Homesearch hijack



#1 triplethreat


Posted 21 June 2004 - 09:02 AM

My home page is always changed to home search and I can't figure out how to rid myself of it. I have run Ad-Aware, Spybot, CWShredder and now HijackThis. Here is my log; if anyone can help, that would be great.

Logfile of HijackThis v1.97.7
Scan saved at 12:14:39 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mshz32.exe
C:\WINDOWS\system32\qttask.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ndllzxy.exe
C:\WINDOWS\system32\iels.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Road Runner\Medic\RRMedic.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tina\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsjjn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsjjn.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsjjn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsjjn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nsjjn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nsjjn.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost
O2 - BHO: (no name) - {34486039-E905-10CA-29CC-C115092F02E3} - C:\WINDOWS\system32\crrq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [stwitpwciru] C:\WINDOWS\System32\ndllzxy.exe
O4 - HKLM\..\Run: [iels.exe] C:\WINDOWS\system32\iels.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
O4 - HKLM\..\RunOnce: [ieee32.exe] C:\WINDOWS\ieee32.exe
O4 - HKLM\..\RunOnce: [d3ub.exe] C:\WINDOWS\system32\d3ub.exe
O4 - HKLM\..\RunOnce: [sysna32.exe] C:\WINDOWS\system32\sysna32.exe
O4 - HKLM\..\RunOnce: [winys32.exe] C:\WINDOWS\system32\winys32.exe
O4 - HKLM\..\RunOnce: [winbf.exe] C:\WINDOWS\winbf.exe
O4 - HKLM\..\RunOnce: [syspo32.exe] C:\WINDOWS\system32\syspo32.exe
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB

#2 triplethreat


Posted 21 June 2004 - 10:55 AM

I am not very computer literate, so any help would be great.

#3 rodliv


Posted 21 June 2004 - 11:43 AM

I had a similar problem and found that Notepad.exe no longer worked and had a date of 6/18, the date my home page had been hijacked. Deleting Notepad, cleaning up the registry, and using CWShredder seems to have solved the problem.
Check the date on Notepad.

#4 atruemaverick


Posted 21 June 2004 - 05:19 PM

I have been doing some research on this Homesearch - it is a limited Search Page with Affiliate programs - I am now contacting the companies that are paying affiliate fees to this HIJACKED PAGE .... Anyone that wants to join in on a class action suit to recover damages - please reply to this post ....... What I suggest you do is contact 20 - 30 of the websites linked to this HIJACKED PAGE and express your concerns. Let's get this guy where it HURTS - CUT OFF HIS MONEY from this HIJACKED PAGE



