HijackWare keeps writing different home page to registry

  • Thread starter Thread starter Pete
  • Start date Start date
P

Pete

Hi, I have a very tricky problem that involves my ie6 home page
continuing to default to http://www.search-paga.com/ . I keep changing
it in ie6 to my true home page and it keeps reverting back to the site
above. I am convinced this is some type of spyware and I have run every
piece of antispam, spyware, etc. software I can find including the
latest versions of Norton Antivirus, Ad-Aware SE, Spybot Search &
Destroy and HijackThis. Nothing shows although the results for
HijackThis report the problem as a registry string for the page above:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.search-paga.com/10079/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.users.bigpond.com/lansma/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My
Internet Explorer

If I change or delete the 2nd string above within HiJackThis or using
RegEdit, my proper home page fires on the first and possibly the second
opening of ie6 but beyond that it reverts to http://www.search-paga.com/
once more.

I have Googled and found this problem and this site is not uncommon but
none of the solutions posed including those on the Microsoft website
pertaining to hijacked home pages have helped with this problem.

It seems clear that some application keeps writing
http://www.search-paga.com/ to the registry but I don't know which one
or how it is doing this. It is driving me bonkers.

Any help appreciated.
 
Pete said:
Hi, I have a very tricky problem that involves my ie6 home page
continuing to default to http://www.search-paga.com/ . I keep changing
it in ie6 to my true home page and it keeps reverting back to the site
above.
Click to expand...

Try running the removal tools in safe mode.

Check for a suspicious program in startup..

start -> run -> msconfig -> startup tab

and/or a process eg

CTRL + ALT+DEL -> Processes tab

against the list at...
http://www.sysinfo.org/startuplist.php
 
Hello, I am not familar with your problem or with computers. I had a problem
after a program removal, it would send info to the home site. Removed the
registry entries and they would return. Found a person with the same problem
that had located a .dll and removed it and the registry entries never were
recreated. Perhaps you have the same type of problem.
Take Care.
beamish.
 
Pete said:
Hi, I have a very tricky problem that involves my ie6 home page
continuing to default to http://www.search-paga.com/ . I keep changing
it in ie6 to my true home page and it keeps reverting back to the site
above. I am convinced this is some type of spyware and I have run every
piece of antispam, spyware, etc. software I can find including the
latest versions of Norton Antivirus, Ad-Aware SE, Spybot Search &
Destroy and HijackThis. Nothing shows although the results for
HijackThis report the problem as a registry string for the page above:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.search-paga.com/10079/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.users.bigpond.com/lansma/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My
Internet Explorer

If I change or delete the 2nd string above within HiJackThis or using
RegEdit, my proper home page fires on the first and possibly the second
opening of ie6 but beyond that it reverts to http://www.search-paga.com/
once more.

I have Googled and found this problem and this site is not uncommon but
none of the solutions posed including those on the Microsoft website
pertaining to hijacked home pages have helped with this problem.

It seems clear that some application keeps writing
http://www.search-paga.com/ to the registry but I don't know which one
or how it is doing this. It is driving me bonkers.

Any help appreciated.
Click to expand...

Check for additional entries in your HiJackThis listing.

1. Remove any items that refer to c:\windows\inetdata or
c:\winnit\inetdata

2. Open the Process Manager in HiJackThis and kill any running
process that is from the items in (1).

Good luck


Ron Martell Duncan B.C. Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca

In memory of a dear friend Alex Nichol MVP
http://aumha.org/alex.htm
 
Hi and thanks for your responses.

I have followed all your advice (btw, there was no reference to
c:\windows\inetdata or c:\winnit\inetdata on my drive or in HijackThis).
I rescanned with Ad-Aware, Norton AntiVirus, Spybot S&D, and HijackThis
in safe mode and uncovered a number of seemingly minor problems that
were all fixed. Doing this removed the registry entry for
www.search-paga.com that showed up in HijackThis and I could open and
close my browser several times (while not connected to the internet) and
my true home page displayed. Next I rebooted and checked that the home
page was still mine - and it was. Finally, I connected to the net to do
the final test and much to my frustration up came www.search-paga.com
again. It has written itself back to the registry again.

I don't understand any of this because I have used the latest tools to
clean my system and I have Norton AntiVirus and Firewall installed.

Can you provide me any more clues before I literally go insane?
 
Pete said:
Hi and thanks for your responses.

I have followed all your advice (btw, there was no reference to
c:\windows\inetdata or c:\winnit\inetdata on my drive or in HijackThis).
I rescanned with Ad-Aware, Norton AntiVirus, Spybot S&D, and HijackThis
in safe mode and uncovered a number of seemingly minor problems that
were all fixed. Doing this removed the registry entry for
www.search-paga.com that showed up in HijackThis and I could open and
close my browser several times (while not connected to the internet) and
my true home page displayed. Next I rebooted and checked that the home
page was still mine - and it was. Finally, I connected to the net to do
the final test and much to my frustration up came www.search-paga.com
again. It has written itself back to the registry again.

I don't understand any of this because I have used the latest tools to
clean my system and I have Norton AntiVirus and Firewall installed.

Can you provide me any more clues before I literally go insane?
Click to expand...

Post the problem and HijackThis log to one of the specialty forums for
it, not this one.

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

mouse moving and closing out programs 5
No disk error on startup - HJT log included 11
Desktop Icons Missing at startup 7
help 4
.dll error - making us crazy 1
Are these instructions dodgy???...please advise 3
Crypserv.exe and Svcpack.exe: disconnecting from Internet 1
Hijack This 3

Back
Top