Hijacked Browser

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oterra1313, Dec 22, 2004.

  1. oterra1313

    oterra1313 Private E-2

    I'm having problems with my homepage being changed automatically to a page I don't want. Also some adult (and rather offensive) web pages keep appearing in my Favorites list. Deleting them does not help...they keep coming back. The home page I keep getting directed to is http://www.win-eto.com/hp.htm?id=9. I have followed all of your steps in trying to remove my problem, but it keeps coming back. I have also installed hijackthis and have a log ready to post. Can you help?

    oterra1313
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Oterra1313,

    If you have exhausted all of the options in the Cleanup Tutorial including the Online Scans, then please go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best:)
    PP
     
  3. oterra1313

    oterra1313 Private E-2

    Here is my HijackThis log. I sure hope you can help me...I've been pretty tempted to chuck this computer out the window. Thanks so much for your help.

    Oterra1313
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Oterra1313,

    Before we can start, you must relocate HijackThis:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Please rescan and attach a fresh log!

    ALSO, Please download the following tool: Pocket KillBox - - Keep it handy, as we will need it.


    I suggest Uninstalling WildTangent - It contributes to a lot of headaches such as this.


    Do you recognize the below as legitimate and needed?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;192.168.0.*;localhost;<local>



    Please address the above and attach a fresh HJT Log and we'll knock out those baddies. I'll check back as time permits - 'Tis the season for all things hectic!

    PP :)
     
  5. oterra1313

    oterra1313 Private E-2

    Okay, I have relocated HijackThis and have attached a new log. I went to uninstall Wild Tangent from the Add/Remove programs, and it says that it has already been uninstalled. As far as the internet proxy servers you asked me if I needed...I'm not sure. I DO know that direcway is my satellite internet connection, so it may be important.

    Thanks,

    Oterra1313
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Oterra1313,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Run Pocket Killbox and select the Delete on Reboot option. Then, Copy and Paste the following into the Box: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    Then, Click Delete (red X) and then Yes or OK until your machine reboots.


    THEN, navigate to C:\WINDOWS\System32\85rgr5uojxfuodll.dll and verify that this is the correct path for the DLL.
    If it is not there, try looking for it here: C:\WINDOWS\85rgr5uojxfuodll.dll

    After you find the correct path, run Pocket Killbox and again choose the Delete on Reboot option. Navigate to 85rgr5uojxfuodll.dll and press the Delete button (red X) and then Yes or OK until your machine reboots.

    After your machine reboots, navigate to where the file had been and make sure it is gone.

    Once it is gone, scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeality.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.freeality.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~2.DLL

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\gr8c6u1jielx6wthd.exe
    O4 - Global Startup: winlogin.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O18 - Filter: text/plain - (no CLSID) - (no file)

    O20 - AppInit_DLLs: 85rgr5uojxfuodll.dll.dll.dll.dll.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if it should remain:

    C:\WINDOWS\System32\gr8c6u1jielx6wthd.exe

    NOW:
    Run CWShredder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
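
The fix list in the post above follows the HijackThis entry format (a section code such as R0, O4 or O20, then " - ", then the entry body). As an added example that is not part of the original thread or of HijackThis itself, this Python script parses such lines and summarizes which hosts the browser settings point to, which entries reference missing files, and what AppInit_DLLs loads; the function names are hypothetical and the sample lines are copied from that post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~2.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\gr8c6u1jielx6wthd.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - AppInit_DLLs: 85rgr5uojxfuodll.dll.dll.dll.dll.dll
"""

# Section code (letter plus one or two digits), " - ", then the entry body.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (code, body) pairs for every HijackThis-style entry line."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def registry_urls(entries):
    """Map 'hive\\key,value' to its URL for R0/R1 browser-setting entries."""
    out = {}
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            name, url = body.split(" = ", 1)
            out[name] = url
    return out

def summarize(text):
    """Group the log into the facts a reviewer checks first."""
    entries = parse_log(text)
    urls = registry_urls(entries)
    return {
        "sections": Counter(code for code, _ in entries),
        # Hosts that start/search page settings point to (proxy values skipped).
        "hosts": Counter(urlsplit(u).hostname for u in urls.values() if "://" in u),
        "missing_files": [b for _, b in entries if b.endswith("(file missing)")],
        "appinit": [b.split(": ", 1)[1] for c, b in entries
                    if c == "O20" and b.startswith("AppInit_DLLs: ")],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "->", value)
```
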
     
  7. oterra1313

    oterra1313 Private E-2

    YOU ARE A GENIUS!!! My problem has been fixed. I have one other thing tho that I hope isn't too much of a problem. After running all the virus kill programs you suggested, upon startup of my computer I get the following message: "could not find the target dll 'C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\BackWeb.dll' error code 126." Is this something that can be fixed? If not, I can live with it now that my browser has been fixed. Thank you so very much for all of your time and help. I hope Santa brings you good stuff this year!! Have a great Holiday!!

    Oterra1313
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Oterra1313,

    Happy to help :)

    You could probably delete the Backweb folder if you so desire. I don't know why you are getting that message. . . I don't think we messed with that.

    Backweb comes bundled with certain products (HP, Kodak etc...) as an automatic updater and is considered to be very mild spyware. Usually I leave it alone. But, it is absolutely not essential to have on your machine!
    I suggest you GOOGLE Backweb for more info.

    While you're here, you should also take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    I definitely recommend that you continue to use the following tools from the Cleanup Tutorial:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster

    These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall & keeping your Windows up-to-date will do wonders in helping to keep Malware off your computer!

    Happy Holiday Computing :)
    PP
     
