Press F1 | Thread 45175: outhost.info | started by allcamp (1882) | 2004-05-12 09:35:00
Post 236012 | 2004-05-12 09:35:00 | allcamp (1882)

My IE home page has been hijacked by the "search page" Free Search Online. The URL for this site consists of a random six letters followed by outhost.info. I have tried to correct it in Tools > Internet Options but it immediately reverts back to the hijacker.

I ran my virus checker (AVG) over my PC but it came up with nothing. I suspect that this virus checker may have been corrupted in some way, as although I maintain regular updates a message has come up indicating that the database is out of date. (The virus database release date button shows 11.05.04 but is in red.) I then ran Trend Housecall and it came up with 4 files that were said to contain viruses, including the java-bytever.a and startpage trojan. I deleted these files but am still having problems. I have since uninstalled AVG and then downloaded and installed the latest version as well as the latest updates; I still get the same message. I have also re-run Housecall and it resulted in a clean system.

Some websites that I try to open also revert to the Free Search Online page. An example is bravenet.com. I am using IE 6.0 with Win98. Any ideas?

Many thanks,
Allan
Post 236013 | 2004-05-12 10:09:00 | _mike_ (4814)

Hi Allan,

I have found Spybot Search & Destroy to be very effective in getting rid of spyware/malware like that. http://www.safer-networking.org/

PS. Check out the PressF1 FAQ, esp. 8b.

mike
Post 236014 | 2004-05-13 10:08:00 | allcamp (1882)

Many thanks Mike, your information worked. I completely missed the FAQs at the top of the page, merely trying some obviously ineffective searching. In the end I ran Ad-Aware, Spybot and SpywareBlaster and followed the instructions outlined. End result: I have sorted out the home page issue.

However, some sites that I try to access result in the outhost.info problem page appearing. These were pages that I had tried to access while I had the problem. I have deleted all of the files and cookies from the Temporary Internet Files but it still opens with the search page. Is there somewhere else I can go to stop these pages defaulting to the page I don't want? (I have previously accessed them often in the past, e.g. www.bravenet.com.)

Cheers,
Allan
Post 236015 | 2004-05-13 11:00:00 | Susan B (19)

Give HijackThis (www.majorgeeks.com/download.php?det=3155) a run. After it has scanned your PC, save the logfile and post the results here for help with analysis. Do not fix anything without advice, as your computer may stop working.
Post 236016 | 2004-05-13 17:58:00 | allcamp (1882)

Thanks Susan. I appreciate your help with this. Log as follows.

Regards,
Allan

Logfile of HijackThis v1.97.7
Scan saved at 17:55:04, on 9/09/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
C:\PROGRAM FILES\MOUSE\AMOUMAIN.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [O2MemChk] O2memchk.exe 04000000
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NotebookManager] C:\Program Files\Notebook Manager\nbm.exe -1
O4 - HKLM\..\Run: [SleepManager] C:\Program Files\Sleep Manager\SleepMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD0.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.1656365741
O19 - User stylesheet: C:\WINDOWS\system\kzkgke.p3h
Post 236017 | 2004-05-13 23:07:00 | tweak'e (174)

Remove:
> O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
> O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

Not too sure about these:
> O19 - User stylesheet: C:\WINDOWS\system\kzkgke.p3h
> C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
> O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

I would give CWShredder a run as well.
Post 236018 | 2004-05-13 23:31:00 | Pheonix (280)

My suggestions:
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

And also, I am a little suspicious of this one too:
O19 - User stylesheet: C:\WINDOWS\system\kzkgke.p3h
Post 236019 | 2004-05-13 23:58:00 | Susan B (19)

Adding to what tweak'e and Pheonix have suggested, my suggestions are:

Definitely tick for removal:
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O19 - User stylesheet: C:\WINDOWS\system\kzkgke.p3h

Not essential, so tick these too:
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE -- resource hog; disable it through MS Office
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe -- not essential unless you are a graphics professional or need your monitor calibrated
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

See this page: www.doxdesk.com for more information.

Note: I don't think that O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll should be removed, as I think it is related to Acrobat.
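The three replies above apply the same small set of rules by eye: an O2/O3 entry ending in "(no file)" is an orphaned CLSID and can go; an O19 user stylesheet is suspect because IE sets none by default; an O4 Run entry whose executable is not recognised needs checking; a start/search page should point at a host you trust. The script below is an added example that encodes those rules over a subset of the log posted in this thread. It is not code from the thread, from HijackThis or from any of the posters, and the allow-lists (KNOWN_GOOD_EXE, TRUSTED_HOST_SUFFIXES) are illustrative assumptions an analyst would build from a known-good baseline of the machine, not an authoritative list.

```python
"""Triage a HijackThis-style log with the heuristics the thread replies use by hand.

Added example, not HijackThis' own code. Allow-lists are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the log posted in the thread above (paths unchanged).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.1656365741
O19 - User stylesheet: C:\WINDOWS\system\kzkgke.p3h
"""

# ASSUMED allow-lists: an analyst maintains these from a known-good baseline.
KNOWN_GOOD_EXE = {"scanregw.exe", "taskmon.exe", "systray.exe", "irmon.exe", "rundll32.exe",
                  "mstask.exe", "vsmon.exe", "zonealarm.exe", "avgcc32.exe", "avgserv9.exe"}
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "passport.net", "macromedia.com")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)\b', re.IGNORECASE)


def parse(log):
    """Yield (section, body) for each R/O entry; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def host_trusted(url):
    """True when the URL's host is one of the trusted suffixes or a subdomain of one."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def classify(sec, body):
    """Return ('remove' | 'review' | 'ok', reason) for one log entry."""
    if sec in ("O2", "O3") and body.endswith("(no file)"):
        return "remove", "orphaned CLSID: the registered file is gone, nothing loads"
    if sec in ("R0", "R1"):
        url = body.split("=", 1)[1]
        return ("ok", "") if host_trusted(url) else ("review", "start/search URL on an untrusted host")
    if sec == "O2":
        parts = body.split(" - ")                 # "BHO: name", "{CLSID}", path
        name, path = parts[0][len("BHO: "):], parts[-1].lower()
        if name == "(no name)" and "\\windows\\system" in path:
            return "review", "unnamed BHO loaded from the system directory: verify the file"
        return "ok", ""
    if sec == "O4":
        cmd = body.split("] ", 1)[-1]             # drop the "HKLM\..\Run: [name] " prefix
        m = EXE_RE.search(cmd)
        exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
        if exe in KNOWN_GOOD_EXE:
            return "ok", ""
        return "review", f"autostart executable not on the allow-list: {exe or cmd}"
    if sec == "O16":
        return ("ok", "") if host_trusted(body.rsplit(" - ", 1)[-1]) else ("review", "ActiveX from untrusted host")
    if sec == "O19":
        return "review", "IE sets no user stylesheet by default; one in the system directory is a hijacker pattern"
    return "ok", ""


def triage(log):
    """Group every entry of the log under 'remove', 'review' or 'ok' with its reason."""
    buckets = {"remove": [], "review": [], "ok": []}
    for sec, body in parse(log):
        verdict, reason = classify(sec, body)
        buckets[verdict].append((f"{sec} - {body}", reason))
    return buckets


def report(log):
    """Human-readable summary, remove and review buckets first."""
    out = []
    for verdict in ("remove", "review", "ok"):
        for line, reason in triage(log)[verdict]:
            out.append(f"[{verdict:6}] {line}" + (f"  <- {reason}" if reason else ""))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is and the two "(no file)" entries land in the remove bucket, while the O19 stylesheet, the unnamed BHO in C:\WINDOWS\SYSTEM and the unrecognised wupdater.exe autostart land in review, which is exactly the split the three replies reached; the Acrobat BHO, the passport.net start page and the Windows Update DPF pass as ok. The value of the script over eyeballing is the allow-list: every O4 entry not explicitly baselined is surfaced, so nothing slips past because its name looks innocuous.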
Post 236020 | 2004-05-14 00:45:00 | whiskeytangofoxtrot (438)

> I would give CWShredder a run as well.

Have been wanting to recommend this tool since I saw this thread; however, login difficulties have prevented that.

CWShredder download (ftp.actrix.co.nz)
Post 236021 | 2004-05-14 09:01:00 | allcamp (1882)

Thank you everyone, especially Susan B., for your help. I have followed all of your advice and this has now fixed my problems. This is an excellent forum and one that I and others should visit and read frequently to ensure that our computers run smoothly.

Once again, many thanks.
Allan