IE Browser home is redirected to wrong site

Status
Not open for further replies.
I have a machine running W98SE and IE6.0 SP1. The home button is redirected to mysearchmyway.com!

I have done the following with no luck!
virus scan
CWShredder
Spybot
Ad-aware

Posted is hijackthis.log - Any help would be greatly appreciated!!

Logfile of HijackThis v1.97.7
Scan saved at 10:02:27 AM, on 1/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\PSSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WUSER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WSASRV.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\IEDRIVER.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\HIHACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ptweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ptweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Airpax
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
F1 - win.ini: load=WUSER.EXE
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [iedriver] C:\WINDOWS\SYSTEM\IEDRIVER.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\REALMON.EXE -s
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Notify.lnk = C:\NOVELL\GroupWise\Notify.exe
O4 - Startup: GroupWise Notify.lnk = C:\NOVELL\GroupWise\Notify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=ptweb

Thanks,
MJM
 
Have you checked your internet settings and configured a new home page? Tools > Internet Options > Home page?
Have you updated the DATs for all of the applications that you used?

"Sometimes I do not know but I try hard"- R.F. Haughty 1923
 
Yes to both questions - also uninstalled and reinstalled IE
 
Have you run a search for the LMHOSTS and HOSTS files?
Just check what entries exist in them (you can open them in Notepad).
The domain name doesn't seem to exist (it's up for sale), so it seems very strange.
Have you the latest DATs for your antivirus scanner?
Does ptweb ring a bell with you?
If not, then delete these keys:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ptweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ptweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Airpax
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
O14 - IERESET.INF: START_PAGE_URL=ptweb

"Sometimes I do not know but I try hard"- R.F. Haughty 1923
 
Yes, I have looked at the hosts files; nothing looks strange in them.
Yes, the antivirus DATs are up to date.
PTWEB is our intranet and the home page default address.

 
I am stumped with this one!
I can't even see any information on mysearchmyway.com on any search engine.
Run a search on your hard drive for any files ending with *.hta or *.js. If you find any, open them in notepad or some other text editor and look for the URLs that you have been hijacked to. Any file with those URLs, delete them. Also delete all *.tmp files on your drive; some of them contain malicious code (for e.g. browser hijacks or malware (re)installations). Besides, deleting *.tmp files doesn't hurt, unlike dll's which are also used sometimes for this purpose.
Have you tried uninstalling desktop weather?
I am clutching at straws after this.
Also try disabling active x controls in internet explorer.

"Sometimes I do not know but I try hard"- R.F. Haughty 1923
 
Thanks Carr.
Wasn't too sure what that entry did.

"Sometimes I do not know but I try hard"- R.F. Haughty 1923
 
It is very normal to hijack to any page even if your computer is clean. There is no cure, but if you type a fully qualified URL, it will always work.

You can set the default URL in safe mode. Try it.
"Just a suggestion"
 
Thanks kippy13!

I found some .js files not in the Internet temp directory and deleted them, rebooted and things work fine now.
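
The file search suggested earlier in the thread (look through *.hta and *.js files for the hijack URL), written as a report-only sweep. This is an added example, not part of the original posts; the function names, the sample directory tree and the file contents are constructed for illustration, and only the domain comes from the thread.

```python
import os
import tempfile

SCRIPT_EXTS = {".hta", ".js"}            # file types named in the thread
CACHE_DIR = "temporary internet files"   # IE cache folder name, compared lowercase

def read_text(path):
    """Decode a script file; handles UTF-16 (with BOM) and 8-bit encodings."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")

def find_hijack_scripts(root, indicators):
    """Return sorted (relative_path, indicator, in_cache); nothing is deleted."""
    hits = []
    wanted = [i.lower() for i in indicators]
    for dirpath, _dirs, files in os.walk(root):
        in_cache = CACHE_DIR in dirpath.lower()
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                text = read_text(full).lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for ind in wanted:
                if ind in text:
                    hits.append((os.path.relpath(full, root), ind, in_cache))
    return sorted(hits)

def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not taken from the thread
            "WINDOWS/start.js": b"window.location = 'http://MySearchMyWay.com/';",
            "WINDOWS/Temporary Internet Files/a.js": b"var x = 1;",
            "WINDOWS/SYSTEM/page.HTA": "<a href='http://mysearchmyway.com'>".encode("utf-16"),
            "notes.txt": b"mysearchmyway.com",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_hijack_scripts(root, ["mysearchmyway.com"])
```

The `in_cache` flag separates ordinary browser-cache files from scripts sitting elsewhere on the drive, which is where the files that resolved this thread were found.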
 