Homepage hijacked!!!

Discussion in 'adware, spyware & hijack cleaning' started by Azirafal, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Hi,

    I've got a serious problem with my homepage. I run IE and have Win 98. In the Internet Options my default homepage is set to "about:blank" and at IE startup it redirects me to some page "SmartSearch". I tried changing it in Internet Options, in the registry, I tried Ad-Aware, SpySweeper, Spybot S&D, CWShredder... Everything. But it just doesn't get deleted and keeps coming back!!! I really don't know what to do. Please help!

    Here's my HijackThis! log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:24:33, on 04-06-30
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\TOOLS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jerozolimskie.waw.pl:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_7651.dll' missing
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I would be very grateful for any help!!!

    Azirafal
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Azirafal,

    Copy the contents of the bold text to Notepad.
    Name the file Appinit.bat
    Save as type *All Files*
    Save on the Desktop.

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Post the content please.

    Regards,

    Pieter
     
  3. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    It says I don't have the file windows1.hiv
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    That is correct. My mistake. Windows 98. :oops:

    Can you disable all the browser protection you have and then change it in Internet-options?

    See if it survives a reboot. It could be one of the programs protecting you that is holding that setting.

    Regards,

    Pieter
     
  5. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    I don't think I have any browser protection! :doubt: I think I even disabled NortonAV already.

    I tried changing it in the internet options and rebooting. I scanned the comp zillions of times with Ad-Aware, CWShredder, Spybot S&D and everything else _and_ rebooting - nothing helped. Changing the start page in Internet options only helps while IE is running. As soon as I open it again or a new window the settings there are changed as well!!! :'(

    I really don't know what to do...
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    SpySweeper has browser protection and so does Spybot S&D.

    Regards,

    Pieter
     
  7. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Oh yeah, right. But I don't have them turned on. And neither one has that option turned on at the moment. I think I even might have already deleted SpySweeper, but I'm sure that Spybot has that option unchecked. :doubt:
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
  9. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    I got this:

    Logfile of HijackThis v1.98.0
    Scan saved at 14:15:06, on 04-06-30
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\TOOLS\HIJACKTHIS1980.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jerozolimskie.waw.pl:8080
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_7651.dll' missing
    O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    There it is. :)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

    Then reboot and find C:\WINDOWS\SYSTEM\MSXWORD.DLL
    Send a copy (preferably zipped) to pieterATwilderssecurity.org (replace AT with @)
    Then delete it.

    Regards,

    Pieter
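
Added example, not part of the original thread: a small triage script for the O18 section of a HijackThis log. It groups protocol-handler entries by CLSID, so the path-less "Protocol hijack: about" line is tied to the DLL named on the sibling "start" line. The O18 line layout is an assumption inferred from the two lines in the log above, and the function names are hypothetical.

```python
import re

# Constructed sample: O-section lines copied from the second log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [internat.exe] internat.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7651.dll' missing
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
"""

# Assumed layout: "O18 - Protocol[ hijack]: <scheme> - {CLSID}[ - <file>]"
O18_RE = re.compile(
    r"^O18 - Protocol(?P<hijack> hijack)?: (?P<scheme>[^ ]+) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: - (?P<path>.+))?$"
)

def parse_o18(log_text):
    """Return one dict per O18 line: scheme, clsid, path (may be None), hijack flag."""
    entries = []
    for line in log_text.splitlines():
        m = O18_RE.match(line.strip())
        if m:
            entries.append({
                "scheme": m["scheme"].lower(),
                "clsid": m["clsid"].upper(),
                "path": m["path"],
                "hijack": bool(m["hijack"]),
            })
    return entries

def triage_o18(log_text):
    """Group O18 entries by CLSID so a path-less hijack line inherits the
    file named on any other line that registers the same handler."""
    by_clsid = {}
    for e in parse_o18(log_text):
        g = by_clsid.setdefault(e["clsid"], {"schemes": [], "paths": set(), "hijack": False})
        g["schemes"].append(e["scheme"])
        g["hijack"] = g["hijack"] or e["hijack"]
        if e["path"]:
            g["paths"].add(e["path"])
    # Report only handlers that HijackThis itself marked as a hijack.
    return {c: {"schemes": sorted(g["schemes"]), "files": sorted(g["paths"])}
            for c, g in by_clsid.items() if g["hijack"]}

if __name__ == "__main__":
    for clsid, info in triage_o18(SAMPLE_LOG).items():
        print(clsid, info["schemes"], info["files"])
```
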
     
  11. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you!

    I am in a great debt!!! You are my one and only saviour, Pieter!!! I do not know how to thank you enough! After almost a month of struggles and unhelpful advice I have been cured!!!

    Thank you once again!!! :D :D :D :D :D
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    My pleasure. :)
    Did you send me the file?
    If you did, we can help others easier in the future.

    Regards,

    Pieter
     
  13. Azirafal

    Azirafal Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    7
    Yes, I've sent it to the address you wrote in your post. Thanks again for your help! I hope the file will help some people in the future, to not be in such a troublesome situation as I was.

    Thanks again!

    Keep up the good work! :D
     