IE homepage taken over.....

Heeter

Overclocked Like A Mother
Joined
Jul 8, 2002
Messages
2,732
#1
Hi Guys,

I have two different friends that have their IE homepage taken over by spyware. What choices do they have in terms of fixing this situation (uninstalling and reinstalling IE?). Spybot is not working in both these instances.


Thanks in advance...

Heeter
 

Electronic Punk

willalwaysbewithyou
Staff member
Political User
Joined
Dec 2, 2001
Messages
18,627
#2
Perhaps it just changed their current homepage.
Or once they change it, is it reverting again?
 

GoNz0

NTFS Stoner
Joined
Mar 4, 2002
Messages
2,781
#5
There is a new lop.com out there making its rounds, and Adaware and Spybot are NOT up to date. I have been trying to remove this from friends' PCs all weekend dammit....


Adaware, Spybot and HijackThis have not been able to clean it.
 

Sparks

Only do it for fun
Joined
Jan 6, 2004
Messages
23
#7
When you get it sorted you can lock your browser homepage with "StartPage Guard" it's free. For more info type name into your search engine.
 

Heeter

Overclocked Like A Mother
Joined
Jul 8, 2002
Messages
2,732
#8
I will post the log file when they send it to me later. They will use HijackThis to create the log. Will keep updated. I think that "prizesurfer" has taken over that one person's IE. But will get confirmation.

Heeter
 

damnyank

I WILL NOT FORGET 911
Joined
Mar 14, 2002
Messages
2,359
#12
Enyo said:
and Enyo if I may - since it is buried pretty far down the list - SpywareGuard notifies you whenever something attempts to change your home page and gives you the capability to stop it from being changed. Thus I feel if it is installed now - it could prevent the hijacks until such time as you get the HJT log run and cleaned out!
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#14
You can clearly see it's hijacked by MyWebSearch and ClearSearch.

A lot of the other stuff I can't be certain about without asking Google and checking the BHOs in the database.

While normally I will hunt down info on the processes I don't know, I don't have the time right now.

I will edit the post tomorrow with more info. For now AAW and SpyBot will both remove MyWebSearch, or should.

Here's a quick cut down of the log

Logfile of HijackThis v1.97.7
Scan saved at 8:15:17 PM, on 1/14/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ClearSearch\Loader.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINNT\System32\SahAgent.exe
C:\WINNT\AStart.exe
C:\Program Files\ClientMan\mscman.exe
C:\Program Files\ClientMan\msckin.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~2.DLL
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - c:\program files\clientman\run\dnsrep117d78e0.dll

O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\system32\btiein.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlclib04e59c3.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL
O2 - BHO: (no name) - {DDAAE51B-6CB6-4A9F-8E79-85D982FAE25D} - C:\WINNT\system32\faxevemnt.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINNT\system32\cpr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: (no name) - {DA3F5EC3-9121-4F7D-BFB1-12EC93AEEFE4} - (no file)
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\System32\SahAgent.exe
O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O11 - Options group: [CommonName] CommonName
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
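
An added example, not part of the original post: a small parser for the log format shown above, which separates the IE URL settings (R0/R1), the browser hook registrations (R3/O2/O3) and the Run entries (O4), marks registrations whose file HijackThis reported as missing, and groups the remaining hooks by DLL. The function names and the sample constant are hypothetical; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: ten lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {DA3F5EC3-9121-4F7D-BFB1-12EC93AEEFE4} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
"""

URL_SETTING = re.compile(r"^R[01] - (.+?),([^,=]+?) =\s*(.*)$")
COM_HOOK = re.compile(r"^(?:R3|O2|O3) - (URLSearchHook|BHO|Toolbar): .*? - "
                      r"(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
AUTORUN = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
ORPHAN = re.compile(r"\s*\((?:file missing|no file)\)$", re.I)

def parse_hjt(text):
    """Split a HijackThis log into IE settings, hook registrations and autoruns."""
    out = {"settings": [], "hooks": [], "autoruns": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := URL_SETTING.match(line):
            value = m[3]
            host = urlparse(value).hostname if value.startswith("http") else None
            out["settings"].append({"hive": m[1].split("\\")[0], "name": m[2],
                                    "value": value, "host": host})
        elif m := COM_HOOK.match(line):
            kind, clsid, path = m.groups()
            out["hooks"].append({"kind": kind, "clsid": clsid.upper(),
                                 "path": ORPHAN.sub("", path),
                                 "orphan": bool(ORPHAN.search(path))})
        elif m := AUTORUN.match(line):
            out["autoruns"].append({"location": m[1], "name": m[2], "command": m[3]})
    return out

def modules_by_path(parsed):
    """Group live hook registrations by DLL so one module's hooks are reviewed together."""
    groups = defaultdict(set)
    for hook in parsed["hooks"]:
        if not hook["orphan"]:
            groups[hook["path"].lower()].add(hook["kind"])
    return dict(groups)
```

On the sample, toolbar.dll shows up as a URL search hook, a BHO and a toolbar at once, which is why clearing the Start Page value alone leaves the other registrations in place.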
 

Heeter

Overclocked Like A Mother
Joined
Jul 8, 2002
Messages
2,732
#15
Adaware and Spybot have been used to no avail. Prizesurfer keeps locking them up. This is info I am getting from the user on this machine.

Heeter
 

XpGuy1

Mindless Poster
Joined
Oct 15, 2002
Messages
136
#18
One question, did it change the homepage to a porn site???? I had this happen recently. I ran ADware and it cured the problem. I have to keep running it though for like a week straight but it doesn't happen anymore and I'm pretty clean now as well.. from all the ad-ware runs..
 

Heeter

Overclocked Like A Mother
Joined
Jul 8, 2002
Messages
2,732
#19
I don't think Prizesurfer is a pron site.
This is someone else's computer, I haven't it.

Heeter
 

Reg

eXperienced!
Joined
Mar 2, 2002
Messages
639
#20
Ad-aware can remove those, you just need to change the settings. Run a custom scan and tell it to search inside archives, search all files and folders, and then run it. From what I have found, a custom scan works MUCH better than the preferred scan.
 
