Old 09-22-2004, 04:30 PM   #1
Member (7 bit)
 
Join Date: Aug 2002
Location: San Angelo, TX
Posts: 85
My home page keeps changing

I set explorer to go to myexcel.com as my home page when I connect or load explorer browser, it doesn't really matter what I set it to and after a few days when I connect, I notice the home page is switched to http://www.findthewebsiteyouneed.com/. I even have the site blocked in the explorer settings. What the heck is going on here? I have win xp explorer 6 and all the recent updates installed.
__________________
Thanks,
Robert Hamblen
www.ihamblen.com
Old 09-22-2004, 09:17 PM   #2
Member (9 bit)
 
Join Date: Jul 2002
Location: Kentucky
Posts: 288
Have you downloaded and run spybot search and destroy or adaware? They are 2 free programs that will stop some things like this, also try spywareblaster. I will look up the ip addresses for all 3 or you can do a google search for them. After downloading them be sure and update them.
__________________
Win XP Home,Pent.4 (1.5 GHZ)40Gig WD Hardrive,512meg DDR ,Nvidia Geforce2 mx/mx400,SoundBlaster Live 5.1,Asus P4B266mobo.Memorex 12x 24x 52x cdrw.
Old 09-22-2004, 09:28 PM   #3
Member (7 bit)
 
Join Date: Aug 2002
Location: San Angelo, TX
Posts: 85
Yes Eldon, I have a free spy ware in my browser and so far I haven't had anything show up but then again it might not be good enough to pick it up. It's free with yahoo toolbar. I also scanned for viruses.
Old 09-22-2004, 09:32 PM   #4
Member (7 bit)
 
Join Date: Aug 2002
Location: San Angelo, TX
Posts: 85
Hey eldon, I just scanned for tracking cookies and a bunch came up. I just deleted them all but I bet they only take a day or two to be there again.
Old 09-22-2004, 11:55 PM   #5
Member (9 bit)
 
Join Date: Apr 2002
Location: Somewhere, out there…
Posts: 402
It would still be best to download spybot S&D, it may catch something that Yahoo missed. I would also run a virus scan.

Delta013
Old 09-23-2004, 04:10 PM   #6
Member (8 bit)
 
Join Date: May 2001
Location: Hamilton, ontario
Posts: 147
I trust spybot and AdAware far more than Yahoo. They're both free and I'm sure that if you ran them they would pick up far more entries. There is also a free program for protecting your homepage here:

http://www.snapfiles.com/get/startpageguard.html
Old 09-25-2004, 01:53 PM   #7
SGS
Member (8 bit)
 
Join Date: Jul 2004
Posts: 160
robhamblen,

The usual drill for this kind of thing is to download, update and run:

Ad-Aware and Spybot Search & Destroy.

Then run an online virus scan at Trend Micro.

When you're done, download and run HijackThis. Click the scan button. Click the "Save Log" button and copy and paste the log here.
Old 01-09-2005, 09:27 PM   #8
Member (1 bit)
 
Join Date: Jan 2005
Posts: 1
Hello all, I have the same problem, have run both ad-aware and spybot search and destroy but my home page keeps changing all the time. Have also run a virus check and all is good.

I ran HijackThis and here is the log

Logfile of HijackThis v1.99.0
Scan saved at 2:25:04 PM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\ebeuute.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [agskhrh] c:\windows\kvilrjq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Easy-PrintToolBox.lnk = C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...er/alpine.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096509837673
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe


any help would be greatly appreciated
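A minimal triage of the log format posted above, as an added example that is not part of the original thread or of HijackThis itself: it parses the R0/R1 Internet Explorer setting lines and the O4 Run autostart lines and lists the ones a reviewer would check first. The allowlisted hosts and the "executable directly in the Windows folder" heuristic are assumptions; a listed entry is a lead to verify, not a verdict.

```python
import re
from urllib.parse import urlparse

# A subset of lines copied from the HijackThis log in post #8.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [agskhrh] c:\windows\kvilrjq.exe
'''

# Assumption: hosts the machine's owner expects in IE's start/search settings.
EXPECTED_HOSTS = {"www.msn.com", "www.microsoft.com"}

# R0-R3 lines: "<code> - <registry key>,<value name> = <url>"
R_ENTRY = re.compile(r"^(R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)")
# O4 registry autoruns: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Heuristic (assumption): an .exe sitting directly in C:\WINDOWS, not in a subfolder.
IN_WINDOWS_ROOT = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe', re.IGNORECASE)


def triage(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return (kind, name, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_ENTRY.match(line)
        if m:
            host = (urlparse(m["url"]).hostname or "").lower()
            if host not in expected_hosts:
                findings.append(("browser-setting", m["value"].strip(), host))
            continue
        m = O4_RUN.match(line)
        if m and IN_WINDOWS_ROOT.match(m["cmd"]):
            findings.append(("autorun", m["name"], m["cmd"].strip('"')))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {name:12} {detail}")
```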
Old 01-09-2005, 10:25 PM   #9
Member (9 bit)
 
Join Date: Dec 2004
Posts: 323
Quote:
Originally Posted by SGS
robhamblen,

The usual drill for this kind of thing is to download, update and run:

Ad-Aware and Spybot Search & Destroy.

Then run an online virus scan at Trend Micro.

When you're done, download and run HijackThis. Click the scan button. Click the "Save Log" button and copy and paste the log here.

Your browser has been hijacked. Do the above steps. Adaware and Spybot don't always remove items completely. I've had to manually remove items in the past.

I recommend purchasing webroot spysweeper, it's well worth the $25. I did a good cleaning with the above steps and installed spysweeper, and use the pop up blocker included with SP2. Have not had any problems in several months.
Old 01-09-2005, 10:55 PM   #10
glc
Forum Administrator
Staff
Premium Member
 
Join Date: May 2000
Location: Joplin MO
Posts: 37,773
JohnA: You have hijacked robhamblen's thread. Please start your own. Thank you.

Do not post a HijackThis log until you have thoroughly read the sticky thread in the Security forum. Thank you.

- Moderator -

Last edited by glc; 01-09-2005 at 10:58 PM.
Old 01-10-2005, 12:39 AM   #11
Member (9 bit)
 
Join Date: Aug 2004
Location: Ma.
Posts: 319
Hmmmm, you might also try using spywareblaster, I have used it for about a year now and it seems to work very well. Get very very little spyware on my computer. Latest version is 3.2 and you can get it here:

www.javacoolsoftware.com

It was free when I got it and as far as I know still is.

Hope this helps...........regards..................Sterling
Old 01-10-2005, 08:33 AM   #12
glc
Forum Administrator
Staff
Premium Member
 
Join Date: May 2000
Location: Joplin MO
Posts: 37,773
Spyware Blaster is not a remover - it's a preventative.
Old 01-10-2005, 09:58 AM   #13
Member (9 bit)
 
Join Date: Aug 2004
Location: Ma.
Posts: 319
That's right..........sooo maybe ifn ya have that ya won't get the problems in the first place.

Regards...........................Sterling