IE Annoying Homepage problem

IceCube · Post by **IceCube** » Tue May 04, 2004 10:49 am

Whenever I start up my homepage (ie. opening internet explorer) this annoying website would set itself as the default homepage.
An example would be:

I want google.com to be my default homepage, but whenever i open IE, a page (ie. yahoo.com) would actually become my default and not my desired google.com. In other words, I couldn't get the my default homepage to appear.

I've tried deleting cookies, history, checking for spyware, but everytime I open IE, this darn annoying unwanted webpage would pop up!!!

Anyone know what the problem is??

Thx

lobosblanco · Post by **lobosblanco** » Tue May 04, 2004 10:52 am

im assuming you tried to set your homepage back through internet options

Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to it’s own folder (not temporary files or the desktop).
Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

IceCube · Post by **IceCube** » Tue May 04, 2004 11:04 am

thx! that was quick! It's the http://kv163.com site that's giving me the headache!

----------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 11:02:07, on 4/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\PC-CIL~1\Pop3trap.exe
C:\PROGRA~1\ISTsvc\istsvc.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\PROGRA~1\TRENDM~1\PC-CIL~1\WEBTRA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\HIJACK~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://kv163.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kv163.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kv163.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page ... _id=133720
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kv163.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://kv163.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kv163.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.library.utoronto.ca:8080
R3 - URLSearchHook: (no name) - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [nmsrvcm] C:\WINDOWS\System32\nmsrvcm.exe
O4 - HKLM\..\Run: [LogFeil] regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer
O4 - HKLM\..\RunOnce: [LogFeil] C:\$NtUninstallQ8875736$\WINSYS.vbs
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Short Message (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10e264ed6882c73f90 ... RdxIE2.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/cab/SysUpd.CAB

lobosblanco · Post by **lobosblanco** » Tue May 04, 2004 11:22 am

you probably have some of these programs
but download if you dont

cwshredder
http://www.spywareinfo.com/~merijn/cwsc ... cwshredder
Download AdAware 6 181
http://www.lavasoftusa.com/
Download Spybot - Search & Destroy from
http://security.kolla.de

first
run cwshredder
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")

reboot

then run

AdAware

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

Then......

Click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

Then.........

Go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" and "Let windows remove files in use at next reboot"

Then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished mark everything for removal and get rid of it.(Right-click the window and choose"select all" from the drop down menu)

reboot

then run

Spybot - Search & Destroy

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED

post a fresh log

lobosblanco · Post by **lobosblanco** » Tue May 04, 2004 12:03 pm

after you do all that

first put hijackthis into its own folder

next

ctrl-alt del
stop these
Running processes:

istsvc.exe

run hjt put a check next to these, close all browsers and hit fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://kv163.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kv163.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kv163.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=133720
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kv163.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://kv163.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kv163.com

R3 - URLSearchHook: (no name) - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll

O4 - HKLM\..\Run: [ISTsvc] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [nmsrvcm] C:\WINDOWS\System32\nmsrvcm.exe
O4 - HKLM\..\Run: [LogFeil] regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer
O4 - HKLM\..\RunOnce: [LogFeil] C:\$NtUninstallQ8875736$\WINSYS.vbs

O9 - Extra button: Sidesearch (HKLM)

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/10e264ed6882c7...tzip/RdxIE2.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...ise/install.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/cab/SysUpd.CAB

rebbot into safe mode
delete what is in bold

C:\WINDOWS\SysUpd.exe
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\nmsrvcm.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ISTbar\istbar.dll
c:\PROGRA~1\win32.dll

then come back and post a fresh log

IceCube · Post by **IceCube** » Tue May 04, 2004 12:57 pm

Thx!!! It's fixed now....but I couldn't find any of the files that you specified for deleting in safe mode. Thanks!!! You give excellent step by step instructions!!! So easy to follow.

---------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 12:53:09, on 4/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\PC-CIL~1\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\PC-CIL~1\WEBTRA~1.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\hajack\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.library.utoronto.ca:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: (no name) - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Short Message (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab

lobosblanco · Post by **lobosblanco** » Tue May 04, 2004 12:59 pm

thankyou

glad to help

now

Also try spyware guard and spyware blaster http://www.javacoolsoftware.com
spyware blaster will block spyware from comming in when you surf the net(compatible with IE, mozilla and firefox) and spyware guard is a resident scanner

IceCube · Post by **IceCube** » Tue May 04, 2004 5:58 pm

ok, I'll give it a try. Thanks again!

YARDofSTUF · Post by **YARDofSTUF** » Tue May 04, 2004 6:18 pm

Also in Control Panel under Internet Tools, check your security settings, dont allow 3rd party cookies.

I like adaware and spybot as my main scanners, spybot blocks alot. spyblaster's settings can be read by other spyware finders as spyware, so I dont use it anymore. The immunize feature is great in spybot.

I keep hijackthis and cwshredder around for any emergencies.

Joe · Post by **Joe** » Fri May 07, 2004 11:55 pm

get hijackthis.... or better yet get any form of mozilla.. serious