unwanted homepage

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by randys, Aug 19, 2004.

  1. randys

    randys Private E-2

    This is my first login so forgive me if I don't do something right. I have a problem with a persistent homepage that I can't reset. I've tried spywareblaster and spybot and even tried some basic hijackthis stuff but can't get rid of the home page. Help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal > If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. randys

    randys Private E-2

    Thanks for your help so far. I had a problem with windows update. I did run the program and it said I downloaded it and asked me to restart. When I did it said it failed to update on the black screen. I went ahead and ran the other steps and everything worked fine and the homepage was gone until I re-enabled system restore then the page came back even though I had disabled the homepage change function with spywareblaster. I haven't run Hijack this yet. What's my next step?

    Thanks again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Disable system restore! And post (as a .txt file attachment) your HJT log.
     
  5. randys

    randys Private E-2

    I disabled system restore, went back into safe mode and ran hijackthis. Here's the text.
     

    Attached Files:

    • hjt.txt (File size: 4.8 KB, Views: 5)
    Last edited by a moderator: Aug 21, 2004
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you need to get HijackThis installed into a non-temp, non-Desktop folder where it can properly and safely save backups. You have it on your Desktop:
    C:\WINDOWS\DESKTOP\INTERNET CLEANUP TOOLS\HIJACKTHIS1982.EXE

    Second: I need your HijackThis log from normal boot.
    Third: What do you expect your home page to be?
     
  7. randys

    randys Private E-2

    I put hijackthis in the programs folder and ran it in regular mode. Yahoo is our normal homepage.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First some questions:

    1) Do you use this Disney Digstream stuff?
    See: http://www.answersthatwork.com/Tasklist_pages/tasklist_d.htm and scroll down to Digstream.exe

    If not, consider uninstalling it.

    2) Do you use "BEST BUY MUSICNOW"?

    3) Did you use any program to create the below restriction on Internet Explorer Control Panel?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Typically this can be done with programs like SpywareBlaster, SpyBot S&D and SpySweeper.

    4) Is this your complete log? You said you ran all the other steps from the < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >
    tutorial. There should be other lines after the OC13 if you did and typically there are other lines anyway.


    Run HijackThis again and put checks on the following lines but do not click Fix until you exit ALL Internet Explorer sessions:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    O9 - Extra button: Corel Network monitor worker - {3BB5D522-3689-4CB0-A1E9-1CBFCCB8537E} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3BB5D522-3689-4CB0-A1E9-1CBFCCB8537E} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {3BB5D522-3689-4CB0-A1E9-1CBFCCB8537E} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3BB5D522-3689-4CB0-A1E9-1CBFCCB8537E} - (no file) (HKCU)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)


    Now copy the below information (in bold print) to a file and save it to a file named urlpref.reg
    After saving the file, open up Windows Explorer (not Internet Explorer) and locate the file and double click on it.
    You will get a message about putting it into the registry, click okay (or yes). Then reboot, run a new HJT scan and post me a new log and tell me how things are working.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
    @="http://"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
    "ftp"="ftp://"
    "gopher"="gopher://"
    "home"="http://"
    "mosaic"="http://"
    "www"="http://"
     
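
The log entries singled out in the post above can be triaged mechanically. The following is an added example, not part of the original thread and not HijackThis's own code: it parses R0/R1, O9 and O6 lines and reports the ones a reviewer would look at. The sample log is constructed from the shape of the quoted entries, and `EXPECTED_HOSTS` is an assumption based on the home page the user named.

```python
import re
from urllib.parse import urlparse

# Constructed sample, shaped like the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O9 - Extra button: Corel Network monitor worker - {3BB5D522-3689-4CB0-A1E9-1CBFCCB8537E} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
O_LINE = re.compile(r"^(O\d+) - (.*)$")
EXPECTED_HOSTS = ("yahoo.com",)  # assumption: the home page the user said they want


def parse_line(line):
    """Split one log line into fields; None if it is not an R or O entry."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        keys = ("code", "hive", "key", "value", "data")
        return dict(zip(keys, (g.strip() for g in m.groups())))
    m = O_LINE.match(line)
    return {"code": m.group(1), "detail": m.group(2).strip()} if m else None


def host_expected(host, expected=EXPECTED_HOSTS):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected)


def review(log_text):
    """Return (code, reason) pairs for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["code"].startswith("R"):
            scheme = e["data"].split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                findings.append((e["code"], f"{e['value']} uses non-web scheme '{scheme}:'"))
            elif not host_expected(urlparse(e["data"]).hostname or ""):
                findings.append((e["code"], f"{e['value']} points at unexpected host"))
        elif e["code"] == "O9" and e["detail"].endswith("(no file)"):
            findings.append(("O9", "IE button/menu entry whose file is missing"))
        elif e["code"] == "O6":
            findings.append(("O6", "IE options locked by a policy key"))
    return findings
```
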
  9. randys

    randys Private E-2

    Thanks for all your help. Question 1 & 2- Yes we use those but if you recommend it I will get rid of them. 3. I have no idea what this is. 4. Yeah it was the complete log.

    I ran Hijack and clicked off what you said to do and now the homepage comes up blank. I saved the information you sent to a text file, named it urlpref.reg, the only kind of file I know much about. Saved it to a file that I named urlpref.reg. and then double clicked on the text file but I get a message that says:

    "Cannot import C:\WINDOWS\DESKTOP\URLPREF.REG\URLPREF.REG: The Specified file is not a registry script. You can import only registry files."

    Obviously I'm incredibly computer illiterate. Hope you can walk me through it.

    Thanks
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can leave items 1 & 2. It was a question more than anything. And if not used, I would delete.

    First let's see if we can fix the blank startup page:

    Reset Web Settings by opening Internet Explorer. Then click Tools, Internet Options, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.yahoo.com).

    As far as the registry file (urlpref.reg), are you sure you have the lines exactly as written? All lines and all punctuation. I uploaded a file in the following thread:
    http://forums.majorgeeks.com/showthread.php?t=39841
    called urlpref.txt (it's an attachment) Go to that thread and click on it. It will download and bring up notepad. Save it on your PC and rename it to urlpref.reg after downloading.

    Note:
    While downloading to your desktop can make it easier to find, it clutters up your desktop and it is not a good place to save things if you want to keep them. It should run okay from there when you double click on it, I just don't like saving/downloading things there (call it a pet peeve)!
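
A hand-copied .reg file can be checked before it is double-clicked. The following is an added example, not part of the original thread: a strict pre-import check that confirms line 1 is one of the two documented Registry Editor headers, lists every key and value the file would touch, and reports lines that are neither. The sample text is constructed from the shape of the urlpref.reg content posted earlier, and the check assumes single-line values (no hex continuation lines).

```python
import re

HEADERS = {
    "REGEDIT4": "ANSI format (Windows 9x / NT 4.0 era Registry Editor)",
    "Windows Registry Editor Version 5.00": "Unicode format (Windows 2000 and later)",
}
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample, same shape as the urlpref.reg text posted earlier in the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"www"="http://"
'''


def preflight(text):
    """Parse .reg text; return (header_kind, {key: {name: data}}, problems).

    A key written as [-HKEY_...] (a deletion) maps to None instead of a dict.
    """
    lines = text.lstrip("\ufeff").splitlines()  # drop a byte-order mark if present
    problems, writes, current = [], {}, None
    header = lines[0] if lines else ""
    kind = HEADERS.get(header)
    if kind is None:
        problems.append(f"line 1 is not a known .reg header: {header!r}")
    for no, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        k, v = KEY_RE.match(line), VALUE_RE.match(line)
        if k and k.group(1):            # [-KEY] removes the whole key
            writes[k.group(2)], current = None, None
        elif k:
            current = k.group(2)
            writes.setdefault(current, {})
        elif v and current:
            writes[current][v.group(1).strip('"')] = v.group(2)
        else:
            problems.append(f"line {no} is neither a [key] nor a name=data pair: {line!r}")
    return kind, writes, problems
```

The returned header description shows which Registry Editor generation the file format targets, so it can be compared with the machine the file will be imported on.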
     
