Solved

ANNOYING SEARCH PAGE PLS HELP

Posted on 2004-08-07
21
2,740 Views
Last Modified: 2010-04-12
I HAVE A PROBLEM WITH MY IE IT KEEPS GOING TO A SEARCH PAGE EVERY TIME I MISSTYPE A URL OR A WHEN I TRY TO GO TO CERTAIN PAGES IT APPEARS AND DOES NOT ALLOW ME TO GO TO THE PAGES I WANT I HAVE TRIED EVERYTHING I HAVE TRIED CCSHREDER, ADWARE SOFTWARE, TROJAN REMOVER AND NOTHING SEEMS TO WORK WHAT CAN I DO TO GET RID OF THIS ANNOYING SEARCH PAGE I DONT POST THE URL FOR IT CAUSE IM AT WORK BUT WILL POST AS SOON AS I GET HOME TODAY..... THANKS IN ADVANCED
0
Comment
Question by:JMA12
  • 8
  • 5
  • 3
  • +4
21 Comments
 
LVL 22

Expert Comment

by:DarkoLord
ID: 11743285
First turn your Caps Lock off :))

Then go to http://www.safer-networking.org/en/index.html and download SpyBot SD (and dont forget to update it)

Darko
0
 
LVL 4

Expert Comment

by:shard26
ID: 11743413
As Darko said this is definately a SpyWare issue. You may have to edit your registry. See if there is anything peculiar in these keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchProperties]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchProperties\en-us]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]

0
 

Author Comment

by:JMA12
ID: 11743872
I HAVE CHECKED MY REGYSTRY AND REMOVED SOM THINGS THAT WERE NOT SUPPOSED TO BE THERE AND I DO HAVE SPY BOT BUT SOME REASON EVERY TIME I START MY PC THAT PAGE APPEARS AGAIN SO I DONT KNOW WHAT ELSE TO DO.
0
 

Expert Comment

by:pinballistic
ID: 11744274
Download Hijackthis.exe update it, run it, and take a good look at the registry entries it shows you.  Be careful, but delete obvious junk.  You can upload the resulting file if you need help with it.  Good luck.

Pin
0
 
LVL 10

Expert Comment

by:stafi
ID: 11744653
try to get a softwere called " pestpatrol " if this one will not help you ...  they give a free scan on:

http://www.pestscan.com/ScanOrTrial.asp

0
 

Author Comment

by:JMA12
ID: 11745423
0
 
LVL 22

Expert Comment

by:DarkoLord
ID: 11745777
Post your entire hijackthis log

Darko
0
 

Author Comment

by:JMA12
ID: 11750070
well when i run hijackthis i dont really get much i just run it again and get this new ones
R0-HCKU\Software\Microsoft\Internet Explorer\Main,Start Page=htt://www.indowws.cc/hp.htm?id=9
02-BHO:(no name)--{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}--C:WINDOWS\SYSTEM32\esiadnbmt4bjg.dll
04-HKLM\..\Run:[romahere]C:\WINDOWS\SYSTEM32\matrixhere.exe
04-HKLM\..\Run:[pnpsvc_lock]C:\WINDOWS\SYSTEM32\432489.exe
04-HKLM\..\Run:[msngr]"C\Program Files\MSN Messenger\msngr.exe" /background
04-HKLM\..\Run:[romahere]C:\WINDOWS\SYSTEM32\matrixhere.exe
04-Global Startup: winlogin.exe
015-trusted zone:*.greg-search.com
015-trusted zone:*.greg-search.com
04-Global Startup: winlogin.exe

i have deleted this ones as well but they keep coming back.

0
 
LVL 3

Expert Comment

by:saito1
ID: 11750655
first tools -> internet options -> delete files (include offline files)
make sure there is no files and cookies

then download & run the program from

http://www.mlin.net/StartupCPL.shtml

and remove every unnecessary program that you will see in tabs in startupcpl program.

this will solve your problem..


0
 
LVL 22

Expert Comment

by:DarkoLord
ID: 11750993
Okay this is the best utility to show programs that run on startup:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Use it and paste the results here


Darko
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:JMA12
ID: 11757496
This is what i got when i runed this http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml hope this helps.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ cscdll      Offline Network Agent      Microsoft Corporation      C:\WINDOWS\system32\cscdll.dll

+ ScCertProp      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ Schedule      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ SensLogn      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ termsrv      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

+ wlballoon      Common DLL to receive Winlogon notifications      Microsoft Corporation      C:\WINDOWS\system32\wlnotify.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit                  

+ C:\WINDOWS\system32\userinit.exe      Userinit Logon Application      Microsoft Corporation      C:\WINDOWS\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell                  

+ Explorer.exe      Windows Explorer      Microsoft Corporation      C:\WINDOWS\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ pnpsvc_lock                  C:\WINDOWS\System32\1695177.exe

+ romahere                  C:\WINDOWS\system32\matrixhere.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx                  

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components                  

+ Address Book 6      Outlook Express Setup Library      Microsoft Corporation      C:\Program Files\OUTLOOK EXPRESS\setup50.exe

+ Browser Customizations      Microsoft Internet Explorer Customization DLL      Microsoft Corporation      C:\WINDOWS\system32\iedkcs32.dll

+ Internet Explorer      Windows NT User Data Migration Tool      Microsoft Corporation      C:\WINDOWS\system32\shmgrate.exe

+ Internet Explorer 6      IE 5.0 Per-User Install Utility      Microsoft Corporation      C:\WINDOWS\system32\ie4uinit.exe

+ Microsoft Outlook Express 6      Outlook Express Setup Library      Microsoft Corporation      C:\Program Files\OUTLOOK EXPRESS\setup50.exe

+ Microsoft Windows Media Player      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

+ NetMeeting 3.01      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

+ Outlook Express      Windows NT User Data Migration Tool      Microsoft Corporation      C:\WINDOWS\system32\shmgrate.exe

+ Themes Setup      Microsoft(C) Register Server      Microsoft Corporation      C:\WINDOWS\system32\regsvr32.exe

+ Windows Desktop Update      Microsoft(C) Register Server      Microsoft Corporation      C:\WINDOWS\system32\regsvr32.exe

+ Windows Media Player      Microsoft Windows Media Player Setup Utility      Microsoft Corporation      C:\WINDOWS\inf\unregmp2.exe

+ Windows Messenger 4.7      ADVPACK      Microsoft Corporation      C:\WINDOWS\system32\advpack.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler                  

+ Browseui preloader      Shell Browser UI Library      Microsoft Corporation      C:\WINDOWS\system32\browseui.dll

+ Component Categories cache daemon      Shell Browser UI Library      Microsoft Corporation      C:\WINDOWS\system32\browseui.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad                  

+ CDBurn      Windows Shell Common Dll      Microsoft Corporation      C:\WINDOWS\system32\shell32.dll

+ PostBootReminder      Windows Shell Common Dll      Microsoft Corporation      C:\WINDOWS\system32\shell32.dll

+ SysTray      Systray shell service object      Microsoft Corporation      C:\WINDOWS\system32\stobject.dll

+ WebCheck      Web Site Monitor      Microsoft Corporation      C:\WINDOWS\system32\webcheck.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Run                  

+ romahere                  C:\WINDOWS\system32\matrixhere.exe

Task Scheduler                  

+ Symantec NetDetect.job      Symantec NetDetect      Symantec Corporation      C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11757544
Sorry for jumping in on this question...

There still is a lot of garbage on your computer running.
Close all browser windows and programs, then please run hijackthis as suggested by DarkoLord, click "scan" and then "save log"
Post the ENTIRE contents of that logfile (you may mask your domainname if you're on a domain, but please leave the rest, including all headers!)

Then we will be able to see exactly what the problem with your computer is...

Greetings,

LucF
0
 

Author Comment

by:JMA12
ID: 11759664
Its ok if anyone jumps in all i want is to get rid this stupid page and need all the help i can get.
Well i just runed hijackthis again and this is all i get. i did killed some processes should i dont know if any one needs to look at those as well.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Familia Alecio\Desktop\Joel Mmovies\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\1ecg1ruc7s2.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\513177.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: avz67he7uftu.tlb
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11759866
I still don't see a full logfile, how about the headers etc? (version information etc)
Please reboot the computer, then the first thing you do should be running hijackthis, don't kill any processes before running.

And just to be sure, use the latest version of hijackthis => http://aumha.org/downloads/hijackthis.exe

LucF
0
 
LVL 3

Expert Comment

by:saito1
ID: 11759888
Dear JMA12,

did you make what I wrote above ? it will solve your problem...
0
 
LVL 22

Expert Comment

by:DarkoLord
ID: 11760822
Go to the safe mode and delete these files:
1ecg1ruc7s2.dll
matirxhere.exe
513177.exe
matrixhere.exe
image.dll

Then reboot and you should get some error messages that file(s) doesn't exist... fire up the registry editor and delete al keys/values which contain those filenames

Darko
0
 

Author Comment

by:JMA12
ID: 11767972
Saito1 yes i did try what u posted and it did not work i still have that stupid page.
LucF i downloaded that updated version and it was the same i had but i still downloaded any ways and here is what i came up with as soon as i started my pc:
Logfile of HijackThis v1.98.2
Scan saved at 4:41:47 PM, on 08/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Documents and Settings\Familia Alecio\Desktop\Joel Mmovies\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb

im about to try the last post that Darklord posted see it that works.
0
 

Author Comment

by:JMA12
ID: 11768154
Darkloard
to delete the files in safe mode do i just to a search for them or is there another way to find them and delete, i located matirxhere.exe, 513177.exe, matrixhere.exe i deleted those files but the other the 1ecg1ruc7s2.dll i could not locate as for image.dll i did locate that one but is a nero file should i still delete it?
0
 
LVL 22

Accepted Solution

by:
DarkoLord earned 500 total points
ID: 11768173
Well from your last post it looks like the file is renamed to: 4kjv3ecwczlfh.dll
if you don't find it look for such file with a strange filename...

well you can try to rename image.dll just to be sure (although I am sure that there is a spyware that uses same filename)..

Darko
0
 

Author Comment

by:JMA12
ID: 11769869
Well i dont what Darklord told me i just deleted those files on safe mode went to the regestry took a while but i think i got all those files and so far it has been 2 hours and have not seen that page hopefully it will stay like this thanks to everyone that helped me out i apreciate it.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11769948
You're welcome :)

If you see any of those lines in hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4kjv3ecwczlfh.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: avz67he7uftu.tlb
You should get rid of them, none of them are the way they should be.

LucF
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Fine Tune your automatic Updates for Ubuntu / Debian
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Edureka is one of the fastest growing and most effective online learning sites.  We are here to help you succeed.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now