help! default page hijacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joancrawfordsface, Nov 15, 2004.

  1. joancrawfordsface

    joancrawfordsface Private E-2

    sorry, i see here that these problems are common but couldn't decide whether or not it would be an error to refer to someone else's problem as a model to rectify my own. so i have erred on the side of caution. i'd be eternally grateful to anyone who could talk me through the process of getting here-to-find and its numerous pornographic sisters off my internet browser. i suspect my boyfriend has been browsing porn whilst i was away and in so doing has invited some nasty worms or whatever they might be to stage an orgy in my hard drive. i spent the day running a million antispy programs but alas to no avail. it was an education, but i feel empty as i still haven't managed to get the damn thing off. please help i am tired of looking at invitations to look at pictures of girls sucking dogs' cocks.

    ok my hijack this log reports....




    [log removed]

    thank you
     
    Last edited by a moderator: Nov 15, 2004
  2. Destructo

    Destructo Corporal

  3. joancrawfordsface

    joancrawfordsface Private E-2

    i do apologise for having posted the log...am glad to have now seen the rules so i can't breach them further.

    i have however been working from the other link that you posted all day long and remain at a loss. what should i do? is it a good idea to reformat?
     
  4. Destructo

    Destructo Corporal

    Other Link? Do you mean you ran all the virus scans/spy stuff? Did you do it in safe mode? Did they find anything? Must be specific and formatting is usually a very, very, very, very, very, last resort.
     
  5. Kodo

    Kodo SNATCHSQUATCH

    if you've tried everything INCLUDING the alternate scans listed at the bottom of the READ ME FIRST, then post a NEW log as an attachment.

    Make sure you move Hijackthis into its own folder like C:\HJT or something.
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi joancrawfordsface,

    Please move HijackThis to its own safe folder - C:\Program Files\HijackThis

    Please scan and attach a Fresh log as per these instructions:

    Note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    We should be able to work out a fix - I'll try to check back later tonight.

    Best :)
    PP
     
  7. joancrawfordsface

    joancrawfordsface Private E-2

    yes i did it in safe mode and they did find things. spybot found 7 files and adaware 16. they were deleted. what happened next was: i rebooted in normal mode and when i clicked on internet explorer it loaded with google. eureka! i thought. except next when i typed another url into the address bar it brought me back to here-to-find. i have seriously been at this for 7 hours.
     
  8. slater1

    slater1 Private E-2

    lol...PP do you find yourself just repeating yourself day in day out?

    and...joancrawfordsface maybe you should talk to your boyfriend for looking up those ..WEIRD things...then they won't happen.:)
     
  9. joancrawfordsface

    joancrawfordsface Private E-2

    ok i'll do all this currently. many thanks.
     
  10. joancrawfordsface

    joancrawfordsface Private E-2

    well i shall patch my system up with all these delightful programs i've been reading about today. then chop my boyfriend's penis off so he won't be tempted. scratch that actually...his hands. i need his penis ;)
     
  11. Destructo

    Destructo Corporal

    Just follow what Phillie and Kodo tell ya to do and you'll be in good hands.

    They've dealt with it a very, very, very, very, very, very lot!:)
     
  12. joancrawfordsface

    joancrawfordsface Private E-2

    ok here we are....have i attached the log correctly?
     

    Attached Files:

  13. joancrawfordsface

    joancrawfordsface Private E-2

    sorry this should be better..i have closed program files this time.
     

    Attached Files:

  14. Kodo

    Kodo SNATCHSQUATCH

    Joan, I don't see any of the online scanners in your log.

    Hit the trend micro online virus scan please. It should kill a few problems you have.
     
  15. joancrawfordsface

    joancrawfordsface Private E-2

    just tried that again before realising i had tried it before. says something about how it cannot locate netscape. i'm browsing with mozilla.
     
  16. joancrawfordsface

    joancrawfordsface Private E-2

    is there any reason other than that i do not use netscape that this virus scan should not work for me kodo? sorry if the question's naive but i'm no techie.
     
  17. Kodo

    Kodo SNATCHSQUATCH

    load it up in IE, it will be easier than trying to sort out installing the netscape plugin for it.
     
  18. joancrawfordsface

    joancrawfordsface Private E-2

    ok i have run that virus check...apparently it found itself a worm...and yet the smug porn page still hangs out as my default setting on ie. is there anything more i might do?
     
  19. Destructo

    Destructo Corporal

    Well if you have done everything in the posts then attach your hijack log to your reply (don't post it in the reply:)) And if I have time I will go through it, if not then you'll have to wait for either Phillie or Kodo.

    I am off to dinner for now but will try to be back later.
     
  20. joancrawfordsface

    joancrawfordsface Private E-2

    you'd like me to post it again? i shall just do a fresh scan then.
     
  21. joancrawfordsface

    joancrawfordsface Private E-2

    here's my latest scan
     

    Attached Files:

  22. Kodo

    Kodo SNATCHSQUATCH

    need you to empty your Temp directory. But first download this
    http://tools.zerosrealm.com/startchmfix.exe
    run it and tell it to place the files in C:\chmfix

    now boot to safe mode
    Go to Start..run. type

    local settings/temp
    select everything in there and delete it.

    next I want you to try to find the following files

    C:\WINDOWS\kjberup.exe
    and
    syslog32.exe

    delete them if found


    next I want you to go to C:\chmfix\startchmfix and run the fix.bat
    DO NOT RUN THIS TWICE

    next I want you to boot to normal mode and run HiJackThis again
    then find and put a check mark next to the following items, then close your browser and hit fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
    O4 - HKLM\..\Run: [cyberfree.exe] C:\DOCUME~1\KRAIGE~1\LOCALS~1\Temp\jebd.dat [Possible Trojan!]
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=


    O9 - Extra button: Corel Network monitor worker - {03FDFC54-4E34-413F-AD9D-C1C96408F091} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {03FDFC54-4E34-413F-AD9D-C1C96408F091} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {03FDFC54-4E34-413F-AD9D-C1C96408F091} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {03FDFC54-4E34-413F-AD9D-C1C96408F091} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)

    now reboot, and post a fresh log.
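
A triage of the kinds of HijackThis entries listed in the post above, as an added Python example that is not part of the original thread or any poster's tooling. The names `triage`, `SAMPLE_LOG` and the `ExampleApp` line are assumptions made for illustration; the three checks are heuristics chosen here, not HijackThis's own logic.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Entries adapted from the post above (R0 uses the standard mk:@MSITStore
# prefix); the last line is a constructed benign entry for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [cyberfree.exe] C:\DOCUME~1\KRAIGE~1\LOCALS~1\Temp\jebd.dat [Possible Trojan!]
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

def triage(log_text):
    """Return (findings, host_counts); findings are (code, reason, line)."""
    findings, hosts = [], Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        reason = None
        if code in ("R0", "R1"):            # IE start/search page values
            url = urlparse(body.split(" = ", 1)[-1])
            if url.scheme in ("http", "https"):
                hosts[url.hostname] += 1
            else:
                reason = "browser page loads non-web content (%s:)" % url.scheme
        elif code == "O13":                 # URL prefix override
            hosts[urlparse(body.split(": ", 1)[-1]).hostname] += 1
            reason = "URL prefix overridden (prepended to typed addresses)"
        elif code == "O4":                  # autostart (Run key) entry
            target = re.sub(r"^.*?\] ", "", body)   # drop "HKLM\..\Run: [name] "
            if "\\temp\\" in target.lower():
                reason = "autostart runs from a Temp directory"
            elif "\\" not in target:
                reason = "autostart has no path, resolved by search order"
        if reason:
            findings.append((code, reason, line.strip()))
    return findings, hosts

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG)[0]:
        print(f"[{code}] {reason}: {line}")
```

The `C:\WINDOWS\kjberup.exe` entry passes all three checks because nothing in its path stands out, so entries like it still need the by-hand review done in the thread.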
     
  23. joancrawfordsface

    joancrawfordsface Private E-2

    wow i'm posting this using internet explorer. dr kodo seems to have cured my machine. i'll post a fresh log tho just to check.
    i'm extremely grateful to everyone for their help. i appreciate that it must be a pain in the ass: all these people flying in and out of the forums with the same goddamn problems. i am thankful for everyone's patience. and if it makes anyone feel better...i've learned a great deal about spyware today and shall be far better equipped to handle it in future.

    and hey! kodo...i see it's your birthday in a few days time. many happy returns, and again thank you.
     

    Attached Files:

  24. Kodo

    Kodo SNATCHSQUATCH

