help with homepage hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by shufi, Jun 28, 2006.

  1. shufi

    shufi Private E-2

    hi!
    yes, i've been victimized too...
    at first, my homepage was "about:blank" hijacked.
    using several anti spyware programs (spyware doctor, spysweeper, ad-aware se), i gladly got rid of it, but i found out that it was only replaced by the msn homepage hijack. please help me fix this annoying problem.
    thanks

    Edit: Removed inline log
     
    Last edited by a moderator: Jun 28, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome

    To successfully remove any malware please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis



    Once done, we can proceed with any further removal steps.
     
  3. shufi

    shufi Private E-2

    help still needed - home page still hijacked

    hello again,

    after following your instructions step by step (your "read and run me first" process), my homepage is still hijacked.
    at first, it was "about:blank" hijack. then i ran few anti spyware programs (spyware doctor, spybot, adaware se) and the homepage hijack was changed to msn.
    at that point i found your amazing site and followed your instructions fully.
    after finishing all the steps one by one, my homepage is still hijacked, only this time it is "http://v4.windowsupdate.microsoft.com/"

    i need your help solving this problem once and for all
    attached 3 logs:bdscan.txt, activescan.txt, hijackthis.log

    thanks
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: help still needed - home page still hijacked

    Please do not start new threads for the same problem. You must remain in one thread from beginning to end. I have merged you back to your original thread.

    Is your copy of SpywareDoctor a paid version or free trial? If free, uninstall it since it will not fix anything for you.

    What is it that you still have installed from Symantec? Seems to be a security center application which you should not use since you have AVG7 installed.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\program files\eMedia Codec <--- delete the whole folder
    D:\My Downloads\vcodec_ver3.119.exe
    D:\My Downloads\eCodec-v4.345.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  5. shufi

    shufi Private E-2

    hi !

    my spyware doctor is a paid version.

    about symantec: i used symantec security center in the past but i am not using it anymore and i uninstalled the program. i don't know what it is that is still showing symantec application use or how to get rid of it.
    i use avg as my antivirus software.

    i followed your instructions and i still have windows update as my homepage, i still can not change the settings for the homepage.

    the new HJT log is attached.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So uninstall Windows Defender

    For your Symantec AV issue, do the below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to SymWMI Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SymWSC

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.
    After reboot make sure the below line is no longer in your HJT log:
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Also delete the below folder:
    C:\Program Files\Common Files\Symantec Shared\Security Center

    After uninstalling Windows Defender and after removing the Symantec Security Center Service as directed above, try resetting your home page again, but make sure you either disable Spyware Doctor's active protection or that you allow the change to be made if Spyware Doctor intercepts the change.

    Let me know how this goes.
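
Added example, not part of the original thread and not code from HijackThis: a small parser that pulls out of a HijackThis log the things checked in the posts above, namely entries marked "(file missing)", O23 services, and whether a deleted service is really gone after the reboot. The O3, O20 and O23 sample lines are quoted from the thread; the R0 line is constructed from the home page URL the poster reported, and all function names are hypothetical.

```python
import re

# Constructed sample: the O3, O20 and O23 lines are quoted from the thread;
# the R0 line is constructed from the home page URL the poster reported.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
SERVICE = re.compile(r"^Service: (?P<display>.+?) \((?P<name>[^()]+)\)"
                     r" - (?P<vendor>.+?) - (?P<path>.+)$")
START_PAGE = re.compile(r"^(?P<hive>HK[A-Z]+)\\.+,Start Page = (?P<url>.*)$")


def parse_log(text):
    """Split a HijackThis log into (section, body) pairs, skipping header lines."""
    pairs = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in pairs if m]


def orphaned(entries):
    """Entries whose target file no longer exists (leftover registry references)."""
    return [(sec, body) for sec, body in entries if body.endswith("(file missing)")]


def services(entries):
    """Map NT service name -> display name, vendor and path for every O23 line."""
    found = {}
    for sec, body in entries:
        m = SERVICE.match(body) if sec == "O23" else None
        if m:
            found[m.group("name")] = m.groupdict()
    return found


def start_pages(entries):
    """Map registry hive -> configured IE start page from R0/R1 lines."""
    hits = (START_PAGE.match(body) for sec, body in entries if sec in ("R0", "R1"))
    return {m.group("hive"): m.group("url") for m in hits if m}


def service_removed(log_after_reboot, name):
    """True when the named service no longer appears in a post-reboot log."""
    return name not in services(parse_log(log_after_reboot))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(start_pages(entries), orphaned(entries), services(entries), sep="\n")
```

Running `service_removed` on the log taken after the reboot, with the short service name `SymWSC`, is the automated form of the "make sure the below line is no longer in your HJT log" check.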
     
  7. shufi

    shufi Private E-2

    hi!

    sorry to say, still homepage hijacked (by "http://v4.windowsupdate.microsoft.com/").
    i uninstalled windows defender & followed your inst. regarding symantec av
    what do i do next??
    and again - t h a n k s
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a malware problem. Sounds like a configuration issue or your antispyware tools are blocking the change.

    Did you try changing it before or after fixing the Symantec stuff and uninstalling Windows Defender?

    What happens when you try to change it and how are you trying to change it?

    Did you shutdown Spyware Doctor before changing it?
     
  9. shufi

    shufi Private E-2

    i tried changing after fixing.....

    and, also tried changing after shutdown of spyware doctor

    i try to change the homepage through control panel/internet options
    it allows me to change, but the change does not actually take place.
    if i open "internet options" again or if i run the internet explorer the homepage shown is still "http://v4.windowsupdate.microsoft.com/".
    what should i do ???

    any other suggestions? i'm really getting frustrated
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It still does not sound like a malware issue. It still seems more likely to be due to software that is running or a restriction placed on your user account (possibly a registry setting). Do you get an error message? Does it actually change on the screen when you edit it or does it immediately block the change? What I want to know is when it changes back!!!

    Try this:

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    If the above does not help, then continue on to the below steps!

    Please download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on iexplore.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    Now run the below procedure and attach the runkeys.txt log.
     
    Last edited: Jun 30, 2006
  11. shufi

    shufi Private E-2

    well,

    first to your questions:
    I do not get an error message.
    as I mentioned before, when i edit the homepage settings, it does change on the screen (at the internet option window), it does not immediately block the change.
    the actual change does not really take place.
    the next time i open internet explorer or the next time i open internet options (in the control panel), it shows the unwanted homepage again.

    fixme.reg - did not help

    i attach the logs you requested.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried changing the home page on other user accounts and does it work?

    Have you tried changing it after booting in safe mode?

    Try using MSconfig to stop the Startups for Spyware Doctor. You need to disable them under both the Startup and Services tabs. Then reboot and try to change your start page.

    If that does not help, then while Spyware Doctor is still disabled do the following:

    Copy the bold text below to notepad. Save it as fixPOL.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Then get a new runkeys.txt log and then try to change your start page. Then attach a new HJT log. If at this point you still have a problem, leave Spyware Doctor disabled otherwise enable it.
     
    Last edited: Jul 1, 2006
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note the reason I asked about the other user accounts is that I'm wondering if something has changed the ownership setting of the Registry key related to your user account's start page. If that has happened, it explains why nothing is working. We will have to use a special procedure to try and fix it in this case. Basically we need to have your user account take ownership of the registry key again and then make the change.
     
  14. shufi

    shufi Private E-2

    hi,

    when i change the homepage settings in safe mode.
    it works !!
    after i boot back to normal mode, the homepage i specified stays but again i can not change it.

    there is only one user account

    i tried to disable spyware doctor as you suggested, it does not help.

    i didn't merge fixPOL.reg to the registry yet, i didn't understand the need for these changes.

    what do you think i should do now? to merge the fixPOL.reg or anything else??
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good! I had a mistake in that registry patch anyway which I just fixed. So if you already downloaded it, download it now and overwrite the previous one. These changes are an attempt to change a potential system policy that is blocking you from changing your home page. Run the patch now.
     
  16. shufi

    shufi Private E-2

    ok!
    where is the fixed patch?
    did you overwrite the previous one (message #12)?
     
  17. shufi

    shufi Private E-2

    at last !!!

    while waiting for your response, i continued to try and find the cause for this problem.
    well, i found it.
    the program responsible for the blocking of homepage change was zone alarm latest version - 6.5.722.000.
    i disabled zone alarm and the problem was solved.
    so, i uninstalled za and reinstalled an older version - 6.1.744.001.
    now i can change the homepage.

    thank you very much for your help and support,
    i'd love hearing comments from you about this.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have not used the most current versions of ZoneAlarm yet so I'm not familiar with this. But remember I did say multiple times that your problem was more than likely not malware but rather a setting somewhere. I'm sure that ZoneAlarm has a setting in it someplace where you can choose to enable or disable the feature of locking your home page.

    Is this just the firewall or is it their security suite, or is it the firewall + antispyware?
     
