Jump to content


Problems with Homepage changing


  • Please log in to reply
3 replies to this topic

#1 Guest_Val_*

Guest_Val_*
  • Guests

Posted 27 June 2004 - 04:08 PM

I've seen similar problems posted here, so I'm hoping can help me. My homepage is constantly being changed to a searh engine - about:blank is in the address bar. I would really be grateful to anyone that can help. Below is my Hijack This log. thank you again!

Logfile of HijackThis v1.97.7
Scan saved at 5:05:52 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kenneth & Gail\Local Settings\Temporary Internet Files\Content.IE5\4181YZYJ\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KENNET~2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KENNET~2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KENNET~2\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KENNET~2\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KENNET~2\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KENNET~2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C43B5A02-888E-4991-978E-32BCA474148F} - C:\WINDOWS\System32\alb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{37DF84DD-0E30-4621-AC3A-A44AFF29D7B2}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{37DF84DD-0E30-4621-AC3A-A44AFF29D7B2}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS2\Services\Tcpip\..\{37DF84DD-0E30-4621-AC3A-A44AFF29D7B2}: NameServer = 198.190.226.3,198.190.226.30

#2 corrupted

corrupted

    Member

  • New Member
  • Pip
  • 1 posts

Posted 27 June 2004 - 04:19 PM

I too have this same exact problem. I've gone into safe mode, deleted any files that have shown up in my system32 folder in the past few days, ran hijackthis, spybot, adaware, and cwshredder, pulled any weird registry settings, emptied my temp folders (both in c:\windows and c:\documentsandsettings\***\localsettings\temp), deleted all temp internet files, searched through the registry for any entries relating to sp.html or the variable file name that hijack related this to. everytime i've done all of this, my home page is reset to the one i normally use. i can restart and all settings look great.....until about a half hour after i've done all of this. it then just reverts all back to the same crap i had before.


i've had some malware in my day, but this one takes the cake. this is the last time i let my brother-in-law touch my system!

Edited by corrupted, 27 June 2004 - 04:21 PM.


#3 mme_nrd

mme_nrd

    Member

  • Full Member
  • Pip
  • 38 posts

Posted 27 June 2004 - 11:16 PM

I had the same problem. This posting helped me solve it:

http://www.spywarein...ST&f=18&t=10027

Hope this helps. Good luck.

#4 valley29

valley29

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 08:45 PM

;D

Thank you for everyone who attempted to solve this problem... but I've finally had a friend come by and fix this problem. I'm not sure how he did it, but it was in regedit... under brower helper objects. I had 2 in that folder... one was linked to Adobe but the other was not.
We had to copy the keys and search them within regedit. The one for me was found on another location - CLSID folder - and was not linked to Acrobat. We had to take the .dll file in there and delete it from the System32 folder in Windows Explorer and delete the folder (in regedit) in Brower Helper Objects as well as in the CLISD folder. Finally, we got the problem to stop and I've been clean of this annoyance since.

I am sorry that I am not much of a computer wiz and cannot explain this well, but hopefully this will make sense to someone if needed.

Thanks!!!


:bounce:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button