eric55
asked on
browser hijacked
I had spyware and I got it all cleaned out. I ran Spybot, Ad-Aware and Microsoft's & the one on Yahoo Toolbar; they all come up that I'm clean. The problem is my home page keeps going to this search page. As much as I change it, it goes right back.
How can I fix this?
Thank you.
Which search page does it go to?
You must go through Add Remove Programs and uninstall anything that doesn't belong. Secondly, use hijackthis from www.download.com and kill anything that isn't recognized. If neither of these work, download the new antispyware from microsoft and use it to restore and protect your default settings.
If you do use hijackthis, feel free to post the log it creates here so that we can look it over for you and advise.
eatmeimadanish
He did mention that he has used Microsoft's
I would recommend downloading Avast and installing it.
Reboot to Safe Mode and run Avast and Spybot S&D again.
Of course all this AFTER you run the hijackthis from http://www.hijackthis.de
This is the tool you could try:
http://downloads-zdnet.com.com/Browser-Hijack-Recover-BHR-/3000-8022_2-10374063.html
I have used Spybot and a few others, and have found Microsoft Antispyware tool the best tool to use. After running Spybot and then MS AntiSpyware remover I still found more spyware that needed to be removed.
http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en
Is it called VX2 by any chance?
It's your host file. It's not usually mentioned or required in fixing spyware problems, but it really does work on spyware that remains on your host file and reinstalls itself after you clean it out.
I had a particularly nasty one with the same issue. This is a pain but...
1. install spysweeper (trial), adaware SE and hijackthis and Norton 2004 (I believe a 90-day trial exists), all with current definitions.
2. uninstall all applications that do not belong from add/remove hardware.
3. set your homepage in spysweeper
4. clean everything using each scan from the above applications
5. clear temp internet files
6. reset web settings in internet explorer
7. reboot
8. rerun steps 3 to 7
Also check the registry for items in the "run" and "runonce" categories.
I did this at least three times to clear everything and this was the only combination of software that got rid of it.
I personally used HijackThis. But you really want to know what you're doing, so maybe post the log here for analysis?
This is mine which I consider to be "fairly clean".
Logfile of HijackThis v1.99.1
Scan saved at 10:44:21 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\PROGRAM FILES\LOGITECH\SETPOINT\KHALMNPR.EXE
C:\Program Files\G6 FTP Server\G6FTPSrv.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Logitech\SetPoint\MediaPlayerMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Michael Collard\Application Data\Microsoft\Internet Explorer\Quick Launch\putty.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: BPFTP Server.lnk = C:\Program Files\G6 FTP Server\G6FTPSrv.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: MK> CLICK HERE TO HELP SUPPORT DEVELOPMENT! - C:\Program Files\IE Context Menu Toolset\donate.html
O8 - Extra context menu item: MK> Dictionary Lookup - C:\Program Files\IE Context Menu Toolset\dictionary.html
O8 - Extra context menu item: MK> Force All Links To Open In A New Window - C:\Program Files\IE Context Menu Toolset\open_links_new_window.html
O8 - Extra context menu item: MK> Show Hidden Inputs - C:\Program Files\IE Context Menu Toolset\show_hidden_inputs.html
O8 - Extra context menu item: MK> Show Link Targets - C:\Program Files\IE Context Menu Toolset\show_link_targets.html
O8 - Extra context menu item: MK> Toggle DIV/SPAN Borders - C:\Program Files\IE Context Menu Toolset\toggle_div_span_borders.html
O8 - Extra context menu item: MK> Toggle Link Highlights - C:\Program Files\IE Context Menu Toolset\highlight_links.html
O8 - Extra context menu item: MK> Toggle Table Borders - C:\Program Files\IE Context Menu Toolset\toggle_table_borders.html
O8 - Extra context menu item: MK> View Archived Page - C:\Program Files\IE Context Menu Toolset\archived_page.html
O8 - Extra context menu item: MK> ZOOM --> in <-- - C:\Program Files\IE Context Menu Toolset\zoom.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LBTServ - C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
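For readers who want to go through a log like the one above before deciding what to remove, here is a small triage script. It is an added example, not part of the original thread and not HijackThis's own logic. The flagging rules and the `expected_hosts` parameter are assumptions of this sketch, and the sample lines are taken from the log posted above.

```python
import re
from urllib.parse import urlparse

# An entry line starts with a section code such as R0, O4 or O23, then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse(log_text):
    """Return (code, detail) tuples; header and running-process lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def review_reasons(code, detail, expected_hosts):
    """Heuristics chosen for this example: each reason means 'look closer', not 'malicious'."""
    reasons = []
    if code in ("R0", "R1") and " = " in detail:
        host = urlparse(detail.split(" = ", 1)[1].strip()).hostname or ""
        if host and host not in expected_hosts:
            reasons.append(f"browser page points at {host}")
    if code in ("R3", "O2", "O3") and "(no name)" in detail:
        reasons.append("unnamed browser add-on")
    if "(no file)" in detail or "(file missing)" in detail:
        reasons.append("target file not found")
    if code == "O23" and "Unknown owner" in detail:
        reasons.append("service owner reported as unknown")
    return reasons

def triage(log_text, expected_hosts):
    """Return (code, detail, reasons) for every entry with at least one reason."""
    flagged = []
    for code, detail in parse(log_text):
        reasons = review_reasons(code, detail, expected_hosts)
        if reasons:
            flagged.append((code, detail, reasons))
    return flagged

# Sample input: lines copied from the log above.
SAMPLE = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

if __name__ == "__main__":
    for code, detail, reasons in triage(SAMPLE, expected_hosts={"www.dell4me.com"}):
        print(f"{code:>3}  {'; '.join(reasons)}\n     {detail}")
```

Pass the hosts you actually set as home and search pages in `expected_hosts`; any R0/R1 entry pointing elsewhere is listed for review.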
Try using adwareaway from www.adwareaway.com
CWShredder is my choice too :-) Always a good place to start.
Only if you are infected by Cool Web Search...
I went back and checked thanks to the recent posts and it was a CWS variant that I had, and I did download CWShredder to work with the others as well. It will not work alone for the new variants, but in combination with the other software it will be successful. And I neglected to mention, as herculesmo said, do it all in safe mode or at least make sure only the standard Windows processes are running.