eric55


browser hijacked

I had spyware and I got it all cleaned out. I ran Spybot, Ad-Aware, Microsoft's and the one on the Yahoo toolbar, and they all come up that I'm clean. The problem is my home page keeps going to this search page; as much as I change it, it goes right back.
How can I fix this?
Thank you.
purplepomegranite

Which search page does it go to?
eatmeimadanish

You must go through Add Remove Programs and uninstall anything that doesn't belong.  Secondly, use hijackthis from www.download.com and kill anything that isn't recognized.  If neither of these work, download the new antispyware from microsoft and use it to restore and protect your default settings.
If you do use hijackthis, feel free to post the log it creates here so that we can look it over for you and advise.
eatmeimadanish
He did mention that he has used Microsoft's

I would recommend downloading Avast and installing it.
Reboot to Safe Mode and run Avast and Spybot S&D again.
Of course, all this AFTER you run the HijackThis from http://www.hijackthis.de
I have used Spybot and a few others, and have found Microsoft Antispyware tool the best tool to use. After running Spybot and then MS AntiSpyware remover I still found more spyware that needed to be removed.

http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en
msice
Is it called VX2 by any chance?
It's your host file. It's not usually mentioned or required in fixing spyware problems, but it really does work on spyware that remains on your host file and reinstalls itself after you clean it out.

I had a particularly nasty one with the same issue.  This is a pain but...

1.  install spysweeper (trial), adaware SE and hijackthis and Norton 2004 (I believe a 90day trial exists) all with current definitions.
2.  uninstall all applications that do not belong from add/remove hardware.
3.  set your homepage in spysweeper
4.  clean everything using each scan from the above applications
5.  clear temp internet files
6.  reset web settings in internet explorer
7.  reboot
8.  rerun steps 3 to 7

also check the registry for items in the "run" and "runonce" categories

I did this at least three times to clear everything and this was the only combination of software that got rid of it.
I personally used HijackThis. But you really want to know what you're doing, so maybe post the log here for analysis?

This is mine which I consider to be "fairly clean".



Logfile of HijackThis v1.99.1
Scan saved at 10:44:21 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\PROGRAM FILES\LOGITECH\SETPOINT\KHALMNPR.EXE
C:\Program Files\G6 FTP Server\G6FTPSrv.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Logitech\SetPoint\MediaPlayerMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Michael Collard\Application Data\Microsoft\Internet Explorer\Quick Launch\putty.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: BPFTP Server.lnk = C:\Program Files\G6 FTP Server\G6FTPSrv.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item:  MK> CLICK HERE TO HELP SUPPORT DEVELOPMENT! - C:\Program Files\IE Context Menu Toolset\donate.html
O8 - Extra context menu item:  MK> Dictionary Lookup - C:\Program Files\IE Context Menu Toolset\dictionary.html
O8 - Extra context menu item:  MK> Force All Links To Open In A New Window - C:\Program Files\IE Context Menu Toolset\open_links_new_window.html
O8 - Extra context menu item:  MK> Show Hidden Inputs - C:\Program Files\IE Context Menu Toolset\show_hidden_inputs.html
O8 - Extra context menu item:  MK> Show Link Targets - C:\Program Files\IE Context Menu Toolset\show_link_targets.html
O8 - Extra context menu item:  MK> Toggle DIV/SPAN Borders - C:\Program Files\IE Context Menu Toolset\toggle_div_span_borders.html
O8 - Extra context menu item:  MK> Toggle Link Highlights - C:\Program Files\IE Context Menu Toolset\highlight_links.html
O8 - Extra context menu item:  MK> Toggle Table Borders - C:\Program Files\IE Context Menu Toolset\toggle_table_borders.html
O8 - Extra context menu item:  MK> View Archived Page - C:\Program Files\IE Context Menu Toolset\archived_page.html
O8 - Extra context menu item:  MK> ZOOM --> in <-- - C:\Program Files\IE Context Menu Toolset\zoom.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LBTServ - C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
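
A way to pre-sort a HijackThis log like the one above before reading it line by line, as an added example that is not part of the original thread. It pulls out the R*/O* entries, lists the Internet Explorer page settings, and picks up the markers HijackThis itself prints for unnamed or dangling entries; the sample is a few lines copied from the log above, and a marker means "look at this first", not "this is spyware".

```python
import re

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
C:\WINDOWS\system32\lsass.exe
"""

# An entry line starts with a section code such as R0, O2 or O23.
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Markers HijackThis prints when an entry is unnamed or its file is absent.
MARKERS = ("(no name)", "(no file)", "(file missing)", "Unknown owner")
# Registry values that decide which page the browser opens or searches with.
PAGE_SETTING = re.compile(r",(Start Page|Default_Page_URL|Search Bar) = (\S+)")

def parse_log(text):
    """Return one dict per R*/O* entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        page = PAGE_SETTING.search(body)
        entries.append({
            "code": code,
            "body": body,
            "markers": [k for k in MARKERS if k in body],
            "page_setting": page.groups() if page else None,
        })
    return entries

def review_list(entries):
    """Entries to read first: browser page settings and marked entries."""
    return [e for e in entries if e["page_setting"] or e["markers"]]

if __name__ == "__main__":
    for e in review_list(parse_log(SAMPLE_LOG)):
        print(e["code"], e["page_setting"] or e["markers"], "|", e["body"][:60])
```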


Try using adwareaway from www.adwareaway.com
ASKER CERTIFIED SOLUTION
HerculesMO

This solution is only available to members.
CWShredder is my choice too :-)  Always a good place to start.
Only if you are infected by Cool Web Search...
I went back and checked thanks to the recent posts, and it was a CWS variant that I had, and I did download CWShredder to work with the others as well. It will not work alone for the new variants, but in combination with the other software it will be successful. And I neglected to mention, as herculesmo said, do it all in safe mode or at least make sure only the standard Windows processes are running.