Go Back  DVD Talk Forum > General Discussions > Tech Talk
Reload this Page >

IE Home Page Parasite

Tech Talk Discuss PC Hardware, Software, Internet and Other Technology

IE Home Page Parasite

Old 07-18-04, 08:22 PM
  #1  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Mar 2000
Posts: 5,420
Likes: 0
Received 0 Likes on 0 Posts
IE Home Page Parasite

I have a parasite that keeps changing my home page to:
http://your-searcher.com/index.htm

It also inserts 4 adult sites into my favorites.

I've run Ad-Ware, Spybot & Hi Jack This but nothing has gotten rid of it yet.

Anyone have any ideas ?

Thanks.
Old 07-18-04, 08:43 PM
  #2  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
First of all turned off System Restore. This is located in the My Computer icon on the desktop and then Properties>System Restore Tab>un-check all drives>click OK. RE-Boot


UnZip HijackThis and Create a file folder for the install on your desktop for it and then run it.
After you have run hijackthis, you will have a list of registry keys and .exe programs that are possible problems. Here you may delete all of the ones that have "your-searcher " listed. This will temporarily clean your IE browser and allow you to reset your homepage. Within about 30 seconds the Trojan will take it back over so you must act quickly and go open up a browser and go to http://www.simplysup.com/tremover/download.html Here you will download the Trojan Remover software. This is what found the Trojan that even Norton (symantec) and all others couldn't find and eliminate. Download it and install it. You can use the trial version to remove the Trojan. I ran it and my file infected with a Trojan was C:\WINDOWS\system32\winlogin.exe This is the Global startup winlogin.exe file that you have in your list. Trojan Remover changed the name of the file and then asked me to reboot. After rebooting I ran Hijackthis again to clear my IE one more time and this time there was no Trojan to reset it!!
Finally, I turned my system restore back on. You can now look for other ads with Spybot or Adaware. Good Luck!

Post your Hijack log next time! After it scans, the scan button will change to savelog. save it to your hard drive and then open the log, copy and paste the contents here.

Please specify the version of Windows and IE you are using next time. (Hijackthis will have this info in the log)

Last edited by 68ShelbyGT500KR; 07-18-04 at 09:14 PM.
Old 07-18-04, 09:25 PM
  #3  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Mar 2000
Posts: 5,420
Likes: 0
Received 0 Likes on 0 Posts
68ShelbyGT500KR.

Thanks for your help.

I tried what you said but it didn't work.
I don't think I rebooted after turning off system restore.
The 1st time I ran Trojan Remover it found something and renamed it. But now when I rerun it it says there are no active malicious files were found.


Logfile of HijackThis v1.98.0
Scan saved at 9:19:31 PM, on 7/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\Program Files\Trojan Remover\xvt6.exe
C:\Program Files\Trojan Remover\xvt6.exe
C:\Documents and Settings\Owner\Desktop\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\IEDOWN~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Old 07-18-04, 09:55 PM
  #4  
DVD Talk God
 
twikoff's Avatar
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,497
Likes: 0
Received 0 Likes on 0 Posts
restart to safe mode
navigate to
C:\WINDOWS\SYSTEM delete MSREXE.EXE
C:\WINDOWS delete DLLHLP.EXE
Boot it back to normal
Turn off ALL internet browsers and apps
Put hjt into its own folder
Run hjt select these and click fix

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
Old 07-18-04, 10:08 PM
  #5  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
I don't know anything about this little program but I have read that it will detect/or remove mybar/realbar lines
Download location: http://downloads.subratam.org/FINDnFIX.exe

Instructions for FindnFix
Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows

except for the FindnFix folder.

Please wait while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will

probably receive an alert warning you that the script is running. "Allow" the script to run.

When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Post the contents of the Win.txt to the same post.

Items that need to be removed are below!
Boot into Safe mode and Let HiJackThis fix these items
(Make sure these 2 items are deleted while in safe mode, winlgn.exe and p2p networking.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://your-searcher.com/index.htm
R0 HKLM\Software\Microsoft\InternetExplorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: myBar BHO{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\ProgramFiles\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program
Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O3 - Toolbar: &SearchBar {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} -
C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: winlgn.exe


When Finished re-run HijackThis and re-post your log
Old 07-18-04, 10:12 PM
  #6  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by twikoff
twinkiff, Am I blind?? I can't find those 2 entires in his log....
MSREXE.EXE
DLLHLP.EXE
Old 07-18-04, 10:27 PM
  #7  
DVD Talk God
 
twikoff's Avatar
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,497
Likes: 0
Received 0 Likes on 0 Posts
i didnt check through his logs..
ran into this same problem with a few computers at work.. and after googling a bit.. this was the answer that kept getting repeated
Old 07-19-04, 10:21 AM
  #8  
Member
 
Join Date: Oct 2002
Location: New York
Posts: 225
Likes: 0
Received 0 Likes on 0 Posts
if what the pros suggest dont work, try running bazooka from download.com. it lists things that might be malicious that are running & tells you how to remove them. be sure to update first.

you should also utilize a program like spybot that disables changes made to your internet options like homepages, etc...
Old 07-19-04, 06:02 PM
  #9  
Senior Member
 
Join Date: Dec 1999
Posts: 327
Likes: 0
Received 0 Likes on 0 Posts
Struz,

Fix the problem yet? Is that HiJackThis log current?
Old 07-19-04, 07:41 PM
  #10  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by csteak101
Struz,

Fix the problem yet? Is that HiJackThis log current?

Yeah, I am waiting on his new log too...
Old 07-19-04, 07:59 PM
  #11  
DVD Talk Godfather
 
DVD Polizei's Avatar
 
Join Date: Jan 2002
Posts: 52,609
Received 1 Like on 1 Post
PestPatrol does a pretty good job of removing stuff like this:

http://www.pestpatrol.com/Products/

There's a free online scan button in the upper-right of the screen.

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread

Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information

Copyright 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.