Cannot Change Ie Home Page

Discussion in 'Malware Help (A Specialist Will Reply)' started by allanr, Apr 19, 2005.

  1. allanr

    allanr Private E-2

    I need some assistance. I have been trying to help a friend with what appears to be some type of browser hijacker. We have tried to change IE's home page, but as soon as we click on the Home Page icon, IE goes to MSN.com and the home page setting we typed in (under Internet Options) is gone.

    I booted the system in safe mode and made the change, which appeared to have worked. But as soon as we booted in normal mode and opened IE, the home page was changed.

    The OS is XP home edition. Besides running his Antivirus software, we ran Ad-Aware Pro, Spybot S&D, Spyware Blaster and Microsoft's Anti-Spyware (beta) software. Microsoft's software was the only one to detect and warn that there is a hijacker present, but it does not provide any more information and it does not remove it, even though it says it did.

    I performed all of the steps recommended in the Major Geeks' post "Spyware, Trojans and Virus Removal". The online scans (Trend Micro and Symantec) turned up nothing. After booting in Safe Mode, I ran all the other recommended tools (except for about:Buster). HSRemove indicated that it found and removed 8 files, and Ad-Aware detected that 8 registry entries were changed (which were the ones I suspected as being part of the problem). However, when I rebooted in normal mode and opened IE, the problem was back. I then rebooted in Safe Mode and ran Hijack This.

    I am not that familiar with all of the entries listed in the log, but the following entries caught my eye.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    O15 - Trusted Zone: media36.fastclick.net

    The latter looks to be one of those ad trackers that I typically block, but I don't believe it is causing the problem at hand. The first two look like the culprits, but if so, I am not sure I know how to deal with it. I hope that some of you can offer advice and help me. I have the hijackthis.log and will post it if requested.

    Thank you in advance,

    --al
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. allanr

    allanr Private E-2

    chaslang,

    Thank you for your reply. I did run HijackThis in Safe Mode, with no other applications open. The log file is attached. I look forward to reading your analysis.

    Thanks,
    --al
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis in normal boot mode and please use notepad to save the files (which is the default from HijackThis). The log you posted has no carriage returns and is not readable in notepad.

    Please post a new log!
     
  5. allanr

    allanr Private E-2

    Thank you, chaslang for your reply. It took a while to get access to the problem computer. Attached is the new log file, run with XP in Normal Mode.

    --al
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\??rvices.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {5A2AF738-18D4-1425-F5DE-32C68A639CE7} - C:\WINDOWS\system32\fbl.dll
    O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~2\Toolbar.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O4 - HKLM\..\Run: [zsNeNcQ] c:\documents and settings\owner\local settings\temp\zsNeNcQ.exe
    O4 - HKLM\..\Run: [uFB] c:\windows\uFB.exe
    O4 - HKLM\..\Run: [01bb64e9d0f5] C:\WINDOWS\system32\activeds.exe
    O4 - HKLM\..\Run: C:\windows\i.exe
    O4 - HKCU\..\Run: [Jhisqf] C:\WINDOWS\system32\??rvices.exe
    O4 - HKCU\..\Run: [winmm] C:\WINDOWS\System32\winmm.exe
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
    O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O15 - Trusted Zone: www.76wholesale.com
    O15 - Trusted Zone: onlineeast.bankofamerica.com
    O15 - Trusted Zone: premium.cnn.com
    O15 - Trusted Zone: www.cnn.com
    O15 - Trusted Zone: *.instanetforms.com
    O15 - Trusted Zone: www.nebs.com
    O15 - Trusted Zone: paims.ocpafl.org
    O15 - Trusted Zone: pamap1.ocpafl.org
    O15 - Trusted Zone: www.ticketmaster.com
    O15 - Trusted Zone: *.transactiondesk.com
    O15 - Trusted Zone: cache.unicast.com


    And if you do not recognize what the below are for, fix them too.
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://mfr.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://mfr.mlxchange.com/Control/SISC.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://johnboy.instanetforms.com/inet5_doc/InstanetForms/ILOAD/FAR/setup.exe
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://mfr.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://mfr.mlxchange.com/Control/AspCustomCtrls.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\fbl.dll
    C:\Program Files\Advanced Searchbar <--- the whole folder if found
    c:\documents and settings\owner\local settings\temp\zsNeNcQ.exe
    c:\windows\uFB.exe
    C:\WINDOWS\system32\activeds.exe
    C:\windows\i.exe
    C:\WINDOWS\system32\??rvices.exe
    C:\WINDOWS\System32\winmm.exe
    C:\Documents and Settings\Owner\Application Data\wtta.exe

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.


    Now run CCleaner (installed while running the READ ME FIRST). Then, if running Win XP, go to C:\Windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
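The triage chaslang performs on the posted log above (an emptied Start Page value and a start/search page pointing at a host the user never chose, orphaned BHO and toolbar entries, Run values launched from temp or profile folders, a system DLL name reused as an .exe, sites added to the Trusted Zone), as an added example in Python that is not part of the thread or of HijackThis. The log lines it scans are constructed from the entries quoted in the thread plus one benign Search Page line; EXPECTED_HOSTS and DLL_ONLY_NAMES are assumptions of this example, not something the thread states.

```python
"""Triage a HijackThis-style log for IE home-page hijack indicators.

Added example (not from the thread or from HijackThis): it encodes the
checks a malware-forum helper applies to a posted log.  SAMPLE_LOG is
constructed from entries quoted in the thread plus one benign line.
"""
import re
from urllib.parse import urlsplit

# Assumption: hosts this user would expect as IE start/search pages.
EXPECTED_HOSTS = {"www.google.com"}

# Assumption: Windows components that ship as DLLs, never as EXEs; an
# .exe of the same name in system32 is a masquerading hint.
DLL_ONLY_NAMES = {"winmm", "activeds"}

LOG_LINE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
RUN_ENTRY = re.compile(
    r"HK(?:LM|CU)\\\.\.\\Run:\s*(?:\[(?P<label>[^\]]*)\]\s*)?(?P<cmd>.+)$", re.I)
ORPHAN_MARKERS = ("(no name)", "(no file)", "(file missing)")

# Constructed sample: entries quoted in the thread plus one benign line.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O2 - BHO: (no name) - {5A2AF738-18D4-1425-F5DE-32C68A639CE7} - C:\WINDOWS\system32\fbl.dll
O4 - HKLM\..\Run: [zsNeNcQ] c:\documents and settings\owner\local settings\temp\zsNeNcQ.exe
O4 - HKLM\..\Run: C:\windows\i.exe
O4 - HKCU\..\Run: [Jhisqf] C:\WINDOWS\system32\??rvices.exe
O4 - HKCU\..\Run: [winmm] C:\WINDOWS\System32\winmm.exe
O15 - Trusted Zone: media36.fastclick.net
"""


def _exe_path(cmd):
    """Recover the executable path from an O4 command line. Unquoted
    paths may contain spaces, so cut at the first .exe, not at a space."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return (m.group(1) if m else cmd).lower()


def triage(log_text):
    """Return (code, reason, detail) findings for suspicious log lines."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            key, _, value = body.partition("=")
            key, value = key.strip(), value.strip()
            if not value:
                findings.append((code, "empty start/search value", key))
            elif urlsplit(value).hostname not in EXPECTED_HOSTS:
                host = urlsplit(value).hostname
                findings.append((code, "unexpected host", f"{key} -> {host}"))
        elif code in ("O2", "O3", "O9"):
            if any(marker in body for marker in ORPHAN_MARKERS):
                findings.append((code, "orphaned or unnamed browser extension", body))
        elif code == "O4":
            r = RUN_ENTRY.search(body)
            if not r:
                continue
            path = _exe_path(r.group("cmd"))
            name = path.rsplit("\\", 1)[-1]
            stem = name.rsplit(".", 1)[0]
            reasons = []
            if "\\local settings\\temp\\" in path or "\\application data\\" in path:
                reasons.append("autorun from temp/profile folder")
            if "?" in path:  # HijackThis prints '?' for characters it cannot render
                reasons.append("non-printable characters in path")
            if stem in DLL_ONLY_NAMES and name.endswith(".exe"):
                reasons.append("system DLL name used as .exe")
            if r.group("label") is None:
                reasons.append("Run value with empty name")
            for reason in reasons:
                findings.append((code, reason, path))
        elif code == "O15":
            site = body.split(":", 1)[1].strip()
            findings.append((code, "site added to Trusted Zone", site))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:40} {detail}")
```

The `?` characters in `??rvices.exe` are HijackThis's rendering of characters it cannot print, which is why the script treats any `?` in a Run path as a flag rather than a literal file name. The "unexpected host" check only means something once EXPECTED_HOSTS holds what the machine's owner actually set; with an empty set every populated start or search page would be reported.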