homepage

MAP

-----Original Message-----
I have a homepage that is not my Microsoft homepage that
keeps popping up. I think it is hidden in my computer to
automatically take me to this page. I am not sure how
to get rid of it
because it came from the internet. I know that it is
some kind of virus or something and I know that I can do
a search through my files and folders for it, however, I
don't know what to type in in order to look for it and
destroy it. Thanks

Hi, it's called "home page hijacking". There are several
tools to find and remove spyware; here is a list of
free ones that work well. After you install any of them,
update them before each use. Do not be surprised on the
first use if they find quite a lot of spyware on your
system. I use both Ad-aware and Spybot. Good luck

http://www.safer-networking.org/ Spybot
http://www.javacoolsoftware.com/spywareblaster.html
http://www.wilderssecurity.net/spywareguard.html
http://www.lavasoft.de/ Ad-aware
http://www.merijn.org/downloads.html (CWS) Cool Web Shredder and HijackThis
 
Guest

The Hijackthis web site said to post this here and Someone would be able to help me in choosing what to delete, thanks
Logfile of HijackThis v1.97.7
Scan saved at 12:27:42 PM, on 1/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\main\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=35
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivateNet] C:\PrivateNet\HORNY_COEDS_54[1].exe 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: PILLS (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.9754166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Redmond

Bill, I'm pretty sure they meant to post it on their log site... that's where
they can help you; posting a log from HijackThis here is not going to help.
Go here to post your hijackthis log.
http://forums.tomcoyote.org/index.php?s=b81591c710d1e299ae46ea50bbe9a62f&showforum=27


bill said:
The Hijackthis web site said to post this here and Someone would be able
to help me in choosing what to delete, thanks
Logfile of HijackThis v1.97.7
Scan saved at 12:27:42 PM, on 1/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\main\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=35
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=35
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=35
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=35
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivateNet] C:\PrivateNet\HORNY_COEDS_54[1].exe 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: PILLS (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.9754166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
MAP

As Redmond suggested, the other forum would be better.
Anything with an R0 or R1 should be looked at real close.
The processes listed below bring a red flag to me, but I'm
sure there are more.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O4 - HKCU\..\Run: [PrivateNet] C:\PrivateNet\HORNY_COEDS_54[1].exe 1

HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Good Luck
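Added example, not part of the thread and not HijackThis's own logic: Python that triages R0/R1 and O4 lines in the log format posted above, flagging URLs that use the `user@host` form marked "(obfuscated)" in the log, browser pages pointing at hosts outside a trusted list, and system binary names started from outside System32. The `TRUSTED` and `SYSTEM_NAMES` lists and the sample lines (which use example domains) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis line format shown in this thread (example domains).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.example:3128@redirect.example.net/search.htm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijack.example/h.php?aid=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
TRUSTED = ("microsoft.com", "msn.com")  # assumption: hosts accepted as defaults
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}  # assumed list
SYSTEM_DIR = r"c:\windows\system32"
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

def check_url(url):
    """Flag userinfo-before-@ obfuscation and hosts outside the trusted list."""
    parts, reasons = urlsplit(url), []
    host = parts.hostname or ""
    if parts.username is not None:
        reasons.append(f"text before '@' is not the host; real host is {host}")
    if not any(host == t or host.endswith("." + t) for t in TRUSTED):
        reasons.append(f"untrusted host {host}")
    return reasons

def check_run(command):
    """Flag a system binary name started from outside System32."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.exe)', command, re.I)
    if not m:
        return []
    folder, _, name = m.group(1).lower().rpartition("\\")
    if name in SYSTEM_NAMES and folder != SYSTEM_DIR:
        return [f"{name} starts from {folder}, not {SYSTEM_DIR}"]
    return []

def triage(log_text):
    """Return (entry code, reason) pairs for R0/R1 and O4 lines worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        url = re.search(r"= (https?://\S+)", body)
        if code in ("R0", "R1") and url:
            findings += [(code, r) for r in check_url(url.group(1))]
        elif code == "O4":
            findings += [(code, r) for r in check_run(body)]
    return findings
```

Calling `triage(SAMPLE_LOG)` returns four findings: two for the `user@host` search URL, one for the untrusted start page, and one for `svchost.exe` starting from `c:\windows`.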
 
