Dellnet hijacker when launching IE

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lanemme, Dec 7, 2006.

  1. Lanemme

    Lanemme Private E-2

    Hello,

    I need help. I've read "Read and Run Me First," following all of the steps as listed. Thank you for clear and accurate instructions. (It took me a couple days to get through the steps and other people used the computer in-between some of the steps.)

    The issue that I'm seeing is that whenever I launch IE, it automatically goes to http://www.dellnet.com/. This gives "IE cannot display the page." Even if I change the default homepage in Internet Options, it goes back to dellnet at the next launch of IE.

    I've run all of the tools recommended in the RRME article and am attaching all the logs requested.

    Please help. Thank you.
     


  2. Lanemme

    Lanemme Private E-2

    Here are the other three files.
     
  3. Lanemme

    Lanemme Private E-2

    2nd try to post the other three log files
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Viewpoint

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.earthlink.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ELNKPCCINST] C:\DOCUME~1\Ann\LOCALS~1\Temp\{7797C70B-11EB-446A-9B1E-3D9039DB581F}_78\elnk_pcc .exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O11 - Options group: [INTERNATIONAL] International*

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Now, please boot into Safe Mode; be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint - Delete this whole folder if it exists!

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
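
The entries in the fix list above follow HijackThis's line layout: a section code, then a registry value or a registered component. As an added example (not part of the original post and not HijackThis's own code; the function names are this example's own), the following Python parses such lines and notes the patterns that appear in the list: start page values per hive, components registered with "(no file)", autoruns launched from a temp directory, and the O6 policy key.

```python
import re

# Sample input: six lines copied from the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [ELNKPCCINST] C:\DOCUME~1\Ann\LOCALS~1\Temp\{7797C70B-11EB-446A-9B1E-3D9039DB581F}_78\elnk_pcc .exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# R-section lines look like: <hive>\<key path>,<value name> = <data>
REG_RE = re.compile(r"^(HK[A-Z]+)\\([^,]+),(.+?) =\s*(.*)$")

def parse_line(line):
    """Split one log line into section code, body and (for R lines) registry fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"code": m.group(1), "body": m.group(2)}
    reg = REG_RE.match(entry["body"]) if entry["code"].startswith("R") else None
    if reg:
        entry.update(hive=reg.group(1), key=reg.group(2), name=reg.group(3), data=reg.group(4))
    return entry

def triage(entry):
    """Return review notes for one parsed entry (empty list = nothing notable)."""
    notes = []
    if entry["body"].endswith("(no file)"):
        notes.append("orphaned: no file on disk")
    if entry["code"] == "O4" and re.search(r"\\temp\\", entry["body"], re.I):
        notes.append("autorun from a temp directory")
    if entry.get("name") == "Start Page":
        notes.append("start page in %s: %r" % (entry["hive"], entry["data"]))
    if entry["code"] == "O6":
        notes.append("IE options restricted by policy key")
    return notes

def review(log_text):
    """Parse a whole log and return (code, notes) for every entry that has notes."""
    parsed = filter(None, (parse_line(l) for l in log_text.splitlines()))
    return [(e["code"], n) for e in parsed for n in [triage(e)] if n]

if __name__ == "__main__":
    for code, notes in review(SAMPLE_LOG):
        print(code, "; ".join(notes))
```
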
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I wanted to ask before we removed, are you familiar with the below?

    Is "Sprint" your ISP? If so this is legit.

     
  6. Lanemme

    Lanemme Private E-2

    Sprint is the ISP, although it has been merged/purchased by Embarq, so technically, the ISP is Embarq not Sprint. I'm not sure if I understand how Earthlink differs from Sprint. I guess Sprint is the service provider and Earthlink provides the email client and email services? Not sure that I understand how it all works.

    I don't completely understand your two quotes. The first quote has a reg key and gives the preferred and alternate DNS servers that a recent tech support rep had me put into TCP/IP properties.

    I don't understand the second quote.

    Should I proceed with your directions? (I already uninstalled the three Viewpoint programs as part of the initial housecleaning.)
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, proceed with my fix and then reboot and attach a fresh HJT log. Those entries are legit; you can ignore that post.
     
  8. Lanemme

    Lanemme Private E-2

    I ran all of the steps from your post.
    1. Viewpoint was already uninstalled
    2. Ran Hijackthis and fixed the list of items indicated. (All browser windows closed)
    3. Ran CCleaner
    4. In Safe Mode, I viewed hidden and system files and deleted the Viewpoint folder.
    5. Reboot into normal mode. Reset web and security settings
    6. Turned off system restore. Reboot.
    7. Turned on system restore. Reboot.
    8. Ran HJT. Log attached.

    On the first launch of IE after resetting web settings, I got the Microsoft runonce page. On the second and subsequent launches, I'm still getting hijacked by www.dellnet.com.

    Poor me. What am I to do?

    Also, over the last couple of days, I've noticed that when I first boot up, Norton displays a message balloon from the Notification Area saying that the Antivirus is turned off. After several minutes it turns itself on. Have not noticed this behavior in the past (although, this is my parents' computer, but they haven't noticed this behavior in the past). Is this just because Norton is launching in the background?
     


    Last edited: Dec 9, 2006
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's not a hijacker, just an unwanted start page. First thing I would do is, if you don't use it I would uninstall "Dell Support" as it's a waste of resources. Also, you can uninstall CounterSpy if it was installed during the READ ME, if you purchased it you can leave it.

    Reboot into Safe Mode and have HJT fix the below entries...

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Once you complete this post reboot once more and let me know how things are running.
     
  10. Lanemme

    Lanemme Private E-2

    bjgarrick, you're amazing!

    I followed your fixes as closely as possible. When running HJT, I could not find all of the lines to fix that you listed while in SafeMode in the Admin account, so I ran HJT in the other two user accounts, and I think that I got all of the lines fixed by doing it in all three accounts.

    IE seems to be working fine. We have our familiar homepage back.

    I do have a couple questions:
    1) How'd you learn all this stuff?
    2) My parents used to use the Earthlink toolbar; it is now grayed out on the context menu of the toolbars area. Do you have a recommendation if it is wise/unwise to reinstall it?
    3) What is a browser hijacker? How does it differ from an unwanted start page?

    Thank you so much for your time, your patience, and your help.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Doing it for a long time, best way I found to learn this is to read around the forum and research other forums because everyone does things in their own way.

    Personally, I don't recommend any toolbar because toolbars IMO are a waste of resources.

    It's basically the same thing, a hijacker takes over your internet browser and redirects the homepage to a malicious website.
     
