May 26th, 2005
0

homepage hijack please help!

I have been struggling to fix this for a couple days now. I've run ad-aware, spybot, and many other programs. But I really don't know what I'm doing. I change my homepage and it just keeps resetting back to www.findyourcouple.com. It seems like it's forwarding to another page every day. First it was a dating website, then it was a porn site, and now it's advertising a spyware program. Here is my hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 11:28:40 PM, on 5/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Documents and Settings\Ann Lee\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ATnotes.lnk = C:\Program Files\ATnotes\ATnotes.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup152.cab
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Any help would be much appreciated! My windows xp search companion is not working, so I can't search for specific files. Perhaps someone can help me with that too....my search companion doesn't seem to finish loading or something; it is just blank. Also, my internet explorer favorites contains all WINNT folders. I don't understand why. Anyway, maybe I should deal with one problem at a time. Taking care of this hijack problem is a priority. Thanks!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
aslee
5 posts
since May 2005
May 26th, 2005
0

Re: homepage hijack please help!

Hi aslee, welcome to DaniWeb

This first part is kind of a guess, so you may not find any of the files listed.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe


If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Delete any icons from your desktop that you didn't put there, and empty your Recycle Bin.

Scan with hijackthis, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Be sure all windows, other than hijackthis, are closed before hitting Fix checked.

Go to C:\WINNT\web and delete related.htm

Reboot again, close any open browser windows, scan with hijackthis, and post a new log please. Let us know if you found any of those files listed near the beginning and if you're still being hijacked.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213
2,962 posts
since Jul 2004
May 26th, 2005
0

Re: homepage hijack please help!

Thanks dlh6213 for the reply.

I followed your directions and booted in safe mode. However, my search companion does not work, so I was unable to search those files you listed. I looked in C:\WINNT\System32 and didn't see any of those files in there. Can you tell me where else I might look?

I continued with the next part and fixed the things you listed on hijackthis, and deleted the related.htm file. Here is my new log:

Logfile of HijackThis v1.99.0
Scan saved at 1:32:31 AM, on 5/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Ann Lee\Desktop\HijackThis.exe
C:\WINNT\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ATnotes.lnk = C:\Program Files\ATnotes\ATnotes.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup152.cab
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


It looks like it's still there, and I'm still being hijacked. Any more advice? Thank you so much!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
aslee
5 posts
since May 2005
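
An added example, not part of any post in this thread: a small Python check that parses HijackThis entry lines and reports which of the entries selected for fixing are still present in the follow-up log. A fixed R0/R1 value that reappears means something still active on the machine rewrote it. The excerpts are copied from the fix list and second log above; the function names are assumptions of this example.

```python
import re

# HijackThis entry lines: "<section> - <detail>", e.g. "R0 - ..." or "O4 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")
# IE page settings have the form "<registry key>,<value name> = <data>".
PAGE_RE = re.compile(r"^(?P<key>HK\w+\\[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")

# Excerpt of the entries the helper asked to have fixed (from the thread).
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
"""

# Excerpt of the log posted after the fix and reboot (from the thread).
AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
"""

def parse_entries(log_text):
    """Return (section, detail) tuples; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def check_fix(fix_list, after_log):
    """Split the entries selected for fixing into (removed, persisted)."""
    remaining = set(parse_entries(after_log))
    removed, persisted = [], []
    for entry in parse_entries(fix_list):
        (persisted if entry in remaining else removed).append(entry)
    return removed, persisted

def page_setting(detail):
    """Return (registry key, value name, data) for an R-section detail, else None."""
    m = PAGE_RE.match(detail)
    return (m.group("key"), m.group("name"), m.group("data")) if m else None

if __name__ == "__main__":
    removed, persisted = check_fix(FIX_LIST, AFTER)
    for section, detail in persisted:
        print("STILL PRESENT", section, page_setting(detail) or detail)
    for section, detail in removed:
        print("gone         ", section, detail)
```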
May 26th, 2005
0

Re: homepage hijack please help!

Those files are usually found in the C:\Windows\System32 folder, but one user reported finding one of the files in a "C:\!Submit" folder, so you may want to see if you have one of those too. As I said before, those files are just a hunch; the symptoms you described seem similar to other infections going around recently.

Have you tried using System Restore to return to a point prior to when you lost your search function?

If that doesn't work, try an in-place upgrade (aka repair installation); instructions can be found here:

http://support.microsoft.com/default...&Product=winxp

You should also go to Windows Update and get SP1 for XP.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213
2,962 posts
since Jul 2004
May 26th, 2005
0

Re: homepage hijack please help!

Couldn't find any of those files. I tried to do a system restore at a couple points, and I get a message saying it couldn't restore it to that point. I believe I've downloaded the most recent Windows XP update. That brings up another problem, the automatic update icon is ALWAYS in my taskbar. If I install it, it returns right away. I believe it's installing the same thing every time. I can't repair Windows because I don't have the CD with me. Any other ideas? Thanks so much for your help!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
aslee
5 posts
since May 2005
May 27th, 2005
0

Re: homepage hijack please help!

Quote originally posted by aslee ...
Any other ideas?
I'm afraid I don't at the moment; I'll see if I can find out anything. Maybe someone else here will have some suggestions.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213
2,962 posts
since Jul 2004
May 28th, 2005
0

Re: homepage hijack please help!

Thanks for your help anyway.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
aslee
5 posts
since May 2005
Jun 20th, 2005
1

Re: homepage hijack please help!

Had the same problem.
I downloaded the Spy Sweeper program from www.freedownloads.com.
This is a free program to test for a period of time.
It restored my home page, got rid of all the spyware and protects your machine.


Bruce Scott
Reputation Points: 13
Solved Threads: 1
Newbie Poster
bruce Scott
1 posts
since Jun 2005
Jun 21st, 2005
0

Re: homepage hijack please help!

Thank you so much!! I have been struggling forever with this and it was as easy as downloading this program. I am soo happy! Thank you!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
aslee
5 posts
since May 2005
Jun 21st, 2005
0

Re: homepage hijack please help!

Quote originally posted by aslee ...
Thank you so much!! I have been struggling forever with this and it was as easy as downloading this program. I am soo happy! Thank you!
Glad Bruce was able to help you get this fixed finally.

As soon as possible, you should go to Windows Update and get (at least) SP1a for XP.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213
2,962 posts
since Jul 2004

This thread is solved
