How to remove browser pages?

Discussion in 'privacy problems' started by dags, Aug 6, 2003.

Thread Status:
Not open for further replies.
  1. dags
    Offline

    dags Registered Member

    Hi, I installed SpywareBlaster due to some porn nasties that hijacked my address bar. This and upgrading to IE6 latest version and deleting hkey_current_user\software\microsoft\internetexplorer\toolbar with regedit seems to have fixed all problems.
    However I noticed when I go to tools in Blaster, there is some nasty urls in my browser page list.
    Is there a way of deleting them.
    I used the change option to change them to friendly urls. But if I go to one of those "friendly" sites, the nasty url appears as an alias in history.
    I guess changing the browser urls to something invalid which I won't use will stop it appearing in history, but would prefer to remove it off possible.
    Thanks
    Steve
  2. LowWaterMark
    Offline

    LowWaterMark Administrator

    Hi Steve,

    You probably have a browser hijack that needs to be repaired in other ways then just trying to over write those URLs. Posting a log from the program HijackThis will give the people here a chance to help you repiar these problems completely.

    Go to http://www.tomcoyote.org/hjt and download "HijackThis!". Unzip it. Run the HijackThis.exe file and press the [Scan] button... When the scan is finished, the [Scan] button will change into a [Save Log] button. Press that, save the log somewhere and paste the contents into a post here for us to look at.

    Note that much of what will be listed there is correct and should not be fixed. So, just post the output here and let's see if the people here can help identify the problem.
  3. dags
    Offline

    dags Registered Member

    Hi, It seems that typed urls are still being hijacked to porn sites. Here is the scan from hijack this.
    ps. adaware scan came back clean.

    Logfile of HijackThis v1.96.0
    Scan saved at 6:58:58 PM, on 6/08/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\hh.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\DOCUME~1\dad\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = a
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = a
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.members.optusnet.com.au/sdag1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = a
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = a
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = a
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll
    O2 - BHO: AdIteFiltr - {3FF41DB4-33EA-4D77-9D24-180754FF76F2} - C:\PROGRAM FILES\ADIEFILTR\ADIEFLTR.DLL
    O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Exif Initializer Ver.1.0] C:\Program Files\FUJIFILM\Exif Initializer Ver.1.0\EXIFINIT.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
    O8 - Extra context menu item: IE_Speakster - C:\Windows\IE_Speakster.htm
    O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
    O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
    O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
    O9 - Extra 'Tools' menuitem: AdIeFiltr Options (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SurfSaver (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
    O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
    O16 - DPF: Win32 Classes -
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://66.28.45.60/FreeMP3_v2.0.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37788.9113310185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B29E62-33E5-48CC-A4D8-78FD66BAC1BC}: NameServer = 198.142.0.51 203.2.75.132

    thanks
    Steve
  4. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Hi dags,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = a
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = a

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = a
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = a

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = a
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = a
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll

    O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll

    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)

    O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
    O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
    O16 - DPF: Win32 Classes -

    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://66.28.45.60/FreeMP3_v2.0.exe

    Reboot after doing so, and make a new log to see if everything I listed is really gone.

    Do you use this program: http://www.utils32.com/adiefiltr.asp ?
    Just for my curiosity. ;)

    Regards,

    Pieter
  5. dags
    Offline

    dags Registered Member

    Thanks Pieter,
    That worked beautifully.
    Typed url's now going where they should.
    I also noticed in that report 8 lines of code that end in "= a". I actually changed all the nasty urls that appeared in the Spyblaster browser page list to just "a". Do you think I should remove those as well?

    Re Adielfiltr, It's installed, but I've never really set it up properly. Do you recomend using it or removing.
    :D
  6. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    It's best to have HijackThis repair them. The unnecessary ones will be removed and the others will get reset to blank or default.

    I'm not sure about AdIeFilter. I just asked because I had never seen this one before:
    O2 - BHO: AdIteFiltr - {3FF41DB4-33EA-4D77-9D24-180754FF76F2} - C:\PROGRAM FILES\ADIEFILTR\ADIEFLTR.DLL

    Never heard anything good or bad about it, so if you like it, keep it and if you don't, uninstall it.
    If you choose to uninstall check with HijackThis if the abovementioned entry disappears or gets set to (no file). It should disappear if the uninstall is any good, but you never know.

    Regards,

    Pieter
  7. dags
    Offline

    dags Registered Member

    Thanks for your help
    Really appreciate it.
    Think I will uninstall adielfltr
    Thanks
    Steve :D
  8. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Glad we could help. :)

    Regards,

    Pieter
  9. dags
    Offline

    dags Registered Member

    Hi, since this problem, I've started getting browser shutdowns with "urlmon.dll" exception errors.
    Not sure if this is related to the hijacking, my upgrade to IE6 SP1 or something else again.
    I've tried restoring to previous IE version
    I tried this fix I found mentioned somewhere "regsvr32 urlmon.dll", but the problem is still happening.
    Any ideas, or should I raise this as a new question in a different forum.
    Maybe, I'll just start using netscape :)
    Thanks
    Steve o_O
  10. Prince_Serendip
    Offline

    Prince_Serendip Registered Member

    :) Hi dags!

    I am not an expert but here's some info that might help.

    DLL File: urlmon or urlmon.dll
    DLL Name: OLE32 Extensions for Win32
    Description: Contains functions used by Microsoft OLE (Object Linking and Embedding)
    System DLL: Yes

    Common Errors: File Not Found, Missing File, Exception Errors
    Note: Many of these problems are caused by uninstalling an app which used this dll. If the DLL is missing, download it to your windows system folder from:

    http://www.dll-files.com/

    Best of luck to you from Larry :)
  11. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Hi dags,

    Also have a look at this site:
    http://www.theeldergeek.com/repair_reinstall_ie_and_oe_6.htm

    Regards,

    Pieter
Thread Status:
Not open for further replies.