• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
adambomb223

Persistent IE Homepage Hijacker

4 posts in this topic

I have been working on trying to remove this Homepage Hijacker for a few days now. I have tried just about every method that I have been able to find in this forum. I was only able to temporarily remove the spyware, but it keeps coming back as soon as I close and reopen Internet Explorer. The dll name has changed at least a half a dozen times, but the result is the same in the end. It just keeps coming back. Here is my Hijack This and About:Buster logs below. Any help would be greatly appreciated. Thanks in advance!

 

Logfile of HijackThis v1.98.0

Scan saved at 2:13:48 PM, on 7/16/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\WINNT\System32\svchost.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\apiuz.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\netbp.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\SMC\SMC2802W 54 Mbps WLAN Utility\SMCUTIL.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Spyware Software\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ienan.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ienan.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ienan.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ienan.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ienan.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ienan.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {4A38BC22-CA22-15D7-B07D-FA2261EB573B} - C:\WINNT\system32\sdkcu.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [netbp.exe] C:\WINNT\system32\netbp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: SMC2802W 54 Mbps WLAN Utility.lnk = C:\Program Files\SMC\SMC2802W 54 Mbps WLAN Utility\SMCUTIL.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

 

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINNT\wksyja.dat

Removed! : C:\WINNT\system32\htzgd.dat

Removed! : C:\WINNT\system32\ienan.dll

Removed! : C:\WINNT\system32\netbp.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

Share this post


Link to post
Share on other sites

Make sure you have the latest version of AboutBuster and have you tried running it in safe mode?

http://malwarebytes.biz/AboutBuster.zip <---use this one for AboutBuster

 

There's another program out that you can try, here,s the link to it and to make sure you have he latest version of the program, here's a direct download of it.

 

http://www.majorgeeks.com/download4286.html <---link to program info

 

http://www.hsremove.com/hsremove.exe <---dir download

 

MrC

Share this post


Link to post
Share on other sites

Ok, I downloaded the updated version of About:Buster, and HSremove. I rebooted in safe mode and ran Hijack This and cleaned the entries. Then I ran About:Buster and Hsremove respectively. While still in safe mode it seemed like Internet Explorer was back to normal. Upon reboot back into normal mode IE was still ok for about 2 opens and closes. However, when I opened it the third time it was back again. Unfortunately, I am still hijacked, any ideas.

Share this post


Link to post
Share on other sites

Post a fresh HJT log and don't reboot or shut down your computer until I get back to you. MrC

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0