Solved

ANNOYING SEARCH PAGE PLS HELP

Posted on 2004-08-07
Last Modified: 2010-04-12
I HAVE A PROBLEM WITH MY IE. IT KEEPS GOING TO A SEARCH PAGE EVERY TIME I MISTYPE A URL, OR WHEN I TRY TO GO TO CERTAIN PAGES IT APPEARS AND DOES NOT ALLOW ME TO GO TO THE PAGES I WANT. I HAVE TRIED EVERYTHING: I HAVE TRIED CCSHREDER, ADWARE SOFTWARE, TROJAN REMOVER AND NOTHING SEEMS TO WORK. WHAT CAN I DO TO GET RID OF THIS ANNOYING SEARCH PAGE? I DON'T POST THE URL FOR IT 'CAUSE I'M AT WORK BUT WILL POST AS SOON AS I GET HOME TODAY..... THANKS IN ADVANCE
Question by:JMA12
21 Comments
 
LVL 22

Expert Comment

by:DarkoLord
First turn your Caps Lock off :))

Then go to http://www.safer-networking.org/en/index.html and download SpyBot SD (and don't forget to update it)

Darko
0
 
LVL 4

Expert Comment

by:shard26
As Darko said, this is definitely a SpyWare issue. You may have to edit your registry. See if there is anything peculiar in these keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchProperties]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchProperties\en-us]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]

0
 

Author Comment

by:JMA12
I HAVE CHECKED MY REGISTRY AND REMOVED SOME THINGS THAT WERE NOT SUPPOSED TO BE THERE AND I DO HAVE SPY BOT, BUT FOR SOME REASON EVERY TIME I START MY PC THAT PAGE APPEARS AGAIN, SO I DON'T KNOW WHAT ELSE TO DO.
0
 

Expert Comment

by:pinballistic
Download Hijackthis.exe, update it, run it, and take a good look at the registry entries it shows you.  Be careful, but delete obvious junk.  You can upload the resulting file if you need help with it.  Good luck.

Pin
0
 
LVL 10

Expert Comment

by:stafi
Try to get a software called "pestpatrol" if this one will not help you ...  they give a free scan on:

http://www.pestscan.com/ScanOrTrial.asp

0
 

Author Comment

by:JMA12
0
 
LVL 22

Expert Comment

by:DarkoLord
Post your entire hijackthis log

Darko
0
 

Author Comment

by:JMA12
Well, when I run hijackthis I don't really get much. I just run it again and get these new ones:
R0-HCKU\Software\Microsoft\Internet Explorer\Main,Start Page=htt://www.indowws.cc/hp.htm?id=9
02-BHO:(no name)--{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}--C:WINDOWS\SYSTEM32\esiadnbmt4bjg.dll
04-HKLM\..\Run:[romahere]C:\WINDOWS\SYSTEM32\matrixhere.exe
04-HKLM\..\Run:[pnpsvc_lock]C:\WINDOWS\SYSTEM32\432489.exe
04-HKLM\..\Run:[msngr]"C\Program Files\MSN Messenger\msngr.exe" /background
04-HKLM\..\Run:[romahere]C:\WINDOWS\SYSTEM32\matrixhere.exe
04-Global Startup: winlogin.exe
015-trusted zone:*.greg-search.com
015-trusted zone:*.greg-search.com
04-Global Startup: winlogin.exe

I have deleted these ones as well but they keep coming back.

0
 
LVL 3

Expert Comment

by:saito1
First tools -> internet options -> delete files (include offline files)
Make sure there are no files and cookies

then download & run the program from

http://www.mlin.net/StartupCPL.shtml

and remove every unnecessary program that you will see in tabs in startupcpl program.

this will solve your problem..


0
 
LVL 22

Expert Comment

by:DarkoLord
Okay this is the best utility to show programs that run on startup:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Use it and paste the results here


Darko
0
 

Author Comment

by:JMA12
This is what I got when I ran this http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml hope this helps.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ cscdll      Offline Network Agent      Microsoft Corporation      C:\WINDOWS\system32\cscdll.dll

+ ScCertProp      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ Schedule      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ SensLogn      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ termsrv      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ wlballoon      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit                  

+ C:\WINDOWS\system32\userinit.exe      Userinit Logon Application      Microsoft Corporation      C:\WINDOWS\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell                  

+ Explorer.exe      Windows Explorer      Microsoft Corporation      C:\WINDOWS\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ pnpsvc_lock                  C:\WINDOWS\System32\1695177.exe

+ romahere                  C:\WINDOWS\system32\matrixhere.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx                  

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components                  

+ Address Book 6      Outlook Express Setup Library      Microsoft Corporation      C:\Program Files\OUTLOOK EXPRESS\setup50.exe

+ Browser Customizations      Microsoft Internet Explorer Customization DLL      Microsoft Corporation      C:\WINDOWS\system32\iedkcs32.dll

+ Internet Explorer      Windows NT User Data Migration Tool      Microsoft Corporation      C:\WINDOWS\system32\shmgrate.exe

+ Internet Explorer 6      IE 5.0 Per-User Install Utility      Microsoft Corporation      C:\WINDOWS\system32\ie4uinit.exe

+ Microsoft Outlook Express 6      Outlook Express Setup Library      Microsoft Corporation      C:\Program Files\OUTLOOK EXPRESS\setup50.exe

+ Microsoft Windows Media Player      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

+ NetMeeting 3.01      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

+ Outlook Express      Windows NT User Data Migration Tool      Microsoft Corporation      C:\WINDOWS\system32\shmgrate.exe

+ Themes Setup      Microsoft(C) Register Server      Microsoft Corporation      C:\WINDOWS\system32\regsvr32.exe

+ Windows Desktop Update      Microsoft(C) Register Server      Microsoft Corporation      C:\WINDOWS\system32\regsvr32.exe

+ Windows Media Player      Microsoft Windows Media Player Setup Utility      Microsoft Corporation      C:\WINDOWS\inf\unregmp2.exe

+ Windows Messenger 4.7      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler                  

+ Browseui preloader      Shell Browser UI Library      Microsoft Corporation      C:\WINDOWS\system32\browseui.dll

+ Component Categories cache daemon      Shell Browser UI Library      Microsoft Corporation      C:\WINDOWS\system32\browseui.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad                  

+ CDBurn      Windows Shell Common Dll      Microsoft Corporation      C:\WINDOWS\system32\shell32.dll

+ PostBootReminder      Windows Shell Common Dll      Microsoft Corporation      C:\WINDOWS\system32\shell32.dll

+ SysTray      Systray shell service object      Microsoft Corporation      C:\WINDOWS\system32\stobject.dll

+ WebCheck      Web Site Monitor      Microsoft Corporation      C:\WINDOWS\system32\webcheck.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Run                  

+ romahere                  C:\WINDOWS\system32\matrixhere.exe

Task Scheduler                  

+ Symantec NetDetect.job      Symantec NetDetect      Symantec Corporation      C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
0
 
LVL 32

Expert Comment

by:Luc Franken
Sorry for jumping in on this question...

There still is a lot of garbage on your computer running.
Close all browser windows and programs, then please run hijackthis as suggested by DarkoLord, click "scan" and then "save log"
Post the ENTIRE contents of that logfile (you may mask your domainname if you're on a domain, but please leave the rest, including all headers!)

Then we will be able to see exactly what the problem with your computer is...

Greetings,

LucF
0
 

Author Comment

by:JMA12
It's OK if anyone jumps in, all I want is to get rid of this stupid page and I need all the help I can get.
Well, I just ran hijackthis again and this is all I get. I did kill some processes, should I? I don't know if anyone needs to look at those as well.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Familia Alecio\Desktop\Joel Mmovies\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\1ecg1ruc7s2.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\513177.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: avz67he7uftu.tlb
0
 
LVL 32

Expert Comment

by:Luc Franken
I still don't see a full logfile, how about the headers etc? (version information etc)
Please reboot the computer, then the first thing you do should be running hijackthis, don't kill any processes before running.

And just to be sure, use the latest version of hijackthis => http://aumha.org/downloads/hijackthis.exe

LucF
0
 
LVL 3

Expert Comment

by:saito1
Dear JMA12,

Did you do what I wrote above? It will solve your problem...
0
 
LVL 22

Expert Comment

by:DarkoLord
Go to the safe mode and delete these files:
1ecg1ruc7s2.dll
matirxhere.exe
513177.exe
matrixhere.exe
image.dll

Then reboot and you should get some error messages that file(s) doesn't exist... fire up the registry editor and delete all keys/values which contain those filenames

Darko
0
 

Author Comment

by:JMA12
Saito1, yes I did try what you posted and it did not work; I still have that stupid page.
LucF, I downloaded that updated version and it was the same I had, but I still downloaded it anyway, and here is what I came up with as soon as I started my PC:
Logfile of HijackThis v1.98.2
Scan saved at 4:41:47 PM, on 08/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Documents and Settings\Familia Alecio\Desktop\Joel Mmovies\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb

I'm about to try the last post that DarkoLord posted to see if that works.
0
 

Author Comment

by:JMA12
DarkoLord,
To delete the files in safe mode, do I just do a search for them or is there another way to find them and delete them? I located matirxhere.exe, 513177.exe, matrixhere.exe and I deleted those files, but the other, the 1ecg1ruc7s2.dll, I could not locate. As for image.dll, I did locate that one but it is a Nero file; should I still delete it?
0
 
LVL 22

Accepted Solution

by:
DarkoLord earned 500 total points
Well, from your last post it looks like the file is renamed to: 4kjv3ecwczlfh.dll
If you don't find it, look for such a file with a strange filename...

Well, you can try to rename image.dll just to be sure (although I am sure that there is a spyware that uses the same filename)..

Darko
0
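An added example (not part of the original thread or any poster's code): the scans posted above show the same BHO CLSID and the same pnpsvc_lock Run value pointing at a different file name each time, so this Python script keys the posted O2 and O4 lines by registry identity and reports the targets that rotate. The function names and regular expressions are assumptions of the example.

```python
import re
from collections import defaultdict

# O2/O4 lines from the HijackThis scans posted in this thread. SCAN_1 is the
# hand-typed first post re-typed in standard HijackThis layout.
SCAN_1 = r"""
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM32\esiadnbmt4bjg.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM32\matrixhere.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM32\432489.exe
"""
SCAN_2 = r"""
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\1ecg1ruc7s2.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\513177.exe
"""
SCAN_3 = r"""
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run): \[([^\]]+)\] (.+)$")

def persistence_entries(scan):
    """Map each autostart's stable registry identity to its current file name."""
    entries = {}
    for line in map(str.strip, scan.splitlines()):
        if m := BHO_RE.match(line):
            key, target = ("BHO", m[1].upper()), m[2]
        elif m := RUN_RE.match(line):
            key, target = ("Run", f"{m[1]}:{m[2]}"), m[3]
        else:
            continue
        entries[key] = target.rsplit("\\", 1)[-1].lower()
    return entries

def rotating_targets(scans):
    """Return identities whose target file name changed between scans."""
    history = defaultdict(list)
    for scan in scans:
        for key, name in persistence_entries(scan).items():
            if name not in history[key]:
                history[key].append(name)
    return {k: v for k, v in history.items() if len(v) > 1}

if __name__ == "__main__":
    for (kind, ident), names in rotating_targets([SCAN_1, SCAN_2, SCAN_3]).items():
        print(f"{kind} {ident}: {' -> '.join(names)}")
```

The CLSID and the Run value name stay constant while the file behind them changes, which is why cleanup that searches only for a file name from an older scan misses the current copy.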
 

Author Comment

by:JMA12
Well, I did what DarkoLord told me: I just deleted those files in safe mode and went to the registry. It took a while, but I think I got all those files, and so far it has been 2 hours and I have not seen that page. Hopefully it will stay like this. Thanks to everyone that helped me out, I appreciate it.
0
 
LVL 32

Expert Comment

by:Luc Franken
You're welcome :)

If you see any of those lines in hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb
You should get rid of them, none of them are the way they should be.

LucF
0
