Home Page keeps getting changed

Discussion in 'Computer Information' started by Admiralla, Jul 3, 2004.

  1. Admiralla

    Admiralla Guest

    I have a special homepage that I like to use for MIE (Microsoft Internet
    Explorer) and I'm using Win XP.

    For the past couple of weeks, when I start MIE, I've been getting my
    homepage changed to about:blank and then I get several popups telling me I
    have spyware in my computer. These ads are for anti-spyware... Some of them
    even show little bug cartoons that are pornographic!!

    So, I went out and purchased Webroot Spysweeper 2.6 and have it protecting
    my computer. It even keeps whatever it is, from changing my homepage back to
    about:blank, which is great, but I want to get rid of whatever it is that's
    doing it in the first place.

    Does anyone have any thoughts on this? It's becoming a REAL pain in the
    butt...

    Oh and just so you know, no I don't have a virus... I've done the latest
    updates and the only thing on my computer are these blasted adware files...
    which Spysweeper has so graciously gotten rid of... *S*

    Any thoughts would be great

    Addie
    Admiralla, Jul 3, 2004
    #1

  2. Admiralla

    Duane Arnold Guest

    The simple approach is to implement the Host and keep it updated.

    http://www.snapfiles.com/get/hoststoggle.html
    http://www.mvps.org/winhelp2002/hosts.htm

    Duane :)
    Duane Arnold, Jul 3, 2004
    #2

  3. Admiralla

    Thor Guest

    "Admiralla" <> wrote in message
    news:cc4ttd$t1h$...
    > I have a special homepage that I like to use for MIE (Microsoft Internet
    > Explorer) and I'm using Win XP.
    >
    > For the past couple of weeks, when I start MIE, I've been getting my
    > homepage changed to about:blank and then I get several popups telling me
    > I have spyware in my computer. These ads are for anti-spyware... Some of
    > them even show little bug cartoons that are pornographic!!


    Never download any spyware program advertised in a pop-up that tells you
    your system has spyware. They usually are spyware themselves, or use
    deceptive marketing to convince you to use their software.

    > So, I went out and purchased Webroot Spysweeper 2.6 and have it protecting
    > my computer. It even keeps whatever it is, from changing my homepage back
    > to about:blank, which is great, but I want to get rid of whatever it is
    > that's doing it in the first place.
    >
    > Does anyone have any thoughts on this? It's becoming a REAL pain in the
    > butt...



    Most likely a CoolWebSearch spyware variant. There is one that is well known
    to do exactly what you describe. I just removed one from a customer's
    machine recently. Get CWShredder and scan your system with it. Google search
    for it. It's free and easy to use.
    Thor, Jul 3, 2004
    #3
  4. Admiralla

    Ross Durie Guest

    There is no "automated" anti-spyware removal tool for this type of infection.
    There are 2 DLLs involved, the "BHO" DLL which you see in your log and the
    main culprit which is totally hidden. Removing the "BHO" DLL has no effect
    as it (main culprit) will simply generate a new BHO DLL.

    Ok, here goes ... this is my "How To:" (Hint: print out the below)

    [Tools and files needed]

    Download: "RepairAppInit.reg" (XP\2K only!)
    http://www.mvps.org/winhelp2002/RepairAppInit.reg
    Do not do anything with this file yet, it will be needed later.

    Download: CWShredder
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip
    Unzip, but do not run it yet, it will be needed later.

    Download: Ad-Aware
    http://www.lavasoft.de/software/adaware/
    Install, but do not run it yet, it will be needed later.

    Download: Find-All.zip
    http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
    Unzip, but do not run it yet, it will be needed later.

    Download: WINFILE.zip
    http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
    Unzip, but do not run it yet, it will be needed later.

    Download: Registrar Lite [freeware]
    http://www.resplendence.com/download
    Install, but do not run it yet, it will be needed later.

    [Step1]

    Double-click the included "Find-All.bat" file from Find-All.zip.
    Generates: "output.txt"
    Note: if infected you will see:

    Locked file(s) found...
    C:\WINDOWS\System32\<filename> +++ File read error
    Where "<filename>" is the hidden invisible installer.
    Note: "+++ File read error" is not an error, this just identifies the
    culprit.

    [Step2]

    Run "Registrar Lite" and navigate to:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    Double click on "AppInit_DLLs" entry (right pane)
    The size will likely be something other than "1" (if infected)
    IMPORTANT: Make a note of the filename and location (folder)

    [Step3]

    Rename the highlighted "Windows" key (left pane)
    To rename: Right-click and select: Rename
    (type) NoWindows


    Double-click "AppInit_DLLs" again (right pane)
    Clear (delete) the "Value" containing the .dll and click Ok.


    IMPORTANT: Rename the "NoWindows" key (left pane)
    To rename: Right-click and select: Rename
    (type) "Windows" (no quotes) and close RegLite.

    [Step 4]

    Using Windows Explorer go to your root drive: (typically) "C:\"
    Click File (up top) select: New > Folder
    (type) "Junk" (no quotes)

    Open Winfile

    Navigate to System32 folder.
    Click File (up top) select: Move

    Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
    Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

    Note: where "<filename>" = culprit dll from "output.txt"

    Click OK. Close Winfile
    Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.

    At this point see if you can rename the "<filename>.dll"
    Do this several times, changing the name and extension each time.
    Then see if you can "Move" to "A:\" (floppy)

    [Step 5]

    Locate: "RepairAppInit.reg" right-click and select: Merge
    Ok the prompt

    [Step 6]

    Open Regedit: Start | Run (type) "regedit" (no quotes)
    Use the Search function for the <filename>.dll
    Click: Edit (up top) select: Find
    (type) <filename>.dll, click: Find Next

    Note: where "<filename>" = culprit dll from "output.txt"

    Remove all instances found. Press "F3" to continue searching
    until you see the "Completed" message.

    Next repeat the above steps, substitute the "secondary dll"
    From: "text/html" as seen in the "output.txt"


    [Step 7]

    Run CWShredder and reboot.

    [Step 8]
    Run Ad-Aware

    Reconfigure Ad-Aware for Full Scan:
    Please update the reference file following the instructions here:
    http://www.lavahelp.com/howto/updref/index.html

    Launch the program, and click on the Gear at the top of the start screen.

    Click the "Scanning" button.
    Under Drives & Folders, select "Scan within Archives".
    Click "Click here to select Drives + folders" and select your installed hard
    drives.

    Under Memory & Registry, select all options.
    Click the "Advanced" button.
    Under "Log-file detail", select all options.
    Click the "Tweaks" button.

    Under "Scanning Engine", select the following:
    "Include additional Ad-aware settings in logfile" and
    "Unload recognized processes during scanning."
    Under "Cleaning Engine", select the following:
    "Let Windows remove files in use after reboot."
    Click on 'Proceed' to save these Preferences.
    Please make sure that you activate IN-DEPTH scanning before you proceed.

    After the above post a fresh log ...
    --

    Disclaimer: Renaming the "Windows" key modified some security settings.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    Right-click the "Windows" key, select: Permissions

    [Example]
    Before renaming the "Windows" key:

    "Path"
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    "Read":
    *"Administrators
    *Power Users
    *Users"
    "Write"
    *"Administrators"

    --
    [Example]

    After Renaming the key:

    "Path"
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    "Read":
    ***"Everyone"***
    "Write"
    *"Administrators"
    --

    You need to check that and if 'Everyone' was added (as seen above)
    You need to reset your original settings as follows:
    Note: do this after removing the infection.

    Right-click "Windows", select: Permissions
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    Click Advanced [button]
    If the "inherit permissions" box is checked = Uncheck it.
    Then select "COPY" on the prompt.

    Select "Everyone Group" (if listed) and remove. (only the group)
    You can individually view/edit each group settings.
    Be sure "Administrators" and "System" have full control on all.
    Note: Creator owner full control on Sub keys only.
    "Power users" and "users" = "read control".


    --
    Ross
    Ross Durie, Jul 3, 2004
    #4
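
The two checks the how-to above does by hand (the AppInit_DLLs value in Step 2 and the permissions on the "Windows" key), as an added PowerShell example that is not part of Ross Durie's post. It only reads the registry and changes nothing; the function names, the write-rights mask and the TrustedInstaller allowance are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only: run from an elevated prompt.
$WindowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDllEntry {
    param([string]$Path = $WindowsKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    # The value is a space- or comma-separated list; empty means no DLL is loaded.
    $entries = ([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ }
    foreach ($entry in $entries) {
        $file = $entry.Trim('"')
        if (-not [IO.Path]::IsPathRooted($file)) {
            # Assumption: a bare file name refers to a DLL in System32.
            $file = Join-Path $env:SystemRoot "System32\$file"
        }
        # The thread describes the loader DLL as hidden, so an entry that is
        # listed here but cannot be seen on disk is worth a closer look.
        $visible = Test-Path -LiteralPath $file
        [pscustomobject]@{
            Entry         = $entry
            Path          = $file
            VisibleOnDisk = $visible
            Signature     = if ($visible) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
        }
    }
}

function Get-WindowsKeyAclFinding {
    param([string]$Path = $WindowsKey)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Administrators, SYSTEM and CREATOR OWNER are the writers the post expects.
    # TrustedInstaller is an assumption for Vista and later, not from the thread.
    $mayWrite = 'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0',
                'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # Specific write rights plus GENERIC_ALL and GENERIC_WRITE (0x50000000).
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        $canWrite = [bool]([int]$ace.RegistryRights -band $writeMask)
        $reason = if ($sid -eq 'S-1-1-0') {
            'Everyone is on the ACL'          # the change the post's disclaimer warns about
        } elseif ($canWrite -and $mayWrite -notcontains $sid) {
            'unexpected write access'
        }
        if ($reason) {
            [pscustomobject]@{
                Sid       = $sid
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                Reason    = $reason
            }
        }
    }
}

Get-AppInitDllEntry      | Format-Table -AutoSize   # no rows: AppInit_DLLs is empty
Get-WindowsKeyAclFinding | Format-Table -AutoSize   # no rows: ACL matches what the post expects
```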
  5. Admiralla

    Admiralla Guest

    Thanks Ross, I'll try this... it's so bloody annoying that I'm willing to
    try anything...

    Can I email you if I have any problems?

    Addie
    My email is (HeatherL at roadrunner dot nf dot net)
    Admiralla, Jul 3, 2004
    #5
  6. Admiralla

    ProfGene Guest

    You might install a firewall to try to prevent webpages from accessing your
    computer.
    ProfGene, Jul 6, 2004
    #6