless you know exactly what you're fixing, then post your HJT logfile back here for one of the many qualified eyes to view and advise you on what to remove.

There are many links in the FAQs of this forum on how to minimize your risk after cleanup as well.

good luck,

Jeff

MCSE,CCNA,ASE
 
Oh and whatever you do don't click anything on the page saying your computer is vulnerable, etc...that's probably more problems waiting to happen...

Jeff

MCSE,CCNA,ASE
 
It has come to a point that no matter what URL I type in I get the page saying "Access to this site is not allowed!
This is because your PC infected by Spyware!!!
Click here for Spyware Remover". I guess I will have to use NS to download HiJack .........

 
This sounds like a coolweb search problem.

You should go through step 3 of faq608-4650 before posting a hijackthis log.



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
If you are using Windows XP:
Download Registrar Lite here:
Install it and then launch reglite.
Navigate to:
HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
You should see a key called Appinit_DLLs there.
Double-click on it, and if you see a DLL in the value, this is more than likely your problem. Write down the name of that DLL.
It is more than likely invisible in the system32 folder.
To get rid of it you need to boot to the Recovery Console.
To do this, insert your Windows XP CD and boot to it.
After you get the 3 choices "Install", "Repair", "Exit":
Hit "R" for repair.
Then when you are in the Recovery Console choose "1".
If you have an admin password, put it in ... if not, just hit Enter.
Then you will want to go to the system32 folder ... to do this type cd system32 if you see the prompt C:\windows or C:\winnt ... if you don't see either of the prompts, type cd windows or winnt depending on what your system root directory is.
When you are in the system32 folder type dir ... the space bar will page down a full page (this is faster).
If you see the DLL that was in the Appinit_DLLs value, hit Escape to bring the prompt back.
Now type "attrib -r nameofthedll.dll" (this being the name of the DLL you saw in the value of Appinit_DLLs).
This will remove the read-only attribute.
Now you want to delete it.
To do this type "del nameofthedll.dll".
Now reboot to Safe Mode. To get to Safe Mode hit F8 a couple of times before you see the Windows XP splash screen.
Choose Safe Mode.
Open up reglite again, go to the Appinit_DLLs key, double-click it, delete the value inside it and hit Apply. Now run Ad-Aware and Spybot. Then run HijackThis and delete the R1 and R0 values if they do not look familiar to you or are not a link to the manufacturer of your computer. Then, through the Control Panel, go to Internet Options and change the home page to whatever you want. When you are finished with these steps, reboot your computer to regular mode and the hijacker should be gone.
I hope this helps
Art
 
OK, I researched this a little more. It seems to be an older hijacker. Download CWShredder from under spyware tools. Then reboot your computer to Safe Mode.
Run CWShredder and see if this helps you. Also, to get rid of the ehttp.cc prefix you need to change a registry value.
Delete registry values:
Browse to 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ URL \ DefaultPrefix'
Replace ' with '
also see if this key is in there
'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run \ AddClass'
if it is:
Delete value 'AddClass'
or
Hkey_Local_Machine \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run \ Addclass
Delete this value also if it exists

Search for addclass.exe and if it is found on the hard drive delete it
if your hijackthis has entries like this:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
O1 - Hosts: 66.118.163.109 auto.search.msn.com

O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE

O13 - DefaultPrefix: O13 -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -

O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)

Check the items I quoted above in HijackThis, close all windows except HijackThis and click Fix checked.
Search for my.css or what ever might be in the user stylesheet section of hijackthis and delete it.
I hope this helps
Art
 
Thanks for your detailed message. I am actually using Windows 2000 Server. I don't know if the instructions you mentioned for XP will work for W2K Server. I scanned my machine with some software which are not free; they all mentioned I have spyware on my machine. I don't know, if I buy one, which one I should buy. I have Ad-Aware. Ad-Aware 6.0 tells me there is no spyware left. I ran HijackThis and it tells me the following.

Logfile of HijackThis v1.97.7
Scan saved at 2:00:32 PM, on 9/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Administrator\Application Data\csro.exe
C:\WINNT\system32\?hkntfs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\system32\dllhost.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = (obfuscated)
N3 - Netscape 7: user_pref("browser.startup.homepage", " (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\uwchvhpc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\uwchvhpc.slt\prefs.js)
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Iawr] C:\Documents and Settings\Administrator\Application Data\csro.exe
O4 - HKCU\..\Run: [Smu] C:\WINNT\system32\?hkntfs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O13 - DefaultPrefix:
O13 -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 
Run CWShredder
then:
Delete the following entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = (obfuscated)
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O13 - DefaultPrefix:
O13 -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab

I am not sure what these 2 entries are
O4 - HKCU\..\Run: [Iawr] C:\Documents and Settings\Administrator\Application Data\csro.exe

O4 - HKCU\..\Run: [Smu] C:\WINNT\system32\?hkntfs.exe
If you don't need them, remove them.

Reboot then delete the folder where this is located
C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
then delete x.cab, dpe.dll
Go to the Control Panel and then Internet Options and change your homepage back.

Browse to 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ URL \ DefaultPrefix'
Replace ' with 'unless it is already http://

I hope this helps
Art
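The triage Art applied to that log can be written down as a small check. The Python below is an added example, not code from the thread or from HijackThis: it runs over constructed HijackThis-style lines modelled on the entries quoted above and flags obfuscated R0/R1 values, unnamed BHOs, autoruns from a profile data folder or with an unrenderable character in the filename, a DefaultPrefix other than http://, and a DPF installer sourced from a local file. The allowlist and the ehttp.cc prefix value are assumptions.

```python
import re

# Constructed HijackThis-style sample lines modelled on entries quoted in this thread.
# The DefaultPrefix value is an assumed stand-in for the ehttp.cc prefix the reply mentions.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [Iawr] C:\Documents and Settings\Administrator\Application Data\csro.exe
O4 - HKCU\..\Run: [Smu] C:\WINNT\system32\?hkntfs.exe
O13 - DefaultPrefix: ehttp.cc/
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
"""

# Assumed allowlist: unnamed BHOs known to be legitimate on this box (Spybot's SDHelper).
KNOWN_GOOD_BHO = {"sdhelper.dll"}

def triage(log_text):
    """Return (section, reason, line) for each entry a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("R0", "R1") and line.endswith("= (obfuscated)"):
            findings.append((section, "obfuscated IE start/search URL", line))
        elif section == "O2" and "(no name)" in line:
            dll = line.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_GOOD_BHO:
                findings.append((section, "unnamed BHO not on allowlist", line))
        elif section == "O4":
            path = line.split("] ", 1)[-1]
            exe = path.rsplit("\\", 1)[-1]
            if "application data" in path.lower():
                findings.append((section, "autorun launched from a profile data folder", line))
            elif not re.fullmatch(r"[\w.\-]+", exe):
                # HijackThis prints '?' for characters it cannot render (e.g. ?hkntfs.exe).
                findings.append((section, "autorun filename has an unrenderable character", line))
        elif section == "O13" and "DefaultPrefix:" in line:
            value = line.split("DefaultPrefix:", 1)[1].strip()
            if value and value != "http://":
                findings.append((section, "URL prefix rewrites bare hostnames", line))
        elif section == "O16" and "file://" in line.lower():
            # Local .cab installers are unusual; confirm first (here x.cab belongs to IIS).
            findings.append((section, "ActiveX installer sourced from a local file", line))
    return findings
```

Flagged entries are leads to verify, not a delete list; the x.cab finding is exactly the kind Art later withdrew once IIS was accounted for.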
 
I deleted all the files that you mentioned, except the following.

you said
"Reboot then delete the folder where this is located
C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL"

I could not find the file ADVANC~1.DLL, but there is a folder C:\PROGRA~1\ADVANC~1\, and it has the following. Do you want me to delete the whole "ADVANC~1" folder??

Directory of C:\PROGRA~1\ADVANC~1

09/26/2004 09:41a <DIR> .
09/26/2004 09:41a <DIR> ..
07/23/2003 03:45p 181 addtolist.js
04/06/2000 09:09p 73,785 atl.dll
12/19/2003 11:40p 35 BAR.INI
10/28/2003 01:10a 13,494 BAR2.BMP
09/24/2004 01:07p 32,457 BARINFO.DLL
07/23/2003 03:45p 948 beep.wav
07/23/2003 03:45p 1,408 bloop.wav
03/12/2004 02:20a 362 help.txt
02/19/2004 12:16p 157,184 HomePageProtect.exe
09/24/2004 01:07p 10,483 INSTALL.LOG
07/23/2003 03:45p 555,008 Jammer.exe
12/06/2001 04:21p 21,180 sound.wav
08/27/2001 05:19p 54,272 ssl.exe
02/14/2004 03:37p 14,336 unlock.exe
07/26/2002 05:02p 153,088 UNWISE.EXE
15 File(s) 1,088,221 bytes
2 Dir(s) 28,469,682,176 bytes free



You said
"then delete x.cab, dpe.dll"
I did search for dpe.dll but could not find it.
I found x.cab, but when I clicked on it and winzip got launched, I don't think I should delete it?

You said
"Browse to 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ URL \ DefaultPrefix' "

How do you get there?
I used Windows Explorer and also ran a search for "HKEY_LOCAL_MACHINE", but I could not find any folder HKEY_LOCAL_MACHINE.

The things which I have already done look like they took care of the problem. Thanks. Please let me know about the above.

thanks




 
Sorry, I should have clarified a little more. It was very late when I wrote that post. I actually just noticed you have IIS, so don't delete x.cab. As for the other, dpe.dll, this might have been fixed already with CWShredder or the other spyware tools you have used on your system. Also, if you did not install Advanced Searchbar yourself, uninstall it. I can not really find any hard evidence of whether it is spyware or not. I installed it on one of my test systems and things seemed to run OK. I do not like the feature of Alexa search on it though :) I should have clarified myself when telling you to browse to the HKey_Local_Machine..... you need to use Regedit. To launch Regedit, click Start | Run, then type regedit and press Enter. Just check to see if the default prefix is set to if it is not, double-click (Default) and change the value to http://. Again, I am sorry I did not clarify this better in the previous posts (it was late and I was tired).
 