View Full Version : Start page (W98)
Solarwind
12-10-2002, 05:21 AM
Please give me some advice on how to deal with a url that continues to change my home page setting. I have never been to the url in question. I have changed the home page setting to the site I always use several times only to have it changed back to this other site. I have searched my registry for any entry for this site. The only place I find an indication is at "Start up page". I change the setting there in the registry, and it works but then when I go to another url the bad dog site comes back. I have found no way to check source for the site and now I am absolutely pissed.
Does anyone have any suggestions?
Mihi crede, hoc mihi magis quam tibi nocet.
Andy-S
12-10-2002, 05:24 AM
What site is giving you the problems?
Cheers
Andy
Have a look at this (http://www.spywareinfo.com/articles/hijacked/) site
It will tell you how to remove hijackings and also how to protect IE in the future
Dan
Solarwind
12-10-2002, 05:41 AM
www.egoog.com
thanks
Mihi crede, hoc mihi magis quam tibi nocet.
Solarwind
12-10-2002, 08:50 AM
Thanks for the response. I have used two different programs that were indicated at the site you mentioned, with no luck. It is driving me nuts. Not a far drive might I mention.
Any other suggestions?
Mihi crede, hoc mihi magis quam tibi nocet.
TonyKlein
12-10-2002, 08:58 AM
Go to http://www.spywareinfo.com/downloads.html , and download 'Hijack This!' (in the "Detection and Removal" section).
Unzip, doubleclick HijackThis.exe, and hit "Scan".
Usually, most of what you'll see there is legit, but if your browser has been hijacked, there will be telltale signs.
When the scan is finished, click "Save Log", and please show us its contents.
Next, press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"
This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.
Go to Edit > select all, copy it and post its contents here as well.
mysterywolf
12-10-2002, 09:39 AM
check for multiple copies of iexplore and see if they all do the same.
create a shortcut to the ie icon and use that to add the following switch to the target -nohome (including the hyphen).
within ie tools,options,programs you can reset web settings which includes home page but it's possible that an install has customized ie for you and so reset will simply use that same install config but worth a shot maybe.
equally add/remove progs and choosing repair ie might suffer the same fate but is worth trying.
if all else fails try reinstalling ie by running setup from cd....even a free mag cd which could again customise your browser might at least overwrite this one and then allow you to change home page etc.
you might also like to check out the contents of homepage.inf (system32 i think- but search for others) , and also this reg key..HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FirstHomePage
and why not search the registry for egoog or whatever it is to see if it's being called from somewhere obvious!
good luck.
Andy-S
12-10-2002, 09:54 AM
Follow the instructions posted by Tony and that should provide the required information to help determine how to resolve your problem.
Cheers
Andy
I agree with Andy. Tony knows how to fix home page hijackings as shown many times here at WinGuides as well as at other forums.
Nana
mysterywolf
12-10-2002, 10:29 AM
whatever you do i hope it gets sorted.
Solarwind
12-10-2002, 10:42 AM
Here is the list. Thanks for the support here, no more coffee for me today, I am bugging out!
Now topclicks.com opens twice every time I open ie.
HELP PLEASE
StartupList report, 12/10/02, 1:39:58 PM
StartupList version: 1.40.3
Started from : C:\KILLERAD\HIJACK THIS\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\REGSVC32.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PVSW\BIN\W3DBSMGR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\KILLERAD\HIJACK THIS\HIJACKTHIS.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
W3dbsmgr.exe.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadQM = loadqm.exe
(Default) =
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
MSRegSvc = C:\WINDOWS\SYSTEM\REGSVC32.exe
regsvc32 = C:\WINDOWS\SYSTEM\REGSVC32.exe
SpyBotSnD = "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE" /autoclose
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
McAfeeVirusScanService = C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 5/12/2002, 8:3:0)
[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
Rem TShoot: REM Added by Pervasive.SQL 2000 install:
Rem TShoot: SET CLASSPATH=C:\PVSW\BIN\PVJDBC2.JAR
Rem TShoot: REM Added by Pervasive.SQL 2000 install:
Rem TShoot: SET CLASSPATH=C:\PVSW\BIN\PVJDBC2X.JAR;%CLASSPATH%
REM Added by Pervasive.SQL 2000 install:
SET CLASSPATH=C:\PVSW\BIN\PVJDBC2.JAR;%CLASSPATH%
REM Added by Pervasive.SQL 2000 install:
SET CLASSPATH=C:\PVSW\BIN\PVJDBC2X.JAR;%CLASSPATH%
Rem TShoot: c:\pvsw\bin\wsdbsmgr.exe-btrv
c:\pvsw\bin\W3dbsmgr.exe -btrv
Rem TShoot: REM Added by Pervasive.SQL 2000 install:
Rem TShoot: @REM SET VSL=C:\PVSW\BIN
Rem TShoot: SET Path=C:\PVSW\BIN;%Path%
Rem TShoot: SET PERVASIVE_PATH=C:\PVSW\BIN
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Task Scheduler jobs:
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe
[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab
[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PWACTIVEXIMGCTL.DLL
CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab
[Live Collaboration]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RNTX.DLL
CODEBASE = http://livesc03.rightnowtech.com/sonystyle/sonystyle/rnt/rnl/java/RntX.cab
[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab
--------------------------------------------------
End of report, 7,646 bytes
Report generated in 0.174 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Mihi crede, hoc mihi magis quam tibi nocet.
TonyKlein
12-10-2002, 10:46 AM
This is your baddie:
MSRegSvc = C:\WINDOWS\SYSTEM\REGSVC32.exe
regsvc32 = C:\WINDOWS\SYSTEM\REGSVC32.exe
Go to Start > Run > Msconfig, and uncheck both of these on the Startup tab.
Click OK, close Msconfig, reboot, delete C:\WINDOWS\SYSTEM\REGSVC32.exe
That's it!
Cheers, Tony
Solarwind
12-10-2002, 10:48 AM
Hopefully I will be thanking you momentarily. Thanks just the same!
Mihi crede, hoc mihi magis quam tibi nocet.
TonyKlein
12-10-2002, 10:54 AM
I'm confident you will. I've seen this one a number of times before.
After doing what I advised you to do, in Internet Options, delete your Temporary Internet Files, and on the Programs tab, hit "Reset Web Settings".
Cheers, Tony
TonyKlein
12-10-2002, 09:59 PM
I understand that you're still having problems after removing that file.
I've seen it a number of times before, and this file is a homepage hijacker for sure.
There may be more, though.
Keep an eye on this thread at spywareinfo.com, to see whether it will help:
http://www.spywareinfo.com/yabbse/index.php?board=11;action=display;threadid=2328
TonyKlein
12-10-2002, 10:05 PM
Also do this, please:
Go to http://www.spywareinfo.com/downloads.html , and download 'Hijack This!' (in the "Detection and Removal" section).
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and please show us its contents.
Solarwind
12-11-2002, 04:51 AM
Here is the log file. Thanks for the tenacity.
Logfile of HijackThis v1.81.1
Scan saved at 7:50:47 AM, on 12/11/02
Platform: Windows 9x 4.10.1998
MSIE version: 6.0.2600.0000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.free-popup-killer.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.free-popup-killer.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.yahoo.com/?.rand=1039613979070
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.free-popup-killer.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.free-popup-killer.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.free-popup-killer.com/ie/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: []
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger
O9 - Extra 'Tools' menuitem: Messenger
O9 - Extra button: Messenger
O9 - Extra 'Tools' menuitem: Yahoo! Messenger
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: Yahoo! Chat (YInstStarter Class) - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/sonystyle/sonystyle/rnt/rnl/java/RntX.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
Mihi crede, hoc mihi magis quam tibi nocet.
TonyKlein
12-11-2002, 05:08 AM
No prob, it's a pleasure.
And I can tell you we will solve this one in the end. Just keep an eye on that Spywareinfo thread I posted.
Meanwhile, close down Internet Explorer, and check, and have Hijack This fix ALL of the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.free-popup-killer.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.free-popup-killer.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.yahoo.com/?.rand=1039613979070
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.free-popup-killer.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.free-popup-killer.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.free-popup-killer.com/ie/
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: []
When you're done, launch IE, go to your favorite Start Page, go to Tools > Internet Options, and in the Home Page section choose "Use Current", and then click OK.
Tell us how you make out.
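A triage pass over a HijackThis-format log like the one posted above, as an added example that is not part of the original thread and is not HijackThis's own logic. It flags Internet Explorer URL settings whose host is not on the analyst's expected list, unnamed autorun values, and one executable registered under several value names in the same Run key; the function name, the expected-host list and the sample (constructed from values in this thread's logs) are assumptions, and a hit means "review this entry", not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format, built from values in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.free-popup-killer.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.yahoo.com/?.rand=1039613979070
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: []
O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\SYSTEM\REGSVC32.exe
O4 - HKLM\..\Run: [regsvc32] C:\WINDOWS\SYSTEM\REGSVC32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""

# "R<n> - <registry key>,<value name>=<data>"
R_LINE = re.compile(r"^R\d+ - (?P<key>[^,]+),(?P<value>[^=]+)=(?P<data>.*)$")
# "O4 - <abbreviated key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def triage(log_text, expected_hosts):
    """Return (kind, subject, detail) tuples for entries worth a manual look."""
    findings = []
    names_by_cmd = defaultdict(set)  # (key, lowercased command) -> value names
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            # IE start/search settings: report hosts the analyst did not expect.
            host = (urlsplit(m["data"]).hostname or "").lower()
            if host and host not in expected_hosts:
                findings.append(("ie-setting", m["value"], host))
            continue
        m = O4_LINE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"].strip()
            if not name:
                # Unnamed value in a Run key, like "O4 - HKLM\..\Run: []".
                findings.append(("empty-autorun", m["key"], cmd))
            elif cmd:
                names_by_cmd[(m["key"], cmd.lower())].add(name)
    # Same command under more than one value name in the same key.
    for key, cmd in sorted(names_by_cmd):
        names = names_by_cmd[(key, cmd)]
        if len(names) > 1:
            findings.append(("duplicate-autorun", ", ".join(sorted(names)), cmd))
    return findings


if __name__ == "__main__":
    # expected_hosts is an assumption made for this illustration.
    for finding in triage(SAMPLE_LOG, {"my.yahoo.com"}):
        print(finding)
```

The same command appearing under both Run and RunServices, as LoadPowerProfile does in the logs above, is not reported, because the comparison is made per key.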
Solarwind
12-11-2002, 05:20 AM
T,
So far so good. I had deleted all of the entries but 2 that you listed yesterday, but still had the bad dogs coming back. Now it seems I can at least keep my home page set. I think it must have been the last two items on your list to check. I also took some advice from the thread you pointed out, as well as registered so I can keep utd with this stuff, and added the nasties list of sites to be blocked. The bad part of this is, the Regsvc32 is still in startup from msconfig. It is unchecked, but this file is undeletable when navigated to through explore my computer.
I really do appreciate the help.
DL.
Mihi crede, hoc mihi magis quam tibi nocet.
TonyKlein
12-11-2002, 05:39 AM
If the reference to the file is UNchecked in Msconfig, the file itself shouldn't become active when you start your computer.
But if I'm hearing you correctly, the regsvc32.exe file is still there, sitting in your Windows\System folder, and refuses to be removed?
First, please send me a copy of the file for analysis.
I'll give you my email addie in a Private message.
When you've done that, start your computer up in Safe Mode, where this file will not be in use by Windows. You'll then be able to remove it.
Here's an article: How to Start a Windows-Based Computer in Safe Mode (http://support.microsoft.com/default.aspx?scid=KB;en-us;180902)
But please DO send me a copy of this file before deleting it. It'll help no end in developing effective detection for this one.
Solarwind
12-11-2002, 10:35 AM
Tony et al,
Problem solved! After using the "Hijackthis" download to find and delete the correct files - apparently I didn't get them all the first three times - I have managed to regain control of my system.
PCMag site had a post by someone else who was feeling my rage about spam/hijack etc... check it out. "spam part 2"
Couldn't have gone through another day without the help I received here.
Many thanks!
Mihi crede, hoc mihi magis quam tibi nocet.
TonyKlein
12-11-2002, 11:21 AM
You're welcome!
It's just because I eat spyware for breakfast, really....