My homepage hijacked by web search aka searchpaga.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by coconut, Jan 19, 2005.

  1. coconut

    coconut Private E-2

    No matter what I do, my home page keeps returning to Web Search/cool web search, URL http://www.search-paga.com/10039/

    I have installed and run ad-aware, e-trust Pest Patrol, zone alarm, spybot, cw shredder, anonymyzer...etc... none have been successful in fixing the problem. Not sure what to keep and what to get rid of on my Hijackthis log. Any assistance would be greatly appreciated. I'm on Windows XP. I am at wits' end to say the least!!!!! Thx.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:11:17 PM, on 1/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     
  2. jarcher

    jarcher I can't handle a title

  3. tigerray00

    tigerray00 Specialist

    Last edited: Jan 19, 2005
  4. mastermosley

    mastermosley Sergeant

    What you have is a virus. Run Virus scanner.

    EDIT by chaslang: If you can't contribute something useful, then don't.
     
    Last edited by a moderator: Jan 19, 2005
  5. coconut

    coconut Private E-2

    I followed Major Attitude's steps re the disable of system restore...cleaning the crap and then restoring...it worked for about 1 minute which was great...until www.search-paga aka web search beat away my home page and took over again. But, it was the longest I've gone before being hijacked. My AdAware keeps detecting 42 items named coolwebsearch...I Quarantine/delete and when I rescan there they are again. Spybot keeps detecting 2 coolwwwsearch.Yexe and 5 DSO Exploit...then spybot reads "error during check 2_Demon" and then some German writing. May I post my Hijack this log? There looks like a few weird items on the log but I'm no pro. T H A N K Y O U everyone for helping! This is a nightmare!!!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read our sticky threads; they cover all of this. What you are posting is not helpful to the user. If you cannot post more specific useful information, do not post. The sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal: covers all of the steps required to help resolve problems and includes virus scanners.
     
  7. mastermosley

    mastermosley Sergeant

    It was a virus though, that is pretty specific information....
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not a virus! It is a hijacker and our READ ME threads already contain suggestions for virus scans and the read me was already suggested twice. If you have additional helpful info and know an exact virus/malware name without seeing any additional info from the user then provide that info.
     
  9. coconut

    coconut Private E-2

    If allowed I would be more than happy to post my latest Hijackthis log. I do not know which items to delete in the log. I have read and followed the tutorial...it was informative...thank you. I think with some help I will get rid of this homepage hijacker. I will then write a formal complaint to the company in Boca Raton and cc it to the FCC, better business bureau...maybe Wayne Newton too. Helppppppppppp
     
  10. PhilliePhan

    PhilliePhan Guest

    Go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:
    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
    Last edited by a moderator: Jan 20, 2005
  11. coconut

    coconut Private E-2

    Thank you for your advice. I am eager to begin the battle against my homepage hijacker called web search/search-paga. Would you please instruct me on how to close the system tray? My operating system is Windows XP.
     
  12. jarcher

    jarcher I can't handle a title

    just close all applications in the system tray
    right click ,say an IM you may be running, you'll get a dropdown box, choose exit
    just the ones you don't need

    close all windows(including this one)
    and run HJT
    save the log as a .txt
    and attach it here
     
  13. coconut

    coconut Private E-2

    Thanks all! I will paste my HJT log. Quick note: Following all the suggestions I ran all my spyware and things are getting cleaned up. Again, I changed my homepage and it stayed put for a minute...which is an improvement. It eventually was hijacked again by www.search-paga/Web Search. After running Spybot this time www.coolweb was gone but 4 items of DSO Exploit remain with a "error during check/Z-Demon(a couple of German words). The 4 DSO Exploit look something like this;
    HKEY_USERS\5-1-5-18\Software\Microsoft\Windows\Currentversion\Internetsettings\Zones\0\1004!=W=3

    HKEY_USERS\5-1-5-21-459082294 etc..... registry change?

    HKEY_USERS\5-1-5-20\software etc.....W=3

    HKEY_USERS\Default\Software etc.....W=3
     
  14. jarcher

    jarcher I can't handle a title

    no, we ask that you attach it as a .txt file
    if you need to know how, ask

    did you read the Read Me's?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It can also be attached as HijackThis saves it. That is, as a .log file.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are getting DSO Exploit problems, you more than likely did not run all the steps in the READ ME FIRST. In particular the one that says:

    Spybot - Search and Destroy DSO Exploit Fix - Install this patch on top of Spybot to fix the DSO Exploit bug
     
  17. coconut

    coconut Private E-2

    I went through all of the read me steps but hijack is still present. Here's my HJT log.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this a log from safe boot mode?

    What about the DSO Exploits? Are you still getting them?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I really need a log from normal boot mode but I need to get to sleep so try the below. If your log was from safe mode, this may not completely work as there could be other items loading in normal boot mode.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\inetdata\winlogon.exe


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
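
The checks behind the fix list in this thread (orphaned "(no file)" entries, a start page pointing at an unexpected host, and an autostart entry for winlogon.exe outside System32), written out as an added example that is not part of the original posts or of HijackThis itself. The function names, the short list of system binary names, the allow-listed home page host and the ExampleApp line are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Illustrative, incomplete list of system binaries that belong in System32 (assumption).
SYSTEM32_NAMES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "svchost.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)

def triage_line(line, allowed_home_hosts=("www.google.com",)):
    """Return (section, reasons) for one HijackThis entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("orphaned: registered component has no file on disk")
    if section in ("R0", "R1") and "Start Page = " in body:
        host = urlparse(body.split("Start Page = ", 1)[1].strip()).hostname
        if host and host not in allowed_home_hosts:
            reasons.append("start page host not in allow-list: " + host)
    path = EXE_PATH_RE.search(body)
    if path:
        folder, name = ntpath.split(path.group(0))
        if name.lower() in SYSTEM32_NAMES and folder.lower() != SYSTEM32_DIR:
            reasons.append("system binary name outside System32: " + path.group(0))
    return section, reasons

def triage_log(text):
    """Return {entry: reasons} for every entry with at least one finding."""
    findings = {}
    for line in text.splitlines():
        result = triage_line(line)
        if result and result[1]:
            findings[line.strip()] = result[1]
    return findings

# Entries quoted in the thread, plus one constructed benign line (ExampleApp) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
"""
if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))
```

The same path check catches both the O4 Run key and the F3 win.ini entry, which is why removing only the Run key still left an autostart reference behind.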
     
  20. coconut

    coconut Private E-2

    Okay, completed the steps you suggested. Here's what happened:

    When I rebooted in regular mode I received the following error:
    Windows cannot find 'C:\WINDOWS\inetdata\winlogon.exe' make sure you typed the name correctly, and then try again. To search for a file click Start button and then click search.

    Then I received the following error:
    Could not load or run C:\WINDOWS\inetdata\winlogon.exe specified in the registry. Make sure file exists on your computer or remove the reference in the registry.

    I re-ran Spybot and it turned up the following:
    RSLocal
    DSO Exploit
    CoolWWWSearch.Yexe

    Also at the end of running the Spybot search I receive the following error:
    Error during check! Z-Demon (Ungultiger Datentyp fur")

    I re-ran HJT and log is attached.

    After deleting the files you suggested, my IE homepage changed to about:blank. I changed my Home page back to google and it has remained same for about 15-20 tries.

    Please advise on next steps. Thanks!!! :)
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you run Spybot what version does it say? In fact what does the title bar say too?

    You need to run HJT and with no browsers running Fix:
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

    Then reboot and see if you get those messages about winlogon.exe again.
    If so, we may need to edit c:\windows\win.ini by hand and delete the reference to C:\WINDOWS\inetdata\winlogon.exe
     
  22. coconut

    coconut Private E-2

    Titlebar = Spybot Search & Destroy
    Version = 1.3

    Fixed F3... and messages did not appear when I rebooted.
     
  23. coconut

    coconut Private E-2

    It has been a couple of hours and my homepage has stayed put. I deleted the HJT log lines that Dr. C suggested. I think it is fixed thanks to the good Doctor and everyone else who advised me. My computer is running clean except for the DOS Exploit/Error/Z-Demon... that Spybot keeps detecting. The coolweb has disappeared from the computer! I am elated.

    You are all fighting on the front lines of the war to save us from these evil viruses, hijackers and worms. You make life a better place for the rest of us. As a show of appreciation for your dedication to THE WAR ON BUGS I have decided to make www.majorgeeks.com my new unhijacked homepage. We thank you and we salute you!!!

    -Private Coconut
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome but:

    In message 16 I said:
    You still have not done that. If you had, you would have a different version of Spybot and you would not be getting DSO Exploit messages. This step is part of the original READ ME FIRST and should not have been skipped.
     
  25. coconut

    coconut Private E-2

    Oh, missed that one. Downloaded 1.31 and re-ran. DSO Exploit was found and deleted. Thanks again! :D
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
