IE homepage taken over.....


Overclocked Like A Mother
Hi Guys,

I have two different friends that have their IE homepage taken over by spyware. What choices do they have in terms of fixing this situation (uninstalling and reinstalling IE?) . Spybot is not working in both these instances.

Thanks in advance...



NTFS Stoner
there is a new out there making its rounds, and adaware and spybot are NOT up to date, i have been trying to remove this from friends pc's all weekend dammit....

adaware, spybot and hijack this have not been able to clean it.


Only do it for fun
When you get it sorted you can lock your browser homepage with "StartPage Guard" it's free. For more info type name into your search engine.


Overclocked Like A Mother
I will post the log file when they send it to me later. They will use Hijackthis to create the log. Will keep updated. I think that "prizesurfer" has taken over that one persons IE. But will get confirmation.



Enyo said:
and Enyo if I may - since it is buried pretty far down the list - SpywareGuard notifies you whenever something attempts to change your home page and gives you the capability to stop it from being changed. Thus I feel if it is installed now - it could prevent the hijacks until such time as you get the HJT log run and cleaned out!


OSNN Veteran Addict
You can clearly see its hijacked by MyWebSearch and ClearSearch.

Alot of the other stuff i cant be cetain about without asking google and checking the BHOS in the database.

While normally i will hunt down info on the processes i dont know i dont have the time right now.

I will edit the post tomorrow with more info. For now AAW and SpyBot will both remove MyWebSearch, or should.

Heres a quick cut down of the log

Logfile of HijackThis v1.97.7
Scan saved at 8:15:17 PM, on 1/14/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\ClientMan\mscman.exe
C:\Program Files\ClientMan\msckin.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~2.DLL
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - c:\program files\clientman\run\dnsrep117d78e0.dll

O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\system32\btiein.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlclib04e59c3.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL
O2 - BHO: (no name) - {DDAAE51B-6CB6-4A9F-8E79-85D982FAE25D} - C:\WINNT\system32\faxevemnt.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINNT\system32\cpr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: (no name) - {DA3F5EC3-9121-4F7D-BFB1-12EC93AEEFE4} - (no file)
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\System32\SahAgent.exe
O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O11 - Options group: [CommonName] CommonName


Overclocked Like A Mother
Adaware and Spybot have been used to no avail. Prizesurfer keeps locking them up. This is info I am getting from the user on this machine.



Mindless Poster
One Question, Did it change the homepage to a Porn site???? i had this happen recently I ran ADware and it cured the problem. I have to keep running it though for like a week straight but it doesn't happen anymore and i'm pretty clean now as well.. from all the ad-ware runs..


Ad-aware can remove those, you just need to change the settings. Run a custom scan and tell it it search inside archives, search all files and folders, and then run it. From what I have found, a custom scan works MUCH better than the preferred scan.

Members online

No members online now.

Latest posts

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
What a long strange trip it's been. =)

Forum statistics

Latest member