unwanted home page

Status
Not open for further replies.

bsb

Broken In
Hi!
I am using Windows XP on a P-4. I have got two problems with my browser (IE 6), which started after I opened one spam by mistake. Well, problem 1: my home page has been changed. Every time I switch on, I set it to yahoo.com, but as soon as I restart, it is the same again.

2nd - I have got a few unwanted links as my favourites. I delete them every time, but as soon as I restart they appear again.

Will someone help me to rectify the above problems?

Thanks.

BSB
 

mariner

Ambassador of Buzz
You have got some spyware.
Download Ad-Aware SE from www.lavasoft.com.
Also download Spybot Search & Destroy from
*www.safer-networking.org/en/download/index.html

Run these applications to get rid of all the spyware.
Also get a good firewall. Sygate Personal Firewall is good.
 

lywyre

Cyborg Agent
Download Autoruns.exe from www.sysinternals.com

Boot into Safe Mode and run Autoruns.exe: remove unwanted executables from startup.
Remove all unwanted programs in Add/Remove programs.
Delete twain.dll and twain_32.dll in the Windows folder.

Also check there are no unwanted .dll files in your c:\windows\System32 folder. To do this list your files in 'details' view and sort by date. Delete all the .dll and tmp files created after you visited that 'spam site'.

Delete unwanted plugins in the "downloaded programs files". (Delete all except shockwave and java and quicktime).

Empty your Temp folder (type %temp% in the address bar).

Hope this solves your problem.
To avoid further such issues, stop using IE.
 

bsb

Broken In
unwanted homepage

Hi! Thanks to all who responded.

Well, 'Ad-Aware SE' and 'Spybot SD' could not solve the problem. However, by running these programmes, I came to know that I may have more problems than I can see.

Secondly, I ran 'HijackThis'. The logfile is reproduced below.
Logfile of HijackThis v1.98.2
Scan saved at 1:28:39 AM, on 9/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Contract\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *up-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *up-search.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = *up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = *up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.205.122.80:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.205.*.*;<local>
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [winupd] C:\Windows\System32\winupd.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!*69.31.79.101/winsearchie32.chm::/winsearchie32.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mumbai.ongcl.com
O17 - HKLM\Software\..\Telephony: DomainName = mumbai.ongcl.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE93C8B8-C329-4C20-AC17-9A6E663D96C7}: NameServer = 203.94.227.70 203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mumbai.ongcl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mumbai.ongcl.com


I get a home page www.up-search.com. Although I tried to remove all references to this page through 'HijackThis', as soon as I restart my computer, it appears again. The links added to the 'favourites' folder still exist there.

Hope you will help me to solve my problem without reformatting the hard disk.

Thanks again.
 

it_waaznt_me

Coming back to life ..
Re: unwanted homepage

To proceed with your HijackThis log, run HijackThis again, put a check mark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.
bsb said:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *up-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *up-search.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = *up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = *up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = *up-search.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.205.122.80:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.205.*.*;<local>
O4 - HKLM\..\Run: [winupd] C:\Windows\System32\winupd.exe <-- Virus
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!*69.31.79.101/winsearchie32.chm::/winsearchie32.exe
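
Added example (not part of any poster's reply and not HijackThis's own logic): a small Python triage of the R0/R1, O4 and O16 entry types discussed above, run over lines copied from the posted log. The System32 autostart rule and the ms-its/mhtml source rule are heuristics assumed for illustration; a hit means "review this entry", not a verdict.

```python
import re
from collections import Counter

# A subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *up-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *up-search.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *up-search.com/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.205.122.80:8080
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [winupd] C:\Windows\System32\winupd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!*69.31.79.101/winsearchie32.chm::/winsearchie32.exe
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")
HOST = re.compile(r"=\s*\*?(?:https?://)?([\w.-]+\.[a-z]{2,})(?=[/:\s]|$)", re.I)
RUN = re.compile(r"Run(?:Services)?: \[(?P<name>[^\]]+)\]\s+\"?(?P<path>[^\"]+?\.exe)", re.I)
SYS32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

def triage(log_text):
    """Return (findings, hosts): entries to review and redirect-host counts."""
    findings, hosts = [], Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1"):          # IE start/search page values
            h = HOST.search(body)         # IP-only proxy values do not match
            if h:
                hosts[h.group(1).lower()] += 1
        elif code == "O4":                # autostart entries
            r = RUN.search(body)
            # Assumed heuristic: Run-key binary sitting directly in System32.
            if r and SYS32.match(r["path"]):
                findings.append(("O4", r["name"], r["path"]))
        elif code == "O16":               # Downloaded Program Files objects
            clsid, _, source = body.partition("DPF: ")[2].partition(" - ")
            # Assumed heuristic: source is a help/MHTML handler, not a plain URL.
            if source.lower().startswith(("ms-its:", "mhtml:")):
                findings.append(("O16", clsid, source))
    return findings, hosts

if __name__ == "__main__":
    found, redirect_hosts = triage(SAMPLE_LOG)
    print("hosts set in IE start/search values:", dict(redirect_hosts))
    for item in found:
        print("review:", item)
```

One host appearing in many R0/R1 values next to an unfamiliar Run entry is the pattern to look for when a start page returns after every restart.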
 

bsb

Broken In
at last!!!!

Problem solved. Thanks a lot. :D

By the way, how serious was it? Do you think the hijacker could have copied down my passwords etc.?
 