my homepage has been...

Discussion in 'adware, spyware & hijack cleaning' started by Will44, Nov 28, 2003.

Thread Status:
Not open for further replies.
  1. Will44

    Will44 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    7
    Hello all,

    I came across your website while trying to find a solution to my homepage problem.

    Here is the problem...
    Every time I restart my computer my homepage becomes start-space.com. When I change the page back to my preference, boston.com, it works fine. But every time I restart it's back to start-space.com.

    I'm looking for an alternative to reimaging my hard drive.

    I also would like to know how something like this happens, in layman's terms please. I say that because you all seem like a highly intellectual bunch.

    Any help much appreciated!


    In search for a solution,
    /Will

    p.s. Not sure exactly what this topic falls under. I hope I posted this in a proper place. If not I apologize and could use your help.
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Will44 and welcome to Wilders

    It sounds like your homepage has been hijacked.

    If you could follow the instructions here for downloading HijackThis http://www.wilderssecurity.com/showthread.php?t=15913 it will get things started in helping you remove the hijacker from your computer.

    Once you post your HijackThis log, one of the Moderators will be better able to help you with fixing your computer.

    regards,

    snap
     
  3. Will444

    Will444 Guest

    Thanks snapdragin! The following is the HijackThis log after running Ad-aware 6.0

    (again)
    Here is the problem...
    Every time I restart my computer my homepage becomes start-space.com. When I change the page back to my preference, boston.com, it works fine. But every time I restart it's back to start-space.com.

    I'm looking for an alternative to reimaging my hard drive.

    I also would like to know how something like this happens, in layman's terms please.

    I also noticed the name 8ad in the script. This is the company name that comes up on my pop-up ads. Maybe we could eliminate both?

    Any help on what to delete/keep - greatly appreciated!

    Thanks in advance,
    /Will


    Logfile of HijackThis v1.97.7
    Scan saved at 3:45:41 AM, on 11/28/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\System32\Ati2evxx.exe
    C:\Windows\System32\drivers\CDAC11BA.EXE
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\MsgSys.EXE
    C:\Windows\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\System32\Promon.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Windows\System32\ctfmon.exe
    C:\windows\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\NextStep\Desktop\hijackthis\HijackThis.exe
    C:\Documents and Settings\NextStep\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getproxy
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O1 - Hosts: 198.65.164.168 00hq.com
    O1 - Hosts: 198.65.164.168 8ad.com
    O1 - Hosts: 198.65.164.168 searchv.com
    O1 - Hosts: 198.65.164.168 www.searchv.com
    O1 - Hosts: 198.65.164.168 008k.com
    O1 - Hosts: 198.65.164.168 www.008k.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.04.03&http://www.tagheuer.com/multimedia/3d_list.lbl
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/190c97011e49f32efb15/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5292939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com,bell-atl.com,bellatlantic.com,nynex.com,gte.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com,bell-atl.com,bellatlantic.com,nynex.com,gte.com

    Deleted one log
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Will444,

    Download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then run HijackThis again and check the items listed below that are still there, then close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
    O1 - Hosts: 198.65.164.168 00hq.com
    O1 - Hosts: 198.65.164.168 8ad.com
    O1 - Hosts: 198.65.164.168 searchv.com
    O1 - Hosts: 198.65.164.168 www.searchv.com
    O1 - Hosts: 198.65.164.168 008k.com
    O1 - Hosts: 198.65.164.168 www.008k.com

    O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe <= grmbl
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/190c97011e49f32efb15/netzip/RdxIE601.cab

    Then reboot and delete:
    c:\windows\winlogon.exe <= make sure to get the right one, do NOT delete this one: C:\Windows\system32\winlogon.exe
    c:\windows\qttasks.exe <= again be careful, C:\Program Files\QuickTime\qttask.exe is the real thing

    Regards,

    Pieter
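As an added example (not part of the thread, and not HijackThis code), the script below automates the three checks Pieter applies to the log above: IE start/search URLs (R0/R1) pointing at a host the user never chose, hosts-file entries (O1) that pin names to a non-loopback address, and Run-key entries (O4) whose target is either a core Windows binary living outside System32 or a second copy of a Run value name that already points somewhere else. The sample lines are constructed in the shape of Will's log; `TRUSTED_HOSTS`, the `SYSTEM32_ONLY` list and the System32 path are assumptions for the example.

```python
"""Triage a HijackThis-style log for the hijack patterns seen in this thread:
rewritten IE start/search URLs (R0/R1), hosts-file pinning (O1), and Run-key
entries that impersonate a legitimate program (O4)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions for this example: the only trusted homepage/search host is the
# user's own choice, and the listed binaries belong only in System32 on XP.
TRUSTED_HOSTS = {"boston.com", "www.boston.com"}
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "ctfmon.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

R_RE = re.compile(r"^R[01] - (.+?),(.+?) = (.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)

# Constructed sample in the shape of the log posted above. The legitimate HKLM
# QuickTime line is included so the duplicate-name check has a reference.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
"""


def exe_path(target: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run-key command line."""
    m = EXE_RE.match(target.strip())
    return m.group(1).strip() if m else target.strip()


def triage(log_text: str) -> dict:
    """Return the suspicious R0/R1, O1 and O4 entries found in log_text."""
    report = {"startpage": [], "hosts": {}, "impostors": [], "duplicates": {}}
    hosts_by_ip = defaultdict(list)      # pinned address -> names sent there
    targets_by_name = defaultdict(set)   # Run value name -> distinct targets

    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_RE.match(line):
            key, value, url = m.groups()
            host = (urlsplit(url).hostname or "").lower()
            if host not in TRUSTED_HOSTS:
                report["startpage"].append((key.split("\\")[0], value, host))
        elif m := O1_RE.match(line):
            ip, name = m.groups()
            # A non-loopback address in hosts redirects the name instead of blocking it.
            if not ip.startswith("127."):
                hosts_by_ip[ip].append(name)
        elif m := O4_RE.match(line):
            _hive, _key, name, target = m.groups()
            exe = exe_path(target)
            folder, _, base = exe.lower().rpartition("\\")
            targets_by_name[name.lower()].add(exe.lower())
            # The real winlogon.exe lives in System32; a copy anywhere else is the impostor.
            if base in SYSTEM32_ONLY and folder != SYSTEM32_DIR:
                report["impostors"].append(exe)

    report["hosts"] = dict(hosts_by_ip)
    report["duplicates"] = {n: sorted(t) for n, t in targets_by_name.items()
                            if len(t) > 1}
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

On the constructed sample this flags the three start-space/sharempeg URLs, the two pinned addresses, `c:\windows\winlogon.exe` as an impostor (the System32 copy and `ctfmon.exe` pass), and `QuickTime Task` as a value name with two different targets, which is how `c:\windows\qttasks.exe` stands out next to the real `qttask.exe`. The allowlist is the weak point: the `AutoConfigURL` line in Will's real log points at a Verizon proxy host and is legitimate, so that host would need adding to `TRUSTED_HOSTS` before the script is used on the full log.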
     
  5. Will4

    Will4 Guest

    oops I think I inadvertently deleted...

    C:\Program Files\QuickTime\qttask.exe is the real thing

    My updated HiJack log...

    Also when I rebooted, the problem was fixed thank you!

    Do I have to worry about that "Quick time" file?

    /Will

    p.s. when I try to post here with my original name "Will44" it says someone already has this name. That would be me. This site allows me to log in with my user name and password, but when I click on the link to post, the top of the page goes from recognizing me as Will44 to "Guest". That is why the name has changed here.
     
  6. Will444

    Will444 Guest

    I'm getting tired...
    the new log...

    Logfile of HijackThis v1.97.7
    Scan saved at 5:04:16 AM, on 11/28/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\System32\Ati2evxx.exe
    C:\Windows\System32\drivers\CDAC11BA.EXE
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\System32\Promon.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Windows\System32\ctfmon.exe
    C:\Windows\System32\MsgSys.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\NextStep\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://boston.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getproxy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.04.03&http://www.tagheuer.com/multimedia/3d_list.lbl
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5292939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com,bell-atl.com,bellatlantic.com,nynex.com,gte.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com,bell-atl.com,bellatlantic.com,nynex.com,gte.com
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Will (add any number of 4's ;) ),

    If you deleted the file, you can download and install the Quicktime player here: http://www.apple.com/quicktime/download/
    As long as you got the right one in HijackThis and delete the imposter, no real harm done.

    As to your posting problem: are you blocking referrers?

    Regards,

    Pieter
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Our posts crossed. The log is clean now. :)
    And I can see Quicktime in your running processes (the real one), so you did fine.

    Regards,

    Pieter
     
  9. Will44

    Will44 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    7
    Pieter, thanks for all your help. It's taken a little while here, but well worth it.

    My login name seems to work fine now. Before, I would log in and when I clicked on the subject, the next page would recognize me as guest. This is the first time it recognized me on the next page with my login name and password. Anyways...

    One last curiosity question before I go to bed. What exactly do those "imposter" files do? The one that looked like QuickTime, for example? And where do they come from?


    Thanks again!!

    Respectfully,
    /Will
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Will44,

    They are all part of one big family: http://www.spywareinfoforum.com/~merijn/cwschronicles.html
    (not updated for qttasks yet)
    They use about every trick in the book (and invented a few new ones) to get on your computer.

    Read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

    Regards,

    Pieter
     