IE homepage taken over.....

Heeter

Hi Guys,

I have two different friends that have their IE homepage taken over by spyware. What choices do they have in terms of fixing this situation (uninstalling and reinstalling IE?). Spybot is not working in both these instances.


Thanks in advance...

Heeter
 
Perhaps it just changed their current homepage.
Or once they change it, is it reverting again?
 
Try Hijack This or Ad Aware and Spybot Search & Destroy. I have found HJT solves some browser problems that Ad Aware and SpyBot don't.
 
Did you try AdAware? Same thing happened to my son's PC, it took care of it.
 
There is a new lop.com out there making its rounds, and Adaware and Spybot are NOT up to date. I have been trying to remove this from friends' PCs all weekend, dammit....


Adaware, Spybot and Hijack This have not been able to clean it.
 
When you get it sorted you can lock your browser homepage with "StartPage Guard" it's free. For more info type name into your search engine.
 
I will post the log file when they send it to me later. They will use Hijackthis to create the log. Will keep updated. I think that "prizesurfer" has taken over that one person's IE. But will get confirmation.

Heeter
 
Enyo said:

and Enyo if I may - since it is buried pretty far down the list - SpywareGuard notifies you whenever something attempts to change your home page and gives you the capability to stop it from being changed. Thus I feel if it is installed now - it could prevent the hijacks until such time as you get the HJT log run and cleaned out!
 
Okay Guys,

Here is the log for one of the machines.
 

Attachment: hijackthislog.txt
 
You can clearly see it's hijacked by MyWebSearch and ClearSearch.

A lot of the other stuff I can't be certain about without asking Google and checking the BHOs in the database.

While normally I will hunt down info on the processes I don't know, I don't have the time right now.

I will edit the post tomorrow with more info. For now AAW and SpyBot will both remove MyWebSearch, or should.

Here's a quick cut down of the log

Logfile of HijackThis v1.97.7
Scan saved at 8:15:17 PM, on 1/14/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ClearSearch\Loader.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINNT\System32\SahAgent.exe
C:\WINNT\AStart.exe
C:\Program Files\ClientMan\mscman.exe
C:\Program Files\ClientMan\msckin.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~2.DLL
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - c:\program files\clientman\run\dnsrep117d78e0.dll

O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\system32\btiein.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlclib04e59c3.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL
O2 - BHO: (no name) - {DDAAE51B-6CB6-4A9F-8E79-85D982FAE25D} - C:\WINNT\system32\faxevemnt.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINNT\system32\cpr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: (no name) - {DA3F5EC3-9121-4F7D-BFB1-12EC93AEEFE4} - (no file)
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\System32\SahAgent.exe
O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O11 - Options group: [CommonName] CommonName
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
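
For readers triaging a log like the one above, here is an added example (not code from any poster in this thread) that parses HijackThis R0/R1 registry lines and R3/O2/O3 COM entries and lists what deserves a manual look. The sample is an excerpt of the posted log; treating the ISP default from the O14 line (www.sympatico.ca) as the expected host is an assumption, and the flags are review hints, not verdicts.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted above (not the full log).
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
"""

# R0/R1: IE start/search page values.  R3/O2/O3: search hooks, BHOs, toolbars.
REG = re.compile(r"^(R[01]) - (HK\w+)\\.*,(.+?) = (\S*)$")
COM = re.compile(r"^(R3|O2|O3) - [^:]+: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def triage(log, expected_hosts=("www.sympatico.ca",)):
    """Return (unexpected IE URL settings, flagged COM entries,
    CLSIDs registered in more than one section)."""
    urls, flagged, seen = [], [], defaultdict(set)
    for line in log.splitlines():
        line = line.strip()
        if m := REG.match(line):
            _, hive, value, url = m.groups()
            host = urlparse(url).hostname
            if host and host not in expected_hosts:  # assumed baseline
                urls.append((hive, value, host))
        elif m := COM.match(line):
            code, name, clsid, path = m.groups()
            seen[clsid.upper()].add(code)
            reasons = []
            if name == "(no name)":
                reasons.append("unnamed")
            if "(no file)" in path or "(file missing)" in path:
                reasons.append("orphaned")      # registry entry left behind
            if set(clsid) <= set("{}0-"):
                reasons.append("null CLSID")
            if reasons:
                flagged.append((code, clsid, reasons))
    shared = {c: sorted(s) for c, s in seen.items() if len(s) > 1}
    return urls, flagged, shared

if __name__ == "__main__":
    for part in triage(SAMPLE):
        print(part)
```

A CLSID that shows up in more than one section, like the toolbar.dll hook here, means a single component is registered in several places, and every one of those entries has to be fixed or the setting is restored.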
 
Adaware and Spybot have been used to no avail. Prizesurfer keeps locking them up. This is info I am getting from the user on this machine.

Heeter
 
CWS has been run since this log. Will wait for new log after these fixes


Heeter
 
One question, did it change the homepage to a porn site? I had this happen recently. I ran ADware and it cured the problem. I have to keep running it though for like a week straight, but it doesn't happen anymore and I'm pretty clean now as well, from all the ad-ware runs.
 
I don't think Prizesurfer is a porn site.
This is someone else's computer, I haven't it.

Heeter
 
Ad-aware can remove those, you just need to change the settings. Run a custom scan and tell it to search inside archives, search all files and folders, and then run it. From what I have found, a custom scan works MUCH better than the preferred scan.
 
