Corrine
 Administrator Joined: 18 Jan 2001 Posts: 13527 Location: Upstate, NY
|
Posted: Thu Mar 04, 2004 21:45 pm Post subject: |
|
|
Clinton, please don't do anything right now. Your HijackThis log is being reviewed as I type.
_________________
Freedomlist.com (March 1, 2000 - 2013)
Take a walk through my Security Garden
Last edited by Corrine on Thu Mar 04, 2004 21:47 pm; edited 1 time in total |
|
Die Hard
Joined: 29 Feb 2004 Posts: 10
|
Posted: Thu Mar 04, 2004 21:45 pm Post subject: |
|
|
clinton, hi
Please close all open applications and IE, run HJT and put a checkmark next to those details. Then click on "fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://brutal-video.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://brutal-video.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drusearch.com/search.html
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
Then you need to reboot, preferably into safe mode. (Press F8 repeatedly at start)
If you please could move this file, in bold:
C:\WINDOWS\system32\rundll32.vbe
to a temp folder and have it submitted for us at: http://www.lavahelp.com/submit/index.html
Then rid you of the file and empty your dustbin
regards
Die Hard |
|
winchester73
 Malware Response Team 
Joined: 01 Mar 2004 Posts: 481 Location: Somewhere along Tobacco Road, North Carolina
|
Posted: Thu Mar 04, 2004 21:49 pm Post subject: |
|
|
Die Hard ...
You beat me ... but my tired eyes see 3 entries, not 2:
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
 _________________ Speak softly, but carry a Winchester
Member of , the Alliance of Security Analysis Professionals
Last edited by winchester73 on Thu Mar 04, 2004 21:51 pm; edited 1 time in total |
|
Corrine
 Administrator Joined: 18 Jan 2001 Posts: 13527 Location: Upstate, NY
|
Posted: Thu Mar 04, 2004 21:51 pm Post subject: |
|
|
Thanks for coming so quickly, DieHard! Appreciate the fast response.
Clinton, I've been working with these folks for a while now. They really know what they're doing so you are in good hands. Just follow the instructions carefully and let us know how it works out.
Don't forget to submit the file. Doing that will get it added to the reference files & help the next person clean it easily.
_________________
Freedomlist.com (March 1, 2000 - 2013)
Take a walk through my Security Garden |
|
winchester73
 Malware Response Team 
Joined: 01 Mar 2004 Posts: 481 Location: Somewhere along Tobacco Road, North Carolina
|
Posted: Thu Mar 04, 2004 21:53 pm Post subject: |
|
|
So as to make sure there is no confusion ... fix everything in DieHard's list, and also this one item:
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
_________________
Speak softly, but carry a Winchester
Member of , the Alliance of Security Analysis Professionals |
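
Added example (not part of the original posts and not HijackThis code): the posts above turn on one file being launched from three autorun keys, one of which the first fix list left out. This Python script groups the O4 registry lines of a log by target and reports any location a proposed fix list does not cover; the function names and the script-extension list are assumptions made for illustration.

```python
import re

# Constructed input: O4 lines copied from the two logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
"""

# Registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]+)\] (.+)$")
# Assumption: script-host file types worth a second look when they autostart.
SCRIPT_TARGET = re.compile(r'\.(vbe|vbs|jse|js|wsf)(?=[\s"]|$)', re.I)


def autoruns_by_target(log_text):
    """Map each autorun command (lower-cased) to every hive/key that starts it."""
    found = {}
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if m:  # Startup-folder lines use another layout and are skipped here
            hive, key, _name, command = m.groups()
            found.setdefault(command.lower(), []).append(f"{hive}\\{key}")
    return found


def script_autoruns(log_text):
    """Keep only the autoruns whose command points at a script file."""
    return {cmd: locs for cmd, locs in autoruns_by_target(log_text).items()
            if SCRIPT_TARGET.search(cmd)}


def missing_from_fix_list(log_text, fix_list):
    """(command, location) pairs for script autoruns the fix list leaves out."""
    return [(cmd, loc) for cmd, locs in script_autoruns(log_text).items()
            for loc in locs if loc not in fix_list]


if __name__ == "__main__":
    first_list = {r"HKLM\Run", r"HKCU\Run"}  # the two O4 keys in the first reply
    for cmd, loc in missing_from_fix_list(SAMPLE_LOG, first_list):
        print(f"not covered: {loc} -> {cmd}")
```
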
|
clinton
Guest
|
Posted: Thu Mar 04, 2004 22:51 pm Post subject: |
|
|
not sure how to do what die hard wants?
What is a safe mode, press F8 when the computer starts up again. How do I move the file?
Then you need to reboot, preferably into safe mode. (Press F8 repeatedly at start)
If you please could move this file, in bold:
C:\WINDOWS\system32\rundll32.vbe |
|
clinton
Guest
|
Posted: Thu Mar 04, 2004 23:13 pm Post subject: |
|
|
Corrine,
I did what was suggested and it seems to work. But, (as always) the sites continue to show in my favorites? How can I get them out of there? |
|
clinton
Guest
|
Posted: Thu Mar 04, 2004 23:17 pm Post subject: |
|
|
Corrine,
I also have 15 new icons on my desktop that different things like:
back-20040304-230233-650
All have this similar lettering and numbering. What do I do with these?
Clinton |
|
Die Hard
Joined: 29 Feb 2004 Posts: 10
|
Posted: Fri Mar 05, 2004 3:58 am Post subject: |
|
|
clinton,
Those files on your desktop are the "backup"-files from HJT.
They end up there, when you have HJT on your desktop:
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
You could delete those files, they are of no use.
Please scan again with HJT and post a new log and let's have a look at it.
regards
Die Hard  |
|
Clinton
Guest
|
Posted: Fri Mar 05, 2004 5:48 am Post subject: |
|
|
Mr. Die Hard,
At a little before 6:00 am in Atl, Ga things seem to be working well. Only small problem is I still have the drusearch and coolsearcher.net icons on my desktop. If I must live with those I can. Just thrilled to no longer have the porn %^$&#*@(@(@.
Thank You and everyone else for the help.
The new Hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 5:43:26 AM, on 3/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SDPAPIS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [SDPAPIS] C:\WINDOWS\SYSTEM\SDPAPIS.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...wflash.cab |
|
Die Hard
Joined: 29 Feb 2004 Posts: 10
|
Posted: Fri Mar 05, 2004 8:10 am Post subject: |
|
|
Clinton
There are a couple of things you could do to rid you of the shortcuts. The first, which you already tried I guess, is to delete them from the desktop. But isn't it so, that they return after a reboot?
The other thing you could try is to right-click on the icons, then click "properties" and under tab "shortcut" you will have the filepath. Copy it into the search feature and the file will show. Then right-click on the file and choose (I'm a little uncertain here as I have to translate, but I think it would be) "open the folder of the object" or something similar. Once there, delete the source of the shortcut, which I think is an IE-icon.
Regards
Die Hard  |
|
Original Guest 1
Guest
|
Posted: Fri Mar 05, 2004 10:59 am Post subject: Drag your Icons into the recycle/trash bin. |
|
|
Drag your Icons into the recycle/trash bin.
Empty bin.
Restart your PC
Icons gone.
For "favorites" delete
highlight
right click mouse button
select and left click "delete" |
|
Clinton
Guest
|
Posted: Fri Mar 05, 2004 12:12 pm Post subject: |
|
|
Corrine, Die Hard, Winchester73, Original Guest1:
Thank You for all the help!!! Whatever I had is gone.
Thanks Again,
Clinton |
|
Corrine
 Administrator Joined: 18 Jan 2001 Posts: 13527 Location: Upstate, NY
|
Posted: Fri Mar 05, 2004 12:28 pm Post subject: |
|
|
Wonderful news! Thanks for letting us know. If you have any more problems along this line, don't hesitate to ask.
_________________
Freedomlist.com (March 1, 2000 - 2013)
Take a walk through my Security Garden |
|
winchester73
 Malware Response Team 
Joined: 01 Mar 2004 Posts: 481 Location: Somewhere along Tobacco Road, North Carolina
|
Posted: Fri Mar 05, 2004 13:16 pm Post subject: |
|
|
Top job ...
_________________
Speak softly, but carry a Winchester
Member of , the Alliance of Security Analysis Professionals |
|
tad12
๑۞๑ Joined: 06 Mar 2002 Posts: 1257
|
Posted: Fri Mar 05, 2004 15:13 pm Post subject: |
|
|
| Hope you installed SpywareBlaster. Also SpywareGuard which will monitor your homepage and alert you to any attempted change. |
|
homepage problem
Guest
|
Posted: Sat Mar 13, 2004 12:39 pm Post subject: |
|
|
| OK, I have a problem similar to Clinton's. My homepage keeps changing to C:\WINDOWS\homepage.htm. I've tried spybot, adaware, and I have spyware blaster. None of them worked. I have downloaded hijack this. Can you please help me with this? It's really annoying. |
|
lion6644
Joined: 13 Mar 2004 Posts: 17
|
Posted: Sat Mar 13, 2004 13:08 pm Post subject: |
|
|
| This is homepage problem. I just registered. I started a new thread in the help tips and tricks about this. I really need help. Thanks. |
|
Corrine
 Administrator Joined: 18 Jan 2001 Posts: 13527 Location: Upstate, NY
|
|