
hijacked my home page

Discussion in 'Internet Explorer & Microsoft Edge' started by johngkerr, 2003/09/07.

Thread Status:
Not open for further replies.
  1. 2003/09/07
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    :( Well, some hijacker has done it to me. My homepage gets changed every time I boot up or reboot to about:blank; that is what is entered in Internet Explorer options for a home page. And all my search redirects are changed; I change them back and when I reboot they are changed. Can't find anything in my startup ????? Help
     
  2. 2003/09/07
    Genestoy

    Genestoy Inactive

    Joined:
    2002/05/14
    Messages:
    138
    Likes Received:
    0


  4. 2003/09/08
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    I have this program already. I remove the spyware and when I reboot it's back ??????
     
  5. 2003/09/08
    Sembee

    Sembee Inactive

    Joined:
    2003/09/07
    Messages:
    22
    Likes Received:
    0
    It is probably something in the registry.

    Check the following locations for anything that looks suspicious. However if you aren't sure, post back with what you have.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    As an alternative, get hold of Spybot Search and Destroy from http://security.kolla.de/
    Update it, then run it over your machine and see what it finds. If there is something hijacking your machine, it will find it and remove it.

    Simon.
     
  6. 2003/09/08
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    I have Spybot and Ad-Aware; they don't help. I found boot.exe in my startup files and removed it, no help. All the things the spyware find and fix get put back when I reboot. Help
     
  7. 2003/09/08
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello johngkerr,

    Try running Ad-Aware - SpyBot in safe mode: F8 on bootup. Whatever malware is running is memory resident.

    Also do an AV scan in safe mode - this may be a trojan.

    Regards - Charles
     
  8. 2003/09/08
    Barbara-Ann

    Barbara-Ann Inactive

    Joined:
    2002/01/07
    Messages:
    124
    Likes Received:
    3
    WinXP? System Restore?
     
  9. 2003/09/09
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    JOHNGKERR Hi
    Have you done a full system scan with an updated anti-virus program, and an ONLINE AV scan yet?
    http://housecall.trendmicro.com/
    It takes a while if you have dial-up.

    Get and use a trial trojan scanner.
    Update it once installed.
    http://www.misec.net/trojanhunter/
    This one can be updated manually for 30 days.
    ==========================
    Go get a new HijackThis and CoolWeb Shredder.
    They update them almost every day sometimes.

    It can't hurt to use CoolWeb Shredder even if not infected with it.
    I know HijackThis has an update from within itself but it won't get the latest build.
    Uninstall any and all file sharing programs, please,
    and anything else that you might suspect and anything unnecessary, if you don't use them anymore.


    Again, clean up with Ad-Aware and Spybot (exclude nothing).
    Let them restart the PC if they need to. Also a great idea to run the scans when in safe mode.
    Reboot PC, restart.

    Run CoolWeb Shredder, run HijackThis (exclude nothing) and save its log.

    Go to SpywareInfo and post that log. They might also ask for its
    startup list; no need to post it unless asked for.

    Get the latest HijackThis & CoolWeb Shredder here
    http://www.spywareinfo.com/~merijn/

    http://forums.spywareinfo.com/
    http://www.spywareinfo.com/articles/hijacked/
    Good luck and let us know what happens
     
    Last edited: 2003/09/09
  10. 2003/09/09
    Tribulatio

    Tribulatio Inactive

    Joined:
    2003/09/09
    Messages:
    16
    Likes Received:
    0
    And what about TDS3, a leading anti-Trojan including some additional utilities? I tested it recently and was impressed - so much that I decided to buy it (less than 50$, but you can test it for free). Admittedly, somewhat complicated at first sight, but finally easier to use than one would think at first sight, at least for general use. URL: http://tds.diamondcs.com.au/
    Good luck!
    Tribulatio
     
  11. 2003/09/10
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    I found the program that is changing my home page and undoing what CoolWeb Shredder and the regsearch fix Lonny posted had fixed. The problem didn't happen in safe mode, so I removed all the programs in startup with msconfig. Then I added them back one at a time. The program had run=C:\Program Files\Common Files\Microsoft Shared\MSINFO\msino.exe. What does this program do ???
    Is this a Trojan ????? What should I do with this file? Thank you all for your help, you all are great. Don't think my computer would be running very well without this BBS:) :D
     
  12. 2003/09/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    johngkerr Hi

    "msino.exe" Spelling is important

    On my PC (Win ME) there is a msinfo32 in the same area; this is the system information utility, and part of the help system.

    Hard to tell - are you saying msinfo was starting with Windows?

    If it was CoolWeb Search that goofed things up, and it probably was,
    but I am uncertain of that since you don't really say much.
    It keeps morphing, hiding, changing. Their latest trick was to block users' access to http://forums.spywareinfo.com/
    and Lavasoft, Ad-Aware's site,
    by creating a hosts file if one wasn't there, or adding a block.

    Best to post the log for the pros to gander at. Have you?
    Why you try by yourself to fix this, I can't figure :) This thing is hard enough for even them to get rid of.

    regards
    Lonny
     
  13. 2003/09/11
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    Yes, it was in startup under win.ini windows run. CoolWeb Search did fix it and I don't think it caused it to be there. I will post the log. I did a search on Google and found a BBS that had it listed as a trojan? I will get back to you all.
     
  14. 2003/09/11
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    I just looked at my computer at work that has Windows 98 and it didn't have msinfo.exe in that folder but it did have msinfo32 in that folder. From what I can tell this is not a Windows file.
     
  15. 2003/09/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  16. 2003/09/12
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    I updated Spybot and it found a lot more spyware. I also deleted the file msinfo.exe and removed the statement in my win.ini file. My computer is working OK for now. I will update the HijackThis program and post a log. Do you want me to post the log on this BBS or on the spyware BBS? Thanks, you all :) :D
     
  17. 2003/09/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  18. 2003/09/13
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    This is the HijackThis log file after using updated Spybot and CWShredder.

    Logfile of HijackThis v1.97.2
    Scan saved at 12:32:04 PM, on 09/13/2003
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\EZ-S.M.A.R.T\EZSMART.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\PROGRAM FILES\CALLWAVE\IAM.EXE
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WALLSMART.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/cgi-bin/mywn
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - D:\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - Startup: EZSMART App.lnk = C:\Program Files\EZ-S.M.A.R.T\EZSMART.exe
    O4 - Startup: Resource Meter.lnk = C:\WINDOWS\RSRCMTR.EXE
    O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O4 - Startup: WallSmart.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MS&N Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    This is a log from one of the times I was having trouble

    Logfile of HijackThis v1.95.0
    Scan saved at 9:22:17 PM, on 08/26/2003
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
    C:\PROGRAM FILES\EZ-S.M.A.R.T\EZSMART.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\PROGRAM FILES\CALLWAVE\IAM.EXE
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WALLSMART.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\SYSTEM TOOLS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.att.net/cgi-bin/mywn
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=;<local>
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
    F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - D:\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - Startup: EZSMART App.lnk = C:\Program Files\EZ-S.M.A.R.T\EZSMART.exe
    O4 - Startup: Resource Meter.lnk = C:\WINDOWS\RSRCMTR.EXE
    O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O4 - Startup: WallSmart.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MS&N Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab

    Sorry about misspelled file name:eek:

    My computer is working well, thanks. Does anyone know who did this and where someone could find those ass!!!!

    Would you like Spybot's fix log?????

    :) :D
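
The two logs in the post above can be compared entry by entry to see what the cleanup removed. This is an added example, not code from the thread or from HijackThis: `BEFORE` and `AFTER` are excerpts copied from the 08/26 and 09/13 logs, and `parse` and `diff` are hypothetical helper names.

```python
import re

# Excerpts from the two logs posted above (08/26 while hijacked, 09/13 after cleanup).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.att.net/cgi-bin/mywn
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/cgi-bin/mywn
F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Entry lines start with a section code such as R0, F1, O4 or O16.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

def parse(log):
    """Return {(section, normalized_body): original_body} for each entry line."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        # The v1.95 log writes "Start Page=..." and the v1.97.2 log
        # "Start Page = ..."; fold both so the same entry compares equal.
        norm = re.sub(r"\s*=\s*", "=", body, count=1).lower()
        entries[(section, norm)] = body
    return entries

def diff(before, after):
    """Return (removed, added) entry lines between two logs."""
    b, a = parse(before), parse(after)
    removed = sorted(k[0] + " - " + b[k] for k in b.keys() - a.keys())
    added = sorted(k[0] + " - " + a[k] for k in a.keys() - b.keys())
    return removed, added

if __name__ == "__main__":
    removed, added = diff(BEFORE, AFTER)
    for entry in removed:
        print("- " + entry)
    for entry in added:
        print("+ " + entry)
```

Entries that appear in both logs, such as the `F1 - win.ini: run=` line, are not reported; they still need to be judged on their own.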
     
  19. 2003/09/13
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Good Job
    Looks clean to me

    What is this WALLSMART.EXE? Is it perhaps part of
    C:\PROGRAM FILES\EZ-S.M.A.R.T\EZSMART.EXE ?

    Did you find the hijack log tutorial ?
    http://www.spywareinfo.com/~merijn/htlogtutorial.html#f

    You have SpyBot, why haven't you set it to immunize? If you had we would see this and use its Hosts file to
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    Lonny
     
  20. 2003/09/13
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    WALLSMART.EXE is a program used to change backgrounds at startup and whenever you tell it to, and EZSMART.EXE is a program installed by CompUSA where I got my computer. I will immunize ASAP, thanks :D
     
  21. 2003/09/14
    dmz1967

    dmz1967 Inactive

    Joined:
    2002/04/13
    Messages:
    82
    Likes Received:
    0