ARRRRG! Please help - IE 6

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by abern01, Nov 6, 2003.

  1. abern01

    abern01 Private First Class

    I'm pulling out my hair with this one! :confused:
    I use Windows XP Home and IE 6. MSN is my home page. For the past few days, every time I turn on the computer and access the internet, "Quick Search" (www.quick-search.ws/) is now my home page. It is also listed in "My Favorites". I go to internet options and click the default (MSN) and apply it to be my home page. I remove "Quick Search" from my favorites as well.
    My wife has her own settings and when I log on to hers, she has the same problem. I remove all traces of this from both of our settings. The next time I restart the computer, Quick Search is back as the home page and in the Favorites as well.
    I do a complete search in my computer and cannot find any other records for "Quick Search", but it keeps coming back.
    I've done a complete virus scan (updated as of today), so I'm pretty sure it's not a virus.
    If I click on the properties of the site it shows:
    www.maxxxhosters.com/search.php
    That also doesn't show up anywhere in my computer. What else can I do to purge this and get MSN back permanently as my home page?
    Please help. Thank you in advance!!!!!

    Win XP Home
    Amd Athlon 2000+
    Asus A7N8X Deluxe V2
    Asus V9950 Ultra
    Creative Audigy Platinum
    1024 MB OCZ pc 3200 400Mhz EL DDR ram
    Thermaltake Silent Purepower 480W
    Thermake fans
     
  2. stuartbuckell

    stuartbuckell Private E-2

  3. abern01

    abern01 Private First Class

    Thanks for the advice, but I've run Spybot and it hasn't found anything.
    I'm usually really good about what I download, cleaning out my rig on an almost daily basis, defrags, scans, current updates, etc. That's why it's so puzzling as to where I got this, why I can't find it and how to get rid of it?
     
  4. stuartbuckell

    stuartbuckell Private E-2

    downloads.com is easy ;)

    also- spybot isn't much cop tbh, you need lots of diff programs, each program finds something different...

    btw

    adaware > spybot
     
  5. abern01

    abern01 Private First Class

    Robo....
    Here are the results:

    Logfile of HijackThis v1.97.3
    Scan saved at 10:07:34 AM, on 11/6/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Allan\LOCALS~1\Temp\Rar$EX00.859\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Ulubione] C:\WINDOWS\System32\sysqluq.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3047253842b8fac6df16/netzip/RdxIE601.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.950150463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
     
  6. Jamiko

    Jamiko Sergeant

    Fix the R1 and R0 settings with Hijack This. Some of the O4 settings look interesting to me, I will have to do some research.
     
  7. abern01

    abern01 Private First Class

    robo...Jamiko,

    I ran Hijack This again and deleted the R1 and R0 lines. I rebooted, opened IE and Quick Search is still the home page and is listed in "My Favorites" again!
    I also ran Norton Win Doctor and it didn't find any registry problems. Any other ideas?:(
     
  8. abern01

    abern01 Private First Class

    robo,

    Yes I have tried to change the home page by: clicking default (MSN), typing in MSN, Yahoo as well as Blank. Each time I reboot....I'm back to having the Quick Search home page appear.

    I've also checked in msconfig and there doesn't appear to be anything out of the ordinary in the startups.

    ???????:(
     
  9. Endi

    Endi Lt. Links

    seems to me you need a good trojan remover. I personally have used the following and it has done wonders for me. the good thing is they allow you to use it for 30 days. this program is sort of complicated to use but it does exactly what it says.

    Just read what Major Geeks have to say about it. Sounds good to me.

    http://www.majorgeeks.com/download.php?det=3951

    Depending on the amount of data and the size of your drive this program will run for a long time. Make sure to update it from this site since they update it daily

    I hope this helps

    ;)
    http://tds.diamondcs.com.au/
     
  10. abern01

    abern01 Private First Class

    OK,
    Did that and the final report said there were no Trojan mutexes found.
    I also ran the Ashampoo WinOptimiser Utility (as well as Norton System works) and nothing was found.
    THIS IS SO FRUSTRATING!!!!!!!!!!!!!

    What next??????
     
    Last edited: Nov 6, 2003
  11. Jamiko

    Jamiko Sergeant

    Have you tried ad-aware yet? I run ad-aware and spybot, they always find something the other has not. Make sure you update it before you run it.

    Unless you want that 2020search thing, I suspect it is not supposed to be there. Ad-Aware and/or Spybot should get rid of it if you have the latest updates.
     
  12. abern01

    abern01 Private First Class

    WOOHOOOO

    Finally found the culprit! My friend Scott found it (have to give him credit).
    It was in the Registry Entry. We looked at everything! Finally found:

    ULUBIONE c:\window\system32\sysqluq.exe

    Removed everything associated with it everywhere in my computer and it's finally gone!
    In case anyone else ever gets this annoying problem, you now have the solution!
    By the way...I ran Ad Aware and it didn't find it either!

    Thanks very much to all those that offered assistance!
     
  13. Endi

    Endi Lt. Links

    O4 - HKLM\..\Run: [Ulubione] C:\WINDOWS\System32\sysqluq.exe
    above from your own posting

    It was in front of us the whole time. :D

    It was asking us to find it

    I am glad you got your problem solved
     
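    The way this thread was eventually solved (Jamiko pointing at the R0/R1 search entries, Endi pointing back at the O4 Run line that was in the log all along) is exactly what a small triage script can do mechanically. Below is an added example, written for this thread and not part of HijackThis or any tool mentioned here, that reads HijackThis-style log lines and flags three things: IE search/home settings pointing at a host the owner does not expect, BHO registrations with no file on disk, and Run entries whose name is not on a baseline of entries the owner has already recognised (with a higher severity when the target lives under C:\WINDOWS, as sysqluq.exe did). The sample input is copied from the log posted above; the expected-host and baseline sets are assumptions you would adjust for your own machine.

```python
"""Triage HijackThis-style log lines: search-page hijacks, orphaned BHOs and
unfamiliar autostart (Run) entries. Example code for this thread, not HijackThis."""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ulubione] C:\WINDOWS\System32\sysqluq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Assumed baselines (adjust per machine): hosts the owner expects IE's search and
# home settings to point at, and Run-entry names already identified as legitimate.
EXPECTED_SEARCH_HOSTS = {"www.msn.com", "search.msn.com"}
BASELINE_RUN_ENTRIES = {"NvCplDaemon", "MSMSGS", "NAV Agent", "nwiz"}

# "R1 - <body>", "O4 - <body>" etc.
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [Name] command line"  (Global Startup entries do not match and are skipped)
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def run_target(cmd: str) -> str:
    """Return the file a Run entry actually loads: the quoted path, the first token,
    or, for rundll32, the DLL it is asked to load (text before the comma)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    if tokens and tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0] if tokens else ""


def triage(log_text: str) -> list:
    """Return (severity, reason, original line) tuples for suspicious entries."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, url = body.partition(" = ")
            host = urlparse(url.strip()).hostname
            if host and host.lower() not in EXPECTED_SEARCH_HOSTS:
                findings.append(("high", f"IE setting '{key}' points at unexpected host {host}", line))
        elif sec == "O2" and body.endswith("(no file)"):
            # Registered helper object whose DLL is gone: leftover, harmless but worth cleaning.
            findings.append(("low", "orphaned BHO registration with no file on disk", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if not r or r.group("name") in BASELINE_RUN_ENTRIES:
                continue
            target = run_target(r.group("cmd"))
            # Unknown autostart living directly under the Windows directory is the classic
            # hijacker pattern seen in this thread, so rank it above other unknown entries.
            sev = "high" if target.lower().startswith("c:\\windows\\") else "medium"
            findings.append((sev, f"Run entry [{r.group('name')}] not in baseline, loads {target}", line))
    return findings


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run against the sample, the script reports the two 2020search entries, the orphaned BHO, and `[Ulubione] ... sysqluq.exe` as high, while NvCplDaemon and MSMSGS stay silent because they are on the baseline. The baseline is the important part: as abern01 found, the only reliable way to spot an entry like this is to know which entries you recognise and look hard at the rest.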
  14. abern01

    abern01 Private First Class

    I'm not exactly sure where it came from. I know my wife was using this computer to search for Czech crystal & beads, but she knows better than to download anything. She just visited various web sites. That's the only thing we can come up with.

    By doing some sleuthing, I found (through Google) another site with a link to "Quick Search", it was: http://msxml.blowsearch.com
    Through Blowsearch, I found Quick Search's home. It appeared to be written in an Eastern European language. In what I assumed to be a FAQ section I noticed several other letters written and the only English words were "Hijack This". They were followed by exactly the same type of report that you asked me for. I guess I wasn't the only one with this problem and you were definitely on the right track.

    We just found it by trial and error. Looked at every single entry for ones that didn't look familiar. We changed the .exe extension to ".old", rebooted and the problem was gone. That's when we knew we finally found the culprit!!!

    I hope that this can be of help to someone else in the future. Again thank you for all of your help. You and this site continue to provide an invaluable service!!!!!
     
