Homepage hijacked!!!

Discussion in 'adware, spyware & hijack cleaning' started by Azirafal, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Hi,

    I've got a serious problem with my homepage. I run a IE and have Win 98. In the Internet Options my default homepage is set to "about:blank" and at IE startup it redirects me to some page "SmartSearch". I triedchanging it in Internet Options, in the registry, I tried Ad-Aware, SpySweeper, Spybot S&D, CWShredder... Everything. But it just doesn't get deleted and keeps coming back!!! I really don't know what to do. Please help!

    Here's my HijackThis! log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:24:33, on 04-06-30
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\TOOLS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jerozolimskie.waw.pl:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_7651.dll' missing
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I would be very greatful for any help!!!

    Azirafal
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Azirafal,

    Copy the contents of the bold text to Notepad.
    Name the file Appinit.bat
    Save as type *All Files*
    Save on the Desktop.

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Post the content please.

    Regards,

    Pieter
     
  3. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    It says I don't have the file windows1.hiv
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That is correct. My mistake. Windows 98. :oops:

    Can you disable all the browser protection you have and then change it in Internet-options?

    See if it survives a reboot. It could be one of the programs protecting you that is holdong that setting.

    Regards,

    Pieter
     
  5. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    I don't think I have any browser protection! :doubt: I think I even disabled NortonAV already.

    I tried changing it in the internet options and rebooting. I scanned the comp zillions of times with Ad-Aware, CWShredder, Spybot S&D and everything else _and_ rebooting - nothing helped. Changing the start page in Internet options only helps while IE is running. As soon as I open it again or a new window the settings there are changed as well!!! :'(

    I really don't know what to do...
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    SpySweeper has browser protection and so does Spybot S&D.

    Regards,

    Pieter
     
  7. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Oh yeah, right. But I don't have them tuner on. And neither one has that option turned on a tthe moment. I think I even might have already deleted spy Sweeper, but I'm sure that Spybot has that option unchecked. :doubt:
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  9. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    I got this:

    Logfile of HijackThis v1.98.0
    Scan saved at 14:15:06, on 04-06-30
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\TOOLS\HIJACKTHIS1980.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jerozolimskie.waw.pl:8080
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_7651.dll' missing
    O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    There it is. :)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

    Then reboot and find C:\WINDOWS\SYSTEM\MSXWORD.DLL
    Send a copy (preferably zipped) to pieterATwilderssecurity.org (relpace AT with @)
    Then delete it.

    Regards,

    Pieter
     
  11. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you!

    I am in a great debt!!! You are my one and only saviour, Pieter!!! I do not know how to thank you enough! After almost a month of struggles and unhelping advices I have been cured!!!

    Thank you once again!!! :D :D :D :D :D
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    My pleasure. :)
    Did you send me the file?
    If you did, we can help others easier in the future.

    Regards,

    Pieter
     
  13. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Yes, I've sent it to the adress you wrote in your post. Thanks again for your help! i hope the file will help some people in the future, to not be in such a troublesome situation as I was.

    Thanks again!

    Keep up the good work! :D
     
Thread Status:
Not open for further replies.