
Can't Change Homepage


4 replies to this topic

#1 MasterC

MasterC

  • Members
  • 2 posts

Posted 18 August 2006 - 02:18 AM

Hi, just wanted to start by saying I am new to the forums yet have used them for many things in the past. I am an IT major going to ITT Tech, 3 months away from my associate's in CNS. So I do understand technical terms to a decent extent.

As for the problem, I will start by saying what I have done recently in hopes that I can get this one fixed. Last night, somehow, surfing around the net I got hit by SpywareQuake. I started removal by running Adaware and Searchbot SD and Norton antivirus. That seemed to get rid of some of it, but I was still having a lot of pop-ups, a hijacked homepage and programs running with alerts. I searched this forum and found this topic… http://www.bleepingcomputer.com/forums/lof...ndex.php/t47826 and followed the automatic removal steps very carefully. I successfully removed all traces of the virus/spyware and the check from the website scan came up clean.

Now on to the problem.

Before I was hit by this problem, my fiancé told me that she could not change her homepage away from http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome. After resetting all the internet options real quick I still could not change it on HER desktop. Mine was set to www.google.com and I never really tried to change it after she brought the problem to my attention, so I do not know if I could change it or not before I got hit by the virus. The virus removal tool, I suppose, did a forced reset on all Internet Explorer options, because when I logged into my desktop after doing the steps my background was blue and all my internet options were set to normal. Now I can't change my home page back to google.com.

After reading a few topics I have done the following… reset internet options and deleted all cookies, temp files and history. Ran hijack this and removed anything that looked remotely off. Checked spybot, adaware and Norton for any setting that could have prevented me from doing this change. Looked in the registry but could not find the Internet Explorer folders, oddly. (Could have been looking in the wrong place.) None of these steps worked. I have seen others with this problem so I don't know what it could be.

The following is my hijack this log file. Please help as I am completely stumped. If you need more info please let me know.

Logfile of HijackThis v1.99.1
Scan saved at 3:15:58 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\CopperHead\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Razer\CopperHead\razertra.exe
C:\Program Files\Razer\CopperHead\razerofa.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\MasterC\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\CopperHead\razerhid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139385860046
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Thanks Again in advance to all those that lend a hand...



#2 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 19 August 2006 - 12:38 AM

Hello MasterC,

We are currently studying your log and will be back to you as soon as possible. Thank you for your patience.

Regards,

Rosty.
Proud member of ASAP since 2007

#3 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 20 August 2006 - 07:11 AM

Hi MasterC, and welcome to BleepingComputer.
My name is Rosty and I'm going to help you with your log.

[quote]Ran hijack this and removed anything that looked remotely off[/quote]

Can you please tell me what you have removed?

[quote]Last night somehow surfing around the net I got hit by SpywareQuake.[/quote]

Seems that this one is already gone. Are you still receiving taskbar security warnings?

[quote]Now I cant change my home page back to google.com.[/quote]

Please do the following steps:

To change the Home page, open Internet Explorer
Go to Tools > Internet Options
In the Home Page Address box, enter an address, such as:
http://www.msn.com/ or http://www.google.com or the homepage you want
Press: Apply
Press: OK

Next, update Java!

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Please let us know how it went!

Kind regards,

Rosty.

Edited by Rosty, 20 August 2006 - 12:30 PM.

Proud member of ASAP since 2007

#4 MasterC

MasterC
  • Topic Starter

  • Members
  • 2 posts

Posted 27 August 2006 - 10:34 PM

[quote]
[quote]Ran hijack this and removed anything that looked remotely off[/quote]
Can you please tell what you have removed?
[/quote]

I don't remember offhand, but I did however open up my backups with Notepad and view their contents; here they are copy/pasted...

O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll <---this is part of the files that gave me Spyquake---must have been left over from removal
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll (file missing) <---this is part of the files that gave me Spyquake---must have been left over from removal
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) <---no idea what this is but file was missing so I removed it, prob MSN file
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab <---my fiance a webcam host, didn't seem important to have
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 <----had microsoft in it so removed

Could have been more, but I did not see any more backups so that's all I got for this question.

[quote]
[quote]Last night somehow surfing around the net I got hit by SpywareQuake.[/quote]
Seems that this one is already gone. Are you still receiving taskbar security warnings?
[/quote]

Yes, the SpywareQuake stuff seems to be depleted.

[quote]
[quote]Now I cant change my home page back to google.com.[/quote]

Please do following steps:

To change the Home page, open Internet Explorer
Go to Tools > Internet Options
In the Home Page Address box, enter an address, such as:
http://www.msn.com/ or http://www.google.com or the homepage you want
Press: Apply
Press: OK
[/quote]

Did that like 100 times, no luck. When I replace the homepage with ANY other page and hit Apply then OK, when I go back into the internet options it's right back to the one it's locked on. Read the update below for more info that may help.

[quote]Next,update Java![/quote]

Done and Done (no change in homepage though)

Ok, I have some updates to share that I find very interesting....
Yesterday I continued to research for many hours on fixing this issue. It has got to be something small, in my opinion. I read a few registry posts and decided to take a look at my registry and see what's up.


First, I navigated a bit, making myself more aware of the Internet Explorer registry options in
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main AND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

Before making any changes I made a backup by clicking File > Export and selecting a location.

Now, even though the other user on the computer was having the same problem, I started with...
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

I noticed there were many keys for certain pages like start page and search page etc.
I eventually tried to change these keys with no luck, so I backed up the registry and deleted them. Then I could not even open Internet Explorer, so I did a system restore because the backup was done wrong. Everything is back to normal, to the state where I can't change the homepage… however I can change it in safe mode, which I later found out. None of my startups are doing it though. So confused…
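For readers triaging entries like the ones posted above, here is an added example (not part of the original thread or written by any poster): a small Python parser that splits HijackThis "O" lines into section, kind, CLSID and target, and lists the targets reported as "(file missing)". The sample lines are copied from the posts in this thread with the poster's annotations stripped; the function names are this example's own.

```python
import re
from collections import Counter

# Entries copied from the HijackThis lines quoted in this thread (annotations stripped).
SAMPLE = r"""
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # section code, kind label, remainder
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

def parse_line(line):
    """Split one HijackThis entry into its parts; return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    rest = rest.rstrip()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    clsid = CLSID.search(rest)
    # The target (file path, command or URL) is the last " - " separated field.
    target = rest.rsplit(" - ", 1)[-1].strip().strip('"')
    return {
        "section": section,
        "kind": kind,
        "clsid": clsid.group(0).upper() if clsid else None,  # normalise case for comparison
        "target": target,
        "file_missing": missing,
    }

def parse_log(text):
    """Parse every entry line in a pasted log, skipping headers and blank lines."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def summarize(entries):
    """Count entries per section and list targets HijackThis reported as missing."""
    counts = Counter(e["section"] for e in entries)
    orphans = [e["target"] for e in entries if e["file_missing"]]
    return counts, orphans
```

Normalising the CLSID to upper case makes it possible to compare an entry taken from a backup with the same entry in a later log, where the case of the GUID may differ.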

#5 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 29 August 2006 - 02:13 PM

Hi MasterC, thanks for the reply.

Can you please tell me what you have changed in the Registry keys, and have you reimported the back-up whether IE is still down..?

[quote]Could have been more but i did not see anymore backups so thats all i got for this question[/quote]


I see already one line that is legit, will you please do the following:

Restore the backups:

* Open HiJackThis
* Click on "View the list of Backups"
* Place a check mark next to everything in that window
* Click Restore
* Click Yes
* Reboot your computer
* Run HiJackThis and post a new HiJackThis log for review.

Kind regards,

Rosty.
Proud member of ASAP since 2007



