home page hijacking

  graemey 23:04 02 Jun 04
Locked

My homepage has been hijacked by a search page called "about:blank".
I have also detected a trojan virus which I think may have something to do with it. I have run AVG, which has removed the virus, but I still get the virus warning page. I have also run the latest spybot, stinger and startpageguard but cannot get rid of this home page. Can anyone help?

  spanneress 23:08 02 Jun 04

You want CWShredder you do..click here:

click here

HTH

  VoG II 23:10 02 Jun 04

Please post a HijackThis Log. Please follow the instructions to the letter - this is really important.

click here

  billbod 08:03 03 Jun 04

Have you got adaware on your computer? This was happening to me a while back. I kept getting hijacked by msn homepage. I ran adaware and it got rid of it, only for it to return on next boot up. After a lot of searching on the web I found that if you run an adaware scan, see which problems come up (I'm guessing 1 of which will be a possible home page hijack), highlight the problem, right click and select ignore this problem. You can then reset your homepage to your preferred choice and it stays that way. Not a foolproof solution but stops the start page changing. Hope this works for you.

  VoG II 21:36 03 Jun 04

P L E A S E - the e-mail facility is for private correspondence. Use the "Add a new response to 'home page hijacking' created by graemey" box at the bottom of the page to reply.

=======================================

Logfile of HijackThis v1.97.7

Scan saved at 21:21:46, on 03/06/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\graeme\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=click here;ftp=click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4C2F5141-B0D4-471D-BAB0-54AF5A499C5A} - C:\WINDOWS\System32\dkha.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Lwinst Run Profiler] .\Lwtest.exe /detect /quiet /launch ".\Lwpevntm.exe"

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=click here

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - click here

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here

O17 - HKLM\System\CCS\Services\Tcpip\..\{71DE5DBF-7F5C-4AC1-AA1B-882222902D06}: NameServer = 195.92.195.95 195.92.195.94

  graemey 22:00 03 Jun 04

Logfile of HijackThis v1.97.7
Scan saved at 21:21:46, on 03/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\graeme\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=click here;ftp=click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4C2F5141-B0D4-471D-BAB0-54AF5A499C5A} - C:\WINDOWS\System32\dkha.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] .\Lwtest.exe /detect /quiet /launch ".\Lwpevntm.exe"
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{71DE5DBF-7F5C-4AC1-AA1B-882222902D06}: NameServer = 195.92.195.95 195.92.195.94
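
An added example (not part of the thread and not HijackThis's own code): a small Python parser for the log format posted above. It links the R0/R1 browser settings that point at a res:// page inside a DLL to the O2 (BHO) entry that loads the same file. The sample lines are copied from the posted log; the function names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted above (a subset, for brevity).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dkha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4C2F5141-B0D4-471D-BAB0-54AF5A499C5A} - C:\WINDOWS\System32\dkha.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")              # "R1 - ...", "O16 - ..."
RES_RE = re.compile(r"res://([A-Za-z]:\\[^/]+?\.dll)/", re.I)  # DLL serving a res:// page
BHO_RE = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def parse_entries(log_text):
    """Return (section_code, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def correlate(entries):
    """Map each DLL used as a res:// target to the IE settings pointing at it
    and to the CLSID of any BHO (O2) that loads the same file."""
    findings = defaultdict(lambda: {"settings": [], "bho_clsids": []})
    bhos = {}
    for code, body in entries:
        if code in ("R0", "R1"):
            m = RES_RE.search(body)
            if m:
                findings[m.group(1).lower()]["settings"].append(body.split(" = ", 1)[0])
        elif code == "O2":
            m = BHO_RE.match(body)
            if m:
                bhos[m.group(2).lower()] = m.group(1)
    for path, clsid in bhos.items():
        if path in findings:
            findings[path]["bho_clsids"].append(clsid)
    return dict(findings)


if __name__ == "__main__":
    for dll, info in correlate(parse_entries(SAMPLE_LOG)).items():
        print(dll, "->", len(info["settings"]), "IE settings; BHO:", info["bho_clsids"])
```
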

  Nellie2 23:02 03 Jun 04

ok graemey

The problem you have is caused by a hidden file that keeps re-infecting you.

We are going to try and make this file visible and then delete it.

Download Winfile.zip from this page:
click here
------------------
Go here and download RegAlyzer:
click here

Download Ad-aware. Install and update it.
Do not run it yet. Here are the full instructions for running Ad-Aware. This
is for when the time comes to run it.
Download the latest version of Ad-Aware at
click here
After installing AAW, and before running the program, you NEED to FIRST
update the reference file following these instructions.
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Remember. Do not run Ad-Aware yet.

Run RegAlyzer. Navigate to this key by copying and pasting its path
as seen below into the address bar and pressing enter.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look at the left pane and you will see a Folder (Key) named Windows. Rename it as NotWindows.
Click "AppInit_DLLs" in the right pane and clear the data value:
(path and filename) Be sure to write down the information before you clear it. You'll need that.
Click Apply and ok
Rename the NotWindows folder back to Windows again.
Close RegAlyzer.

Next, reset the permissions for the Windows key.
To do that, open Regedit. Go to Start>Run, type regedit and press Enter.

Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

In Regedit Right click on the Windows key in the left pane and choose permissions.
Click the advanced button near the bottom of this page. Now you are on a different page.
In XP Pro:

Uncheck the box labeled
Inherit from parent the entries that apply to child objects..... etc.
You will get a message with a choice. Choose Copy by clicking on the Copy button.
Apply and OK.
Close the registry.

In XP Home the file permissions are a little different.
******Reset, but here you will check the Inherit from Parent box. The rest is the same.
Restart the Computer.

After you get back into Windows, go to C:\
Create a new folder and name it Junk.
You now have a folder C:\Junk
Unzip Winfile which you downloaded earlier. Run Winfile.
Expand and Navigate to the System32 Folder.
Double clicking to expand.
Once you are in System32 on the menu go to File>Select Files
Copy and paste to the box:
comn.dll (adjust to the file name in question remember you copied it down when you found it in the AppInit_DLLs key!) click select
Find and highlight that file.
Next in top menu>Security>permissions,
tell us what is listed there for that file.
Also check the owner tab
------------
Finally:
On the Menu go to File>move
In From: Copy/paste:
C:\WINDOWS\System32\comn.dll (the file name and path is an example,
substitute yours here)
To: Copy and paste:
C:\junk\comn.dll (substitute your filename here)
Click OK
Post back with the requested information and how you did.
Be sure to check C:\junk to see that the dll is there.

  VoG II 23:08 03 Jun 04

I now realise just how inadequate I am at all of this :o(

Can anybody recommend a decent shrink?

  Nellie2 23:13 03 Jun 04

I haven't finished yet... there is a part two to come, I do need to know which file system you are using graemey, NTFS or FAT32?
I'm off to bed in a mo, will check back tomorrow when I get home from work... shopping night tomorrow so it won't be before 7ish!

  graemey 23:33 03 Jun 04

ok thanks mate

  VoG II 23:36 03 Jun 04

You need to tell Nellie2 which file system!

This thread is now locked and can not be replied to.
