Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE homepage resetting?


  • This topic is locked This topic is locked
7 replies to this topic

#1 NavaiyanSmurf

NavaiyanSmurf

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 01 June 2004 - 01:58 PM

Can someone tell me how to fix the problem of a resetting homepage for IE. I was hit by a virus, I had downloaded Spyware, that had fixed most of the problem, but my homepage continues to reset itself to a general info&sales webpage after shutdown or restarting my computer. Help.

:thumbsup:

Edited by NavaiyanSmurf, 01 June 2004 - 02:03 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:28 PM

Posted 01 June 2004 - 02:27 PM

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 NavaiyanSmurf

NavaiyanSmurf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 02 June 2004 - 03:52 PM

How do I know I can trust you?

#4 NavaiyanSmurf

NavaiyanSmurf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 02 June 2004 - 03:58 PM

Logfile of HijackThis v1.97.7
Scan saved at 5:01:59 PM, on 6/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
C:\WINNT\system32\objsel.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://mshp.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F724F2E-98B6-4378-97A9-1A1A8685652E} - C:\WINNT\mrhop.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINNT\winst\winst32.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINNT\system32\StopzillaBH0.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINNT\ienp\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINNT\winst\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hdocvws] C:\WINNT\system32\hdocvws.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [objsel] C:\WINNT\system32\objsel.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD9EEB01-C492-456D-8C7D-C7ED245A1A05}: NameServer = 205.188.146.146

#5 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 02 June 2004 - 04:22 PM

Step 1: Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory like c:\cwshredder. We will use it later on.

Step 2: I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://mshp.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {3F724F2E-98B6-4378-97A9-1A1A8685652E} - C:\WINNT\mrhop.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINNT\winst\winst32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINNT\ienp\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINNT\winst\msiesh.dll
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [hdocvws] C:\WINNT\system32\hdocvws.exe
O4 - HKCU\..\Run: [objsel] C:\WINNT\system32\objsel.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories
C:\WINNT\twaintec.dll
C:\WINNT\mrhop.dll
C:\WINNT\winst\
C:\WINNT\ienp\
C:\WINNT\image.dll
C:\WINNT\alchem.exe
C:\WINNT\sysupd.exe
C:\WINNT\system32\hdocvws.exe
C:\WINNT\system32\objsel.exe

Step 3: Now run the cwshredder.exe program that i had you download previously. Make sure all windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should reboot your computer to go back to normal mode and post a new log.

#6 NavaiyanSmurf

NavaiyanSmurf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 06 June 2004 - 01:17 PM

Thank you for the additional help, but I am having another issue. The link that you had supplied does not work. The page cannot be found according to my service provider.

Can you supply me with another link?

Edited by NavaiyanSmurf, 06 June 2004 - 01:17 PM.


#7 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:08:28 PM

Posted 06 June 2004 - 01:40 PM

oops i what link were you looking for
or which one wasn't working for you

Edited by Lobos, 06 June 2004 - 01:43 PM.

<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD

#8 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:06:28 PM

Posted 06 June 2004 - 01:46 PM

I found out what link wasn't working try this one


Click here to down load CWShredder by Merijn Bellekom, the creator of Hijack This
<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users