How to remove browser pages?

dags · Aug 6, 2003

Hi, I installed SpywareBlaster due to some porn nasties that hijacked my address bar. This and upgrading to IE6 latest version and deleting hkey_current_user\software\microsoft\internetexplorer\toolbar with regedit seems to have fixed all problems.
However I noticed when I go to tools in Blaster, there is some nasty urls in my browser page list.
Is there a way of deleting them.
I used the change option to change them to friendly urls. But if I go to one of those "friendly" sites, the nasty url appears as an alias in history.
I guess changing the browser urls to something invalid which I won't use will stop it appearing in history, but would prefer to remove it off possible.
Thanks
Steve

LowWaterMark · Aug 6, 2003

Hi Steve,

You probably have a browser hijack that needs to be repaired in other ways then just trying to over write those URLs. Posting a log from the program HijackThis will give the people here a chance to help you repiar these problems completely.

Go to http://www.tomcoyote.org/hjt and download "HijackThis!". Unzip it. Run the HijackThis.exe file and press the [Scan] button... When the scan is finished, the [Scan] button will change into a [Save Log] button. Press that, save the log somewhere and paste the contents into a post here for us to look at.

Note that much of what will be listed there is correct and should not be fixed. So, just post the output here and let's see if the people here can help identify the problem.

dags · Aug 6, 2003

Hi, It seems that typed urls are still being hijacked to porn sites. Here is the scan from hijack this.
ps. adaware scan came back clean.

Logfile of HijackThis v1.96.0
Scan saved at 6:58:58 PM, on 6/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\hh.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\dad\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = a
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = a
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.members.optusnet.com.au/sdag1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = a
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = a
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll
O2 - BHO: AdIteFiltr - {3FF41DB4-33EA-4D77-9D24-180754FF76F2} - C:\PROGRAM FILES\ADIEFILTR\ADIEFLTR.DLL
O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Exif Initializer Ver.1.0] C:\Program Files\FUJIFILM\Exif Initializer Ver.1.0\EXIFINIT.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: IE_Speakster - C:\Windows\IE_Speakster.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O9 - Extra 'Tools' menuitem: AdIeFiltr Options (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: SurfSaver (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O16 - DPF: Win32 Classes -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://66.28.45.60/FreeMP3_v2.0.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37788.9113310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B29E62-33E5-48CC-A4D8-78FD66BAC1BC}: NameServer = 198.142.0.51 203.2.75.132

thanks
Steve

Pieter_Arntz · Aug 6, 2003

Hi dags,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = a
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = a

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = a
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = a

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = a
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll

O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll

O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)

O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O16 - DPF: Win32 Classes -

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://66.28.45.60/FreeMP3_v2.0.exe

Reboot after doing so, and make a new log to see if everything I listed is really gone.

Do you use this program: http://www.utils32.com/adiefiltr.asp ?
Just for my curiosity.

Regards,

Pieter

dags · Aug 6, 2003

Thanks Pieter,
That worked beautifully.
Typed url's now going where they should.
I also noticed in that report 8 lines of code that end in "= a". I actually changed all the nasty urls that appeared in the Spyblaster browser page list to just "a". Do you think I should remove those as well?

Re Adielfiltr, It's installed, but I've never really set it up properly. Do you recomend using it or removing.

Pieter_Arntz · Aug 6, 2003

It's best to have HijackThis repair them. The unnecessary ones will be removed and the others will get reset to blank or default.

I'm not sure about AdIeFilter. I just asked because I had never seen this one before:
O2 - BHO: AdIteFiltr - {3FF41DB4-33EA-4D77-9D24-180754FF76F2} - C:\PROGRAM FILES\ADIEFILTR\ADIEFLTR.DLL

Never heard anything good or bad about it, so if you like it, keep it and if you don't, uninstall it.
If you choose to uninstall check with HijackThis if the abovementioned entry disappears or gets set to (no file). It should disappear if the uninstall is any good, but you never know.

Regards,

Pieter

dags · Aug 6, 2003

Thanks for your help
Really appreciate it.
Think I will uninstall adielfltr
Thanks
Steve

Pieter_Arntz · Aug 6, 2003

Glad we could help.

Regards,

Pieter

dags · Aug 8, 2003

Hi, since this problem, I've started getting browser shutdowns with "urlmon.dll" exception errors.
Not sure if this is related to the hijacking, my upgrade to IE6 SP1 or something else again.
I've tried restoring to previous IE version
I tried this fix I found mentioned somewhere "regsvr32 urlmon.dll", but the problem is still happening.
Any ideas, or should I raise this as a new question in a different forum.
Maybe, I'll just start using netscape
Thanks
Steve

Prince_Serendip · Aug 9, 2003

Hi dags!

I am not an expert but here's some info that might help.

DLL File: urlmon or urlmon.dll
DLL Name: OLE32 Extensions for Win32
Description: Contains functions used by Microsoft OLE (Object Linking and Embedding)
System DLL: Yes

Common Errors: File Not Found, Missing File, Exception Errors
Note: Many of these problems are caused by uninstalling an app which used this dll. If the DLL is missing, download it to your windows system folder from:

http://www.dll-files.com/

Best of luck to you from Larry

Pieter_Arntz · Aug 9, 2003

Hi dags,

Also have a look at this site:
http://www.theeldergeek.com/repair_reinstall_ie_and_oe_6.htm

Regards,

Pieter

Log in or Sign up

How to remove browser pages?

dags Registered Member

LowWaterMark Administrator

dags Registered Member

Pieter_Arntz Spyware Veteran

dags Registered Member

Pieter_Arntz Spyware Veteran

dags Registered Member

Pieter_Arntz Spyware Veteran

dags Registered Member

Prince_Serendip Registered Member

Pieter_Arntz Spyware Veteran

Log in or Sign up

How to remove browser pages?

dags Registered Member

LowWaterMark Administrator

dags Registered Member

Pieter_Arntz Spyware Veteran

dags Registered Member

Pieter_Arntz Spyware Veteran

dags Registered Member

Pieter_Arntz Spyware Veteran

dags Registered Member

Prince_Serendip Registered Member

Pieter_Arntz Spyware Veteran

Useful Searches