How to stop changing my homepage?

Discussion in 'adware, spyware & hijack cleaning' started by 790511, Nov 25, 2003.

Thread Status:
Not open for further replies.
  1. 790511

    790511 Registered Member

    Joined:
    Nov 25, 2003
    Posts:
    3
    Hi, can anyone help me? I have a similar problem as many others here. Something is changing my homepage and creates shortcut icons on the desktop. Here is a copy of the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:02, on 25. 11. 2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\WINDOWS\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\AutoCAD 2004\acad.exe
    C:\DOCUME~1\Pavel\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
    C:\Program Files\icq\Icq.exe
    C:\WINDOWS\system32\calc.exe
    C:\Documents and Settings\Pavel\Plocha\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xmail.cz/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\icq\Icq.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi 790511

    Have only HijackThis running while staying offline and fix the following :

    if this is not your desired startpage :

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xmail.cz/

    also fix :

    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe

    Reboot after doing so and remove :

    C:\WINDOWS\svchost.exe <- this file

    Note : Only remove the one in the c:\windows directory, the ones in the system32 folder are legit files!

    If Windows won't let you delete it at this point, remove it while booting the PC in Safe Mode :

    Here's how

    Hope this helps,

    keep us posted,

    Cheers,
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Unzy and 790511,

    What do you make of this one in the running processes?
    C:\DOCUME~1\Pavel\LOCALS~1\Temp\~e5d141.tmp

    Could be something that is triggered by the fake svchost, but keep an eye on it or better yet, remove that file as well.

    Regards,

    Pieter
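
The two checks Unzy and Pieter apply by eye above (a system process name running from outside System32, and a running image that is not an executable file type), written as a small triage script over a HijackThis log. This is an added example, not part of any post in the thread; the `SYSTEM32_ONLY` list, the extension set and the function names are assumptions chosen for illustration.

```python
import ntpath
import re

# Assumption for this example: names that belong only in %SystemRoot%\System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "spoolsv.exe"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr"}

# Excerpt of the HijackThis log posted in this thread, embedded for offline use.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\DOCUME~1\Pavel\LOCALS~1\Temp\~e5d141.tmp

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

def image_paths(log):
    """Yield (source, path) for running processes and O4 Run entries."""
    in_processes = False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes:
            yield "process", line
        else:
            entry = re.match(r"O4 - \S+: \[(.+?)\] (.+)$", line)
            if entry:
                # Drop command-line arguments after the first ".exe", if any.
                image = re.match(r"(.+?\.exe)\b", entry.group(2), re.I)
                yield ("autorun:" + entry.group(1),
                       image.group(1) if image else entry.group(2))

def triage(log):
    """Return (source, path, reason) for entries worth a closer look."""
    findings = []
    for source, path in image_paths(log):
        folder, name = ntpath.split(path.lower())
        if name in SYSTEM32_ONLY and not folder.endswith(r"\system32"):
            findings.append((source, path, "system process name outside System32"))
        elif source == "process" and ntpath.splitext(name)[1] not in EXECUTABLE_EXTS:
            findings.append((source, path, "running image without an executable extension"))
    return findings
```

On the embedded excerpt, `triage(SAMPLE_LOG)` reports the `C:\WINDOWS\svchost.exe` process, the `.tmp` process in the Temp folder, and the `[Online Service]` Run entry, while the System32 copies and the antivirus entries pass.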
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ouch, well spotted Pieter, missed that one :oops:

    Needless to say it has to go too ;)

    Cheers,
     
  5. 790511

    790511 Registered Member

    Joined:
    Nov 25, 2003
    Posts:
    3
    THANKS A LOT TO YOU BOTH. I DIDN'T TRY IT YET, BUT I BELIEVE THAT IT WILL WORK ;)
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    lol :)

    Keep us posted anyway ;)

    Good luck !

    Cheers,
     
  7. 790511

    790511 Registered Member

    Joined:
    Nov 25, 2003
    Posts:
    3
    Well done! You were right :D I have no problem now! Thanks again! ;)
     
  8. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    You're welcome 790511 :)

    Good job cleaning up!

    take care,

    Cheers,
     
  9. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    I am only a newbie, but while studying the log, I thought the .tmp was weird... I thought so because I had never seen a .tmp process in Running processes, just for that I smelled something fishy here :) TMP in Running? What the? :D

    Shame I didn't come here before Pieter mentioned that, I could be the one to mention this as the first :D I think that would be worth some karma points :D
     
  10. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Maybe off topic, but I realized one interesting thing in 790511's log...

    A little off topic, but did anyone realize that?

    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

    I think that 790511 uses two antivirus programs at once... I know Avast 4, I was using that free antivirus until I won the NOD32 license here (thanx to Wilders ;) ) and I also know that AVG 6 is an antivirus program too...

    If 790511 uses two on-access scanners at once, he probably thinks he is twice protected - but it is not so... using two on-access scanners is very dangerous, because it can happen that the scanners would "fight each other" and problems on the way... using two on-access scanners may end in non-functionality of both of the scanners and thus the computer will be unprotected...

    I don't know if the entries are signs of the two running on-access scanners or if 790511 uses only one on-access scanner and the other running antivirus was an on-demand scanner - if it was so, I think it can be, an on-access scanner from one AV program and at the same time an on-demand scanner from another AV... but if 790511 uses two on-access scanners, he had better decide WHICH OA scanner to use and use only the one chosen, but not both of them :)
     
  11. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Just FYI while avast4+AVG6 was a big No-no, avast4+AVG7 was tested to work quite reliably together (talking about WinXP). :)

    Hi Zidane, so you've already switched over to NOD...? :'( Oh well, never mind :cool:
     
  12. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Vlk, any comment on why they both missed this? o_O
    I don't need a degree to see that this is something I would like my AV to remove.
     
  13. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    I believe neither avast nor avg is particularly good at spotting spyware/ratware/annoyware...

    Also, it might be worth asking if the original poster has all the critical Windows updates installed (IE wants to be patched quite often :))

    Cheers
    Vlk
     
  14. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    I think the mods didn't "miss" this, because they weren't searching for that, they were searching for spyware, adware and other scumware :) I was just looking at the log without knowing what I wanted to find, I just examined the log and found this :)
     
  15. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Avast and AVG are AV programs, not scumware finding programs, so it is logical they are made for guarding us against viruses, not spyware, although some spyware can be quite "destructive" - one dialer in your comp can destroy your money savings very fast :D So if you want to be protected against scumware, there are Ad-Aware, Spybot, Spyware Blaster and Spyware Guard for that :)
     