IE homepage taken over.....

Discussion in 'Windows Desktop Systems' started by Heeter, Jan 14, 2004.

  1. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    Hi Guys,

I have two different friends that have their IE homepage taken over by spyware. What choices do they have in terms of fixing this situation (uninstalling and reinstalling IE?). Spybot is not working in both these instances.


    Thanks in advance...

    Heeter
     
  2. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    Perhaps it just changed their current homepage.
Or once they change it, is it reverting again?
     
  3. Petros

    Petros Thief IV

    Messages:
    3,038
    Location:
    Pacific Northwest
Try HijackThis or Ad-Aware and Spybot Search & Destroy. I have found HJT solves some browser problems that Ad-Aware and Spybot don't.
     
  4. ThePatriot

    ThePatriot -=[BOHICA!]=- Political User

    Messages:
    1,742
    Location:
    Pennsylvania
Did you try Ad-Aware? Same thing happened to my son's PC; it took care of it.
     
  5. GoNz0

    GoNz0 NTFS Stoner

    Messages:
    2,781
    Location:
    the year 2525
There is a new lop.com out there making its rounds, and Ad-Aware and Spybot are NOT up to date. I have been trying to remove this from friends' PCs all weekend, dammit....


Ad-Aware, Spybot and HijackThis have not been able to clean it.
     
  6. Enyo

    Enyo Moderator

    Messages:
    1,338
  7. Sparks

    Sparks Only do it for fun

    Messages:
    23
    Location:
    County Durham, UK.
When you get it sorted you can lock your browser homepage with "StartPage Guard"; it's free. For more info, type the name into your search engine.
     
  8. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
I will post the log file when they send it to me later. They will use HijackThis to create the log. Will keep updated. I think that "PrizeSurfer" has taken over that one person's IE. But will get confirmation.

    Heeter
     
  9. napalmnthemorning

    napalmnthemorning Moderator

    Messages:
    721
    Location:
    OREGON
SpywareBlaster prevents spyware from being installed. It's free and it has regular downloadable updates.
     
  10. Enyo

    Enyo Moderator

    Messages:
    1,338
  11. Khayman

    Khayman I'm sorry Hal... Political User Folding Team

    Messages:
    5,518
    Location:
    England
    Moved per request
     
  12. damnyank

    damnyank I WILL NOT FORGET 911

    Messages:
    2,359
    Location:
    Petal, Mississippi
    and Enyo if I may - since it is buried pretty far down the list - SpywareGuard notifies you whenever something attempts to change your home page and gives you the capability to stop it from being changed. Thus I feel if it is installed now - it could prevent the hijacks until such time as you get the HJT log run and cleaned out!
     
  13. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    Okay Guys,

    Here is the log for one of the machines.
     

  14. Enyo

    Enyo Moderator

    Messages:
    1,338
You can clearly see it's hijacked by MyWebSearch and ClearSearch.

A lot of the other stuff I can't be certain about without asking Google and checking the BHOs in the database.

While normally I will hunt down info on the processes I don't know, I don't have the time right now.

    I will edit the post tomorrow with more info. For now AAW and SpyBot will both remove MyWebSearch, or should.

Here's a quick cut-down of the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:15:17 PM, on 1/14/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINNT\System32\SahAgent.exe
    C:\WINNT\AStart.exe
    C:\Program Files\ClientMan\mscman.exe
    C:\Program Files\ClientMan\msckin.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
    O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~2.DLL
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - c:\program files\clientman\run\dnsrep117d78e0.dll

    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\system32\btiein.dll
    O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlclib04e59c3.dll
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL
    O2 - BHO: (no name) - {DDAAE51B-6CB6-4A9F-8E79-85D982FAE25D} - C:\WINNT\system32\faxevemnt.dll
    O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINNT\system32\cpr.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: (no name) - {DA3F5EC3-9121-4F7D-BFB1-12EC93AEEFE4} - (no file)
    O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
    O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\System32\SahAgent.exe
    O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O11 - Options group: [CommonName] CommonName
    O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
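Reading a HijackThis log the way Enyo does above comes down to two checks: compare the R0/R1 Start Page and Search Page values against the default the ISP's IERESET.INF would restore (the O14 line), and list the O2 BHO entries, especially those whose DLL is already gone. The parser below is an added example, not HijackThis code or anything posted in the thread; the sample lines are copied from the log above, and the "dangling BHO" heuristic (path ending in "(no file)" or "(file missing)") is this example's own assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
"""

R_LINE = re.compile(r"^R[013] - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")      # registry URL values
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")  # Browser Helper Objects
O14_LINE = re.compile(r"^O14 - IERESET\.INF: START_PAGE_URL=(.*)$")     # IE "reset" default page

def host(url):
    """Hostname of a URL, lower-cased, with a leading 'www.' dropped."""
    h = urlsplit(url.strip()).netloc.lower()
    return h[4:] if h.startswith("www.") else h

def audit(log):
    """Return the expected start host, R-entries pointing elsewhere, and the BHO list."""
    expected, r_entries, bhos = None, [], []
    for line in log.splitlines():
        if m := O14_LINE.match(line):
            expected = host(m.group(1))          # the ISP default IE would reset to
        elif m := R_LINE.match(line):
            r_entries.append((m.group(1), m.group(3), m.group(4)))
        elif m := O2_LINE.match(line):
            bhos.append((m.group(1), m.group(2).upper(), m.group(3)))
    # Any Start/Search page whose host is not the expected default is a hijack candidate.
    hijacked = [(hive, name, url) for hive, name, url in r_entries
                if name != "Default_Page_URL" and host(url) != expected]
    # Assumption: a BHO whose DLL is gone leaves only a CLSID behind and should be removed.
    dangling = [clsid for _, clsid, path in bhos
                if path.endswith("(no file)") or path.endswith("(file missing)")]
    return {"expected": expected, "hijacked": hijacked, "dangling_bhos": dangling, "bhos": bhos}

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("expected default host:", result["expected"])
    for hive, name, url in result["hijacked"]:
        print(f"HIJACKED {hive} {name}: {url}")
    print("dangling BHO CLSIDs:", result["dangling_bhos"])
```

Running it over the full log above flags every R0/R1 Start and Search entry as pointing away from sympatico.ca, which is the hijack Enyo reads off by eye.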
     
  15. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
Ad-Aware and Spybot have been used to no avail. PrizeSurfer keeps locking them up. This is info I am getting from the user on this machine.

    Heeter
     
  16. Enyo

    Enyo Moderator

    Messages:
    1,338
    Have them run http://216.180.233.153/~merijn/files/CWShredder.exe

(Note: linked via IP, as the domain may well be blocked by the spyware.)

    After running this AAW should be able to run to clean up the rest.
     
  17. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
CWShredder has been run since this log. Will wait for a new log after these fixes.


    Heeter
     
  18. XpGuy1

    XpGuy1 Mindless Poster

    Messages:
    136
One question: did it change the homepage to a porn site???? I had this happen recently. I ran Ad-Aware and it cured the problem. I have to keep running it though, for like a week straight, but it doesn't happen anymore and I'm pretty clean now as well, from all the Ad-Aware runs.
     
  19. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
I don't think PrizeSurfer is a porn site.
This is someone else's computer; I don't have it.

    Heeter
     
  20. Reg

    Reg eXperienced!

    Messages:
    639
    Location:
    Arlington, TX
Ad-Aware can remove those, you just need to change the settings. Run a custom scan and tell it to search inside archives and search all files and folders, and then run it. From what I have found, a custom scan works MUCH better than the preferred scan.