I have, er, something!

Discussion in 'Malware Help (A Specialist Will Reply)' started by The Red Cardinal, Jul 5, 2006.

  1. The Red Cardinal

    The Red Cardinal Private E-2

    Ok, long story so I'll try to cut it as short as possible!

    Our family PC is used by all of us. I try to get everybody to use Firefox which is going quite well, but one or two of the sites we use won't work in Firefox so I.E. is also on the system for these.

    Now my teenaged boy, I think, also uses IE for his, er, extra surfing. And now we have some sort of infection.

    The symptoms of it are this:

    - whenever IE is started it is stuck on a homepage. I've tried altering it to use about:blank, but whenever I click apply, and reload IE, this homepage is back again. Bizarrely, this homepage is MSN? Nothing sinister there? But a symptom of a problem...?

    - random popups, either insisting my system is compromised and 'must be scanned' (clicking no opens another window telling me to download), and then clicking cancel opens up another window (sorry, I should say tab as this final move happens in Firefox) trying to get me to download some checker. Other popups are for 'Adultfriendfinder' or 'Sexsearch'

    I've followed all instructions on generic removal and also the fix involving the Fixquake reg entry and smitREM file in safe mode. Deleting the temp files in C:\Windows\Temp took a while as several of the folders contained a file called Desktop.ini which took a lot of persuasion to be deleted.

    I've just logged back in from safe mode, and have received 3 warnings from my AVG that files in C:\Windows\Temp are infected with Trojan horse Dialer.BZB (these files are called win3.tmp.exe, win6.tmp.exe, and win8.tmp.exe).

    So - what do I have? :)

    (Hijack This Log attached...)
     

    Attached Files:

  2. The Red Cardinal

    The Red Cardinal Private E-2

    Sorry to boost this message... but it's gone off the 1st page and didn't want it overlooked! :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Sorry it took so long but we are exceptionally busy! Just a note to you for future reference, bumping does you more harm than good. We work on oldest unanswered threads first. When you add a message, you effectively lose your place in the queue because your thread becomes newer and also looks answered.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  4. The Red Cardinal

    The Red Cardinal Private E-2

    Ok, followed the advice in the thread again, and came across the following:

    (From safe mode)
    - Windows defender found nothing
    - Adaware deleted 6 items
    - Spybot deleted 5 items

    Then I rebooted into normal mode to do the online scans :

    - Bitdefender kept crashing and shooting down after about 2 hours of scanning
    - Activescan attached

    I also turned off the selective startup with MSConfig, and the now much larger HijackThis file is attached also.

    The same symptoms persist, namely I can't get rid of MSN as the homepage in explorer, and I get popups in I.E. whenever I use it.

    I've looked at the Hijack This thread and so much of that stuff is not active on my PC - only about 5 programs load at startup. Also, even though I've uninstalled MSGPlus (much to my daughter's dismay!), it still appears on the HJT log.

    So, anyway - help appreciated as always.

    Many thanks,
    The Cardinal
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but now all the malware items are showing that you were hiding before.

    Problems like this (going to a valid site like MSN) with stuck home pages are not typically malware. It is the software you installed and how you have it configured. Check ZoneAlarm, Ewido, Windows Defender, Prevx1, AVG etc. and make sure you do not have them set to lock your start page. I would recommend starting with ZoneAlarm.


    Make sure viewing of hidden files is enabled (per the tutorial).
    Uninstall the below programs if they are still installed:
    Bearshare
    eDonkey2000
    GreasyPalmUpdate
    Kazaa or Kazaa Lite
    shhost or OutLaster
    saap or search-assistant
    Sygate personal Firewall
    webHancer
    WhenUSearch
    WinTools
    Zango

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [shhost] C:\Program Files\OutLaster\shhost.exe
    O4 - HKLM\..\Run: [saap] c:\program files\search-assistant\saap.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [Maplom] C:\Program Files\Maplom\Maplom.exe
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
    O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    <--- the whole folder
    C:\Program Files\Common Files\WinTools <--- the whole folder
    c:\program files\altnet\points manager <--- the whole folder
    C:\Program Files\BearShare <--- the whole folder
    C:\Program Files\Block Checker <--- the whole folder
    C:\Program Files\eDonkey2000 <--- the whole folder
    C:\Program Files\Kazaa Lite <--- the whole folder
    C:\Program Files\Maplom <--- the whole folder
    C:\Program Files\Messenger Plus! 3 <--- the whole folder
    C:\Program Files\Microsoft AntiSpyware <--- the whole folder
    C:\Program Files\MyWebSearch <--- the whole folder
    C:\Program Files\OutLaster <--- the whole folder
    c:\program files\search-assistant <--- the whole folder
    C:\Program Files\Sygate <--- the whole folder
    C:\Program Files\Toolbar <--- the whole folder
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\WhenUSearch <--- the whole folder
    c:\program files\zango <--- the whole folder
    C:\WINDOWS\GreasyPalmUpdate.exe <--- the whole folder
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk


    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
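The HijackThis lines quoted in the reply above are shorthand: `O4 - HKLM\..\Run: [name] command` is a value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, `O4 - Startup:` / `O4 - Global Startup:` are `.lnk` files in the per-user and All Users Startup folders, and `O6` reports that an Internet Explorer policy key exists (the `Control Panel` policy key is where values such as `HomePage` live, which grey out the home page setting in Internet Options; whether any such value is set on this PC is not visible in the log). The script below is an added example, not part of the thread or of HijackThis itself: it parses those line types from a sample built from the entries quoted in the reply, resolves each to its real registry key or folder, pulls the executable out of the command line (quoted, unquoted-with-spaces, or bare), and flags the ones that match the uninstall list. The `<user>` placeholder in the per-user Startup path and the sample log are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample log constructed for this example from the O4/O6 lines quoted in the
# reply above; it is not a real log from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# HijackThis abbreviates the autostart keys as "HKLM\..\Run"; these are the
# registry paths that abbreviation stands for.
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion",
}
# Windows XP startup folders. The All Users path is the one named in the
# reply; "<user>" is a placeholder (assumption) for the profile name.
STARTUP_DIRS = {
    "Startup": r"C:\Documents and Settings\<user>\Start Menu\Programs\Startup",
    "Global Startup": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+?) = (.*)$")
POLICY_RE = re.compile(r"^O6 - (HK\w+\\.+?) present$")


@dataclass
class Autorun:
    kind: str       # "run" (registry value) or "startup" (.lnk in a Startup folder)
    location: str   # full registry key or startup folder
    name: str       # value name or .lnk file name
    command: str    # raw command line / link target
    exe: str        # program path extracted from the command line


def extract_exe(command: str) -> str:
    """Pull the program path out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, args may follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    if m:                                       # unquoted path that may contain spaces
        return command[:m.end()]
    return command.split()[0]                   # bare command, e.g. %systemroot%\system32\dumprep


def parse_hjt(log: str) -> Tuple[List[Autorun], List[str]]:
    """Parse O4 (autostart) and O6 (IE policy key) lines; other line types are ignored."""
    autoruns: List[Autorun] = []
    policy_keys: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            hive, subkey, name, cmd = m.groups()
            autoruns.append(Autorun("run", RUN_KEYS[hive] + "\\" + subkey, name, cmd, extract_exe(cmd)))
        elif (m := STARTUP_RE.match(line)):
            folder, lnk, target = m.groups()
            autoruns.append(Autorun("startup", STARTUP_DIRS[folder], lnk, target, target.strip()))
        elif (m := POLICY_RE.match(line)):
            policy_keys.append(m.group(1))
    return autoruns, policy_keys


def flag_unwanted(autoruns: List[Autorun], unwanted: List[str]) -> List[Autorun]:
    """Return the autoruns whose value name or program path mentions an unwanted program."""
    needles = [u.lower() for u in unwanted]
    return [a for a in autoruns
            if any(n in a.name.lower() or n in a.exe.lower() for n in needles)]


if __name__ == "__main__":
    runs, policies = parse_hjt(SAMPLE_LOG)
    for a in flag_unwanted(runs, ["zango", "WinTools", "Kazaa", "MyWebSearch"]):
        print(f"{a.kind:8} {a.location}\n         [{a.name}] -> {a.exe}")
    for key in policies:
        print("policy key present:", key)
```

Matching on both the value name and the resolved executable path matters because the same program can show up under different names in HKLM, HKCU and the two Startup folders (MyWebSearch appears three ways in the quoted log), and the folder that has to be deleted in safe mode is the directory part of the extracted path, not the value name.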
     
  6. The Red Cardinal

    The Red Cardinal Private E-2

    OK thanks for the help so far. Here's the latest:

    - none of those programmes were installed on my PC
    - the couple of folders listed by you were deleted in Safe Mode
    - CC Cleaner was run

    Ok now back in normal mode, and the symptoms persist. When opening Internet explorer, I get pop-ups - normally for anti virus software. This takes the form of a window that looks like a Windows info popup; then an explorer window opens which pretends to do a scan; when I close this, a tab in Firefox opens with a link to an anti-virus site.

    The MSN homepage thing is strange. The actual listing in Internet Options for start page is:

    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    Is this normal?

    I can't find any such options in Zonealarm as you suggest; and all the other programs apart from AVG have been installed since this problem started, so couldn't be to do with those (also no relevant options found in them.)

    New HJT thread attached.

    Thanks again guys...
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is normal and what is valid are two different things. That is a valid site. Whether it is what you want your start page to be only you can tell me.

    What version of ZoneAlarm do you have (tell me the version number and also whether it is the free version or the Pro version).

    Is Ewido a paid or free trial version?
    Is Prevx a paid or free trial version?

    Your HJT log is clean!
     
  8. The Red Cardinal

    The Red Cardinal Private E-2

    Hey Chaslang,

    Thanks for your continued support.

    I understand what you mean about the difference between normal and valid - while I have no concern with being directed to the MSN homepage of itself, I do have concerns if it's an underlying problem. But if it's not, then it's something I can live with.

    All my protection software is of the free variety. As I'm away from my PC right now can't tell you exact version of ZoneAlarm, but I did recently do a critical update of it (within last 3 weeks).

    While it's great that my HJT log is clean, I do still get those popups so something somewhere must be wrong :confused:

    Anyway thanks again for your help!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But my question about this was whether you want MSN to be your Home page or not. I assume you are trying to change it and cannot. And that was why I was asking about your ZoneAlarm version. I have had several users lately that had similar problems changing these kind of settings and it was ZoneAlarm blocking the changes. Tools that are used by everyone have to be better understood before all these restrictions are put into place by the user. I have had many cases of people coming here and complaining about malware and hijackers where the problem had nothing to do with malware. It was all the software that the user installed and did not understand how it worked that was the cause of the problem.

    This is also the reason I was asking about whether some of your tools are free or paid. Overuse of spyware blocking tools slows down PC performance, causes conflicts with each tool, and can confuse the heck out of the end user when trying to make changes and they keep getting blocked. You have Ewido, Prevx, and Windows Defender. You should only use one of them and it should be the one providing full functionality. The only one to do that is Windows Defender since it is totally free. The others are demos that have restrictions. My recommendation is to uninstall Ewido and Prevx unless you are going to purchase one of them. I would however recommend a full scan with Ewido and save the log to post here before uninstalling. (READ THIS: Running Ewido Anti-Malware )

    Tell me exactly when you get these popups and what is in them. Do they ever occur when not connected to the internet? Do they occur in safe mode?

    This is part of the reason that we do not accept HijackThis logs without the full cleaning process being run. HJT logs do not show all potential malware issues. It is not even close to that level of detail. Since you could not run Bitdefender other issues may have been missed too. Let's try something else. Please run the below procedure and attach the newfiles.txt log.
     
    Last edited: Jul 10, 2006
