  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2767
  • Last Modified:

ANNOYING SEARCH PAGE PLS HELP

I HAVE A PROBLEM WITH MY IE. IT KEEPS GOING TO A SEARCH PAGE EVERY TIME I MISTYPE A URL, OR WHEN I TRY TO GO TO CERTAIN PAGES IT APPEARS AND DOES NOT ALLOW ME TO GO TO THE PAGES I WANT. I HAVE TRIED EVERYTHING: I HAVE TRIED CCSHREDER, ADWARE SOFTWARE, TROJAN REMOVER, AND NOTHING SEEMS TO WORK. WHAT CAN I DO TO GET RID OF THIS ANNOYING SEARCH PAGE? I DON'T POST THE URL FOR IT BECAUSE I'M AT WORK, BUT I WILL POST IT AS SOON AS I GET HOME TODAY..... THANKS IN ADVANCE
0
JMA12
Asked:
 
DarkoLord Commented:
First turn your Caps Lock off :))

Then go to http://www.safer-networking.org/en/index.html and download SpyBot SD (and don't forget to update it)

Darko
0
 
shard26 Commented:
As Darko said, this is definitely a SpyWare issue. You may have to edit your registry. See if there is anything peculiar in these keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchProperties]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchProperties\en-us]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]

0
 
JMA12 Author Commented:
I HAVE CHECKED MY REGISTRY AND REMOVED SOME THINGS THAT WERE NOT SUPPOSED TO BE THERE, AND I DO HAVE SPYBOT, BUT FOR SOME REASON EVERY TIME I START MY PC THAT PAGE APPEARS AGAIN, SO I DON'T KNOW WHAT ELSE TO DO.
0
 
pinballistic Commented:
Download Hijackthis.exe, update it, run it, and take a good look at the registry entries it shows you.  Be careful, but delete obvious junk.  You can upload the resulting file if you need help with it.  Good luck.

Pin
0
 
stafi Commented:
Try to get a software called "pestpatrol" if this one will not help you... they give a free scan on:

http://www.pestscan.com/ScanOrTrial.asp

0
 
JMA12 Author Commented:
0
 
DarkoLord Commented:
Post your entire hijackthis log

Darko
0
 
JMA12 Author Commented:
Well, when I run hijackthis I don't really get much. I just ran it again and got these new ones:
R0-HCKU\Software\Microsoft\Internet Explorer\Main,Start Page=htt://www.indowws.cc/hp.htm?id=9
02-BHO:(no name)--{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}--C:WINDOWS\SYSTEM32\esiadnbmt4bjg.dll
04-HKLM\..\Run:[romahere]C:\WINDOWS\SYSTEM32\matrixhere.exe
04-HKLM\..\Run:[pnpsvc_lock]C:\WINDOWS\SYSTEM32\432489.exe
04-HKLM\..\Run:[msngr]"C\Program Files\MSN Messenger\msngr.exe" /background
04-HKLM\..\Run:[romahere]C:\WINDOWS\SYSTEM32\matrixhere.exe
04-Global Startup: winlogin.exe
015-trusted zone:*.greg-search.com
015-trusted zone:*.greg-search.com
04-Global Startup: winlogin.exe

I have deleted these ones as well but they keep coming back.

0
 
saito1 Commented:
First: Tools -> Internet Options -> Delete Files (include offline files).
Make sure there are no files and cookies.

then download & run the program from

http://www.mlin.net/StartupCPL.shtml

and remove every unnecessary program that you will see in tabs in startupcpl program.

this will solve your problem..


0
 
DarkoLord Commented:
Okay this is the best utility to show programs that run on startup:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Use it and paste the results here


Darko
0
 
JMA12 Author Commented:
This is what I got when I ran this http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml, hope this helps.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ cscdll      Offline Network Agent      Microsoft Corporation      C:\WINDOWS\system32\cscdll.dll

+ ScCertProp      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ Schedule      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ SensLogn      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ termsrv      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ wlballoon      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit                  

+ C:\WINDOWS\system32\userinit.exe      Userinit Logon Application      Microsoft Corporation      C:\WINDOWS\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell                  

+ Explorer.exe      Windows Explorer      Microsoft Corporation      C:\WINDOWS\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ pnpsvc_lock                  C:\WINDOWS\System32\1695177.exe

+ romahere                  C:\WINDOWS\system32\matrixhere.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx                  

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components                  

+ Address Book 6      Outlook Express Setup Library      Microsoft Corporation      C:\Program Files\OUTLOOK EXPRESS\setup50.exe

+ Browser Customizations      Microsoft Internet Explorer Customization DLL      Microsoft Corporation      C:\WINDOWS\system32\iedkcs32.dll

+ Internet Explorer      Windows NT User Data Migration Tool      Microsoft Corporation      C:\WINDOWS\system32\shmgrate.exe

+ Internet Explorer 6      IE 5.0 Per-User Install Utility      Microsoft Corporation      C:\WINDOWS\system32\ie4uinit.exe

+ Microsoft Outlook Express 6      Outlook Express Setup Library      Microsoft Corporation      C:\Program Files\OUTLOOK EXPRESS\setup50.exe

+ Microsoft Windows Media Player      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

+ NetMeeting 3.01      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

+ Outlook Express      Windows NT User Data Migration Tool      Microsoft Corporation      C:\WINDOWS\system32\shmgrate.exe

+ Themes Setup      Microsoft(C) Register Server      Microsoft Corporation      C:\WINDOWS\system32\regsvr32.exe

+ Windows Desktop Update      Microsoft(C) Register Server      Microsoft Corporation      C:\WINDOWS\system32\regsvr32.exe

+ Windows Media Player      Microsoft Windows Media Player Setup Utility      Microsoft Corporation      C:\WINDOWS\inf\unregmp2.exe

+ Windows Messenger 4.7      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler                  

+ Browseui preloader      Shell Browser UI Library      Microsoft Corporation      C:\WINDOWS\system32\browseui.dll

+ Component Categories cache daemon      Shell Browser UI Library      Microsoft Corporation      C:\WINDOWS\system32\browseui.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad                  

+ CDBurn      Windows Shell Common Dll      Microsoft Corporation      C:\WINDOWS\system32\shell32.dll

+ PostBootReminder      Windows Shell Common Dll      Microsoft Corporation      C:\WINDOWS\system32\shell32.dll

+ SysTray      Systray shell service object      Microsoft Corporation      C:\WINDOWS\system32\stobject.dll

+ WebCheck      Web Site Monitor      Microsoft Corporation      C:\WINDOWS\system32\webcheck.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Run                  

+ romahere                  C:\WINDOWS\system32\matrixhere.exe

Task Scheduler                  

+ Symantec NetDetect.job      Symantec NetDetect      Symantec Corporation      C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
0
 
LucF Commented:
Sorry for jumping in on this question...

There still is a lot of garbage on your computer running.
Close all browser windows and programs, then please run hijackthis as suggested by DarkoLord, click "scan" and then "save log".
Post the ENTIRE contents of that logfile (you may mask your domain name if you're on a domain, but please leave the rest, including all headers!)

Then we will be able to see exactly what the problem with your computer is...

Greetings,

LucF
0
 
JMA12 Author Commented:
It's OK if anyone jumps in, all I want is to get rid of this stupid page and I need all the help I can get.
Well, I just ran hijackthis again and this is all I get. I did kill some processes; I don't know if anyone needs to look at those as well.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Familia Alecio\Desktop\Joel Mmovies\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\1ecg1ruc7s2.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\513177.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: avz67he7uftu.tlb
0
 
LucF Commented:
I still don't see a full logfile, how about the headers etc? (version information etc)
Please reboot the computer, then the first thing you do should be running hijackthis, don't kill any processes before running.

And just to be sure, use the latest version of hijackthis => http://aumha.org/downloads/hijackthis.exe

LucF
0
 
saito1 Commented:
Dear JMA12,

did you do what I wrote above? It will solve your problem...
0
 
DarkoLord Commented:
Go to the safe mode and delete these files:
1ecg1ruc7s2.dll
matirxhere.exe
513177.exe
matrixhere.exe
image.dll

Then reboot and you should get some error messages that the file(s) don't exist... fire up the registry editor and delete all keys/values which contain those filenames

Darko
0
 
JMA12 Author Commented:
Saito1, yes, I did try what you posted and it did not work; I still have that stupid page.
LucF, I downloaded that updated version and it was the same one I had, but I still downloaded it anyway, and here is what I came up with as soon as I started my PC:
Logfile of HijackThis v1.98.2
Scan saved at 4:41:47 PM, on 08/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Documents and Settings\Familia Alecio\Desktop\Joel Mmovies\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb

I'm about to try the last post that DarkoLord posted, to see if that works.
0
 
JMA12 Author Commented:
DarkoLord,
to delete the files in safe mode, do I just do a search for them, or is there another way to find them and delete them? I located matirxhere.exe, 513177.exe, matrixhere.exe and I deleted those files, but the other one, 1ecg1ruc7s2.dll, I could not locate. As for image.dll, I did locate that one, but it is a Nero file; should I still delete it?
0
 
DarkoLord Commented:
Well, from your last post it looks like the file is renamed to: 4kjv3ecwczlfh.dll
If you don't find it, look for such a file with a strange filename...

Well, you can try to rename image.dll just to be sure (although I am sure that there is a spyware that uses the same filename)..

Darko
0
 
JMA12 Author Commented:
Well, I did what DarkoLord told me: I just deleted those files in safe mode and went to the registry. It took a while, but I think I got all those files, and so far it has been 2 hours and I have not seen that page. Hopefully it will stay like this. Thanks to everyone that helped me out, I appreciate it.
0
 
LucF Commented:
You're welcome :)

If you see any of those lines in hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb
You should get rid of them, none of them are the way they should be.

LucF
0
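
The comparison made by eye in the posts above, between the scan before the reboot and the one after it, as an added example that is not part of the original thread: the BHO keeps its CLSID while its DLL gets a new random name, so entries are keyed on the part that stays stable (CLSID, Run value name, registry value) and then diffed. The names `parse` and `compare` belong to this example, and the line layout is assumed from the logs posted above.

```python
import re

# Entry lines copied from the two HijackThis logs in the thread (before and after a reboot).
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\1ecg1ruc7s2.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\513177.exe
O20 - AppInit_DLLs: avz67he7uftu.tlb
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb
"""
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse(log):
    """Map (code, stable key) -> data; the key leaves out the part malware can rename."""
    entries = {}
    for line in log.splitlines():
        m = re.match(r"([RO]\d+) - (.+)$", line.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.groups()
        clsid = CLSID.search(body)
        if code == "O2" and clsid:            # BHO: key on the CLSID, not the DLL path
            key, data = clsid.group(0).upper(), body.rsplit(" - ", 1)[-1]
        elif code == "O4" and ": [" in body:  # Run: key on hive + value name
            hive, rest = body.split(": [", 1)
            name, _, data = rest.partition("] ")
            key = hive + ":" + name
        elif code.startswith("R"):            # IE setting: key on the registry value
            key, _, data = body.partition(" = ")
        else:                                 # O15, O20, ...: whole body is the key
            key, data = body, body.partition(": ")[2]
        entries[(code, key)] = data
    return entries

def compare(before, after):
    """Classify entries across two scans; 'renamed' = same key, different file or URL."""
    a, b = parse(before), parse(after)
    out = {"same": [], "renamed": [], "gone": [], "new": []}
    for k in sorted(a.keys() | b.keys()):
        if k not in b:
            out["gone"].append(k)
        elif k not in a:
            out["new"].append(k)
        elif a[k].lower() == b[k].lower():
            out["same"].append(k)
        else:
            out["renamed"].append((k, a[k], b[k]))
    return out
```

An entry in `same` or `renamed` after a cleanup attempt is one that survived it; a `renamed` BHO means the CLSID registration has to be removed, since the file name alone is not a reliable handle.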
