Dear experts,
I have a problem with the home page setting of IE6.
Instead of
www.google.de, some Coolwebsearch (CWS) page is my home page now.
tried a lot with
Spybot
ad aware 6
and at the end with the latest version of CWShredder.
nothing seems to working. everytime I set the home page as
www.google.de , it chaged to about:blank with some spam search site,
tried to run the OS (Win XP) in safe mode and do the above methods, but fails
log file generated with hijack this is given below,
Logfile of HijackThis v1.97.7
Scan saved at 1:56:27 AM, on 4/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon
.exe
C:\WIN98\system32\services
.exe
C:\WIN98\system32\lsass.ex
e
C:\WIN98\system32\svchost.
exe
C:\WIN98\System32\svchost.
exe
C:\WIN98\system32\spoolsv.
exe
C:\WIN98\System32\inetsrv\
inetinfo.e
xe
C:\WIN98\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Internet download\Softwares and patches\log-generator.exe
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Search Bar = res://C:\WIN98\System32\pf
h.dll/sp.h
tml (obfuscated)
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Search Page = res://C:\WIN98\System32\pf
h.dll/sp.h
tml (obfuscated)
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Default_Sear
ch_URL = about:blank
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Search,SearchAssi
stant = res://C:\WIN98\System32\pf
h.dll/sp.h
tml (obfuscated)
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Bar = res://C:\WIN98\System32\pf
h.dll/sp.h
tml (obfuscated)
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Page = res://C:\WIN98\System32\pf
h.dll/sp.h
tml (obfuscated)
R0 - HKLM\Software\Microsoft\In
ternet Explorer\Search,SearchAssi
stant = res://C:\WIN98\System32\pf
h.dll/sp.h
tml (obfuscated)
R1 - HKCU\Software\Microsoft\In
ternet Explorer\SearchURL,(Defaul
t) =
http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Wi
ndows\Curr
entVersion
\Internet Settings,AutoConfigURL = proxy.olydorf.swh.mhn.de
R1 - HKCU\Software\Microsoft\Wi
ndows\Curr
entVersion
\Internet Settings,ProxyServer = proxy.olydorf.swh.mhn.de:8
080
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,SearchAssist
ant = ,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-D
D56626C6C4
2} - C:\WIN98\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEH
elper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0
B27DDD11DB
2} - C:\Program Files\SpywareGuard\dlprote
ct.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
06D7942484
F} - C:\PROGRA~1\SPYBOT~1\SDHel
per.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C
F10577473F
7} - c:\program files\google\googletoolbar
3.dll
O2 - BHO: (no name) - {B5366465-D066-4C74-A4D9-3
6FCB4BA5FE
C} - C:\WIN98\System32\pfh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
0A0C908246
7} - C:\WIN98\System32\msdxm.oc
x
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
09027A5CD4
F} - c:\program files\google\googletoolbar
3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.
exe
O6 - HKCU\Software\Policies\Mic
rosoft\Int
ernet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Mic
rosoft\Int
ernet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Mic
rosoft\Int
ernet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar
3.dll/cmse
arch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar
3.dll/cmba
cklinks.ht
ml
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar
3.dll/cmca
che.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
\Office10\
EXCEL.EXE/
3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar
3.dll/cmsi
milar.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5
D2C442ADFD
E} -
http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
0C04F9A3B6
1} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-1
6A91B2EA10
3} (WScanCtl Class) -
http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
009F29E09E
1} (ActiveScan Installer Class) -
http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
4455354000
0} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\T
cpip\..\{F
6F7BFC2-B6
C4-4DB7-84
3C-0859E60
56639}: Domain = stusta.swh.mhn.de
O17 - HKLM\System\CCS\Services\T
cpip\..\{F
6F7BFC2-B6
C4-4DB7-84
3C-0859E60
56639}: NameServer = 10.150.128.2,10.150.127.2
O17 - HKLM\System\CS1\Services\T
cpip\Param
eters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CS2\Services\T
cpip\Param
eters: SearchList = stusta.swh.mhn.de
O17 - HKLM\System\CCS\Services\T
cpip\Param
eters: SearchList = stusta.swh.mhn.de
Please give your suggestions to coup with this problem,
regards,
Afzal
They have apparently addressed this, I tried to run it and Cool Web Search was blocking it (somebodies sneaky).
However, when I restarted, it came up with a dialogue telling me what was happening, then it ran only it had renamed
itself to random name - success.
Also, what d_may said above - Microsoft is dropping support for it's Java Virtual Machine.
Good luck!