IT HELP - URGENT
Jeffers_S13 - 22/7/05 at 08:01 AM

I clicked a link in the madhouse section and now I have some teen porn website as my homepage and can't reset it as it automatically resets itself back to it. How the hell do I get rid of it ? I am no IT whizz kid.

DO NOT CLICK THE 'Buy your kid one for christmas' link.

[Edited on 22/7/05 by Jeffers_S13]


Dillinger1977 - 22/7/05 at 08:07 AM

oops, hold on..

[Edited on 22/7/05 by Dillinger1977]


Jeffers_S13 - 22/7/05 at 08:08 AM

I tried this already, it doesn't work ! it must be some script or virus or whatever ? ? ?


Jeffers_S13 - 22/7/05 at 08:09 AM

The homepage is called 'findyourcouple' so I am searching for this string of characters on my machine in the hope I can find the file. Am I wasting my time ?


Dillinger1977 - 22/7/05 at 08:10 AM

tools -> internet options -> enter it by url

if it's being ignored and reset to the dodgy one you probably have some spyware in memory that's resetting it.
reboot your pc and try it again. if it's still doing it you'll need some anti spyware software to get rid, or root it out yourself..


Jeffers_S13 - 22/7/05 at 08:11 AM

Yep I did this, it just resets itself, what makes it worse is I am at work ! ! ! !


ReMan - 22/7/05 at 08:13 AM

In Internet Explorer it's TOOLS - INTERNET OPTIONS - HOME PAGE, click use default, or use blank.
If it's sorted then, great.
But you probably want to run a virus scan and then use utilities like "Hijack this", "Spybot search and destroy" and "adaware" to check your PC for gremlins. Also check START - SETTINGS - ADD and REMOVE PROGRAMS for any unknown entries.
HTH


Jeffers_S13 - 22/7/05 at 08:14 AM

Will it be stored in my profile ? if I just switch my machine off, with the network lead out, without logging off will it get lost somehow ? then when I log on again it will download my original profile say from when I logged off last night ?? ?


DaveFJ - 22/7/05 at 08:14 AM

Download Lavasoft Adaware and run that

It's pretty good and it's free. should help you root out the bugger.


ReMan - 22/7/05 at 08:16 AM

quote:
Originally posted by Jeffers_S13
Will it be stored in my profile ? if I just switch my machine off, with the network lead out, without logging off will it get lost somehow ? then when I log on again it will download my original profile say from when I logged off last night ?? ?


Unfortunately probably not!
But it won't hurt to try!


[Edited on 22/7/05 by ReMan]


nludkin - 22/7/05 at 08:17 AM

Well.. It sounds like something is running every time Internet Explorer is starting.

So, without knowing what program is running (It could be anywhere!) it is probably best installing Microsoft Antispyware (Free).

http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

If this doesn't find and remove the little critter at least it will warn you (In a system tray popup!) as to what program is changing the default homepage.

Then with this information it will be easier to remove the offending critter.


Jeffers_S13 - 22/7/05 at 08:21 AM

Thanks guys will try all suggestions ! I am just running a program called 's-t-i-n-g-e-r' from McAfee.


Avoneer - 22/7/05 at 08:27 AM

"Hijack this"

Do that and post your log on here and I'll try and tell you what you need to delete.

Pat...


Jeffers_S13 - 22/7/05 at 08:32 AM

I ran stinger and it found the W32/Sasser.worm!ft virus, I thought this would be it but no now downloading some of the ones that have been recommended.

What log do you mean Pat ?


ReMan - 22/7/05 at 08:33 AM

As I said get Hijack this. Just done a Google for Findyourcouple and Virus, it's a known problem with solutions


Jeffers_S13 - 22/7/05 at 08:35 AM

Ah, got you ! on the case now...


Peteff - 22/7/05 at 08:38 AM

Try googling for this and download it, disable your auto restore if using XP then run the program and it should get rid. It sounds like Cool Web Search has got a hold on your computer and it enters itself into registry every time you restart.


Jeffers_S13 - 22/7/05 at 08:40 AM

Logfile of HijackThis v1.99.1
Scan saved at 09:37:39, on 22/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\MSC.Patran\lmgrd.exe
D:\MSC.Patran\MSC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
D:\s-t-i-n-g-e-r.exe
C:\WINDOWS\System32\msiexec.exe
d:\Program Files\Anitspyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WinZip\winzip32.exe
d:\tmp\HijackThis.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\winstats.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O1 - Hosts: 192.1.1.1 nettle
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "d:\Program Files\Anitspyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] d:\Program Files\Anitspyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: map-hugo.bat.lnk = C:\map-hugo.bat
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cape-eng.local
O17 - HKLM\Software\..\Telephony: DomainName = cape-eng.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEE31EE0-41A4-4E1B-8135-BD7A4BB2B79E}: NameServer = 194.72.6.57,194.73.82.242,192.1.3.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cape-eng.local
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: FLEXlm V8.4a - Macrovision Corporation - D:\MSC.Patran\lmgrd.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCQueMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
O23 - Service: MSCRmtMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - D:\abaqus\Documentation\monitor.exe


Avoneer - 22/7/05 at 08:40 AM

Hijack this enables you to delete all the crap that gets put in your registry.

Can be dangerous though if you delete the wrong thing in your registry.

Pat...


Avoneer - 22/7/05 at 08:45 AM

Ok,
Scan again and put a tick in the top four with "findyourcouple" in them and "fix checked".
Scan again and re-post your log.
Pat...


DaveFJ - 22/7/05 at 08:48 AM

Microsoft anti-spyware is as much use as tits on a fish. (a bit like the windows sp2 firewall!)

they made it even worse recently when they purchased several firms including Gator! and then downgraded the threat rating from gator !!

read this article here

[Edited on 22/7/05 by DaveFJ]


Jeffers_S13 - 22/7/05 at 08:50 AM

They are still there


Logfile of HijackThis v1.99.1
Scan saved at 09:45:43, on 22/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\MSC.Patran\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\MSC.Patran\MSC.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Anitspyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
d:\Program Files\Anitspyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WinZip\winzip32.exe
D:\Personal\Downloaded Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O1 - Hosts: 192.1.1.1 nettle
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "d:\Program Files\Anitspyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: map-hugo.bat.lnk = C:\map-hugo.bat
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cape-eng.local
O17 - HKLM\Software\..\Telephony: DomainName = cape-eng.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEE31EE0-41A4-4E1B-8135-BD7A4BB2B79E}: NameServer = 194.72.6.57,194.73.82.242,192.1.3.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cape-eng.local
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: FLEXlm V8.4a - Macrovision Corporation - D:\MSC.Patran\lmgrd.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCQueMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
O23 - Service: MSCRmtMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - D:\abaqus\Documentation\monitor.exe


Avoneer - 22/7/05 at 08:55 AM

Sorry then, I'm stumped now.
That should have done it.
Will have a nosey and see what else I come up with...

Pat...


Big Stu - 22/7/05 at 09:00 AM

What operating system is it? NT or XP. If it is XP go into start menu and then run. Then type MSCONFIG. This will open a window. Click on the startup tag. These are the programs that run during startup. One of these will be changing your homepage every time you start. Look for sus names and remove the check boxes. Then reset your homepage, reboot, if your home page is no longer porn then you have found the bugger. If not then try some more. If using the NT then sorry, no idea.


Jeffers_S13 - 22/7/05 at 09:01 AM

quote:
Originally posted by Peteff
Try googling for this and download it, disable your auto restore if using XP then run the program and it should get rid. It sounds like Cool Web Search has got a hold on your computer and it enters itself into registry every time you restart.


What's auto restore ? how do I disable it ?


Big Stu - 22/7/05 at 09:01 AM

if you find the program that is doing this remove it from the hard disk then run hijack this again, to remove the registry entries.
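
The two checks suggested in the posts above (tick the entries that point at "findyourcouple", then look at what runs at startup), as an added example that is not part of the original thread. It parses HijackThis entry lines, reports the R0/R1 Internet Explorer settings whose URL is on a suspect domain, and lists the O4 autostart entries for review; the sample lines come from the log posted above with the path backslashes, which are missing from the page, put back, and the function names are this example's own.

```python
import re
from urllib.parse import urlparse

# Entry lines from the HijackThis log posted in this thread, with the path
# backslashes (missing from the page) put back.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O1 - Hosts: 192.1.1.1 nettle
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: map-hugo.bat.lnk = C:\map-hugo.bat
"""

# "<section code> - <body>", e.g. "R0 - ..." or "O4 - ..."
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# "<registry key>,<value name> = <data>" as used by the R0/R1 lines
IE_SETTING = re.compile(r"^(HK[A-Z]{2}\\[^,]+),([^=]+?) = (.*)$")


def parse(log_text):
    """Yield (code, body) per entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def hijacked_ie_settings(log_text, suspect_domain):
    """Return (registry key, value name) for R0/R1 entries set to suspect_domain."""
    hits = []
    for code, body in parse(log_text):
        m = IE_SETTING.match(body) if code in ("R0", "R1") else None
        if not m:
            continue
        host = (urlparse(m.group(3).strip()).hostname or "").lower()
        if host == suspect_domain or host.endswith("." + suspect_domain):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


def autostart_entries(log_text):
    """Return the O4 entries (Run keys and Startup folder) for manual review."""
    return [body for code, body in parse(log_text) if code == "O4"]


if __name__ == "__main__":
    for key, value in hijacked_ie_settings(SAMPLE_LOG, "findyourcouple.com"):
        print("hijacked:", key, "->", value)
    for body in autostart_entries(SAMPLE_LOG):
        print("autostart:", body)
```

Running it on a scan taken after a reboot shows whether the four settings were rewritten again.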


DaveFJ - 22/7/05 at 09:06 AM

Before trying to remove any spyware (or any other nasty for that matter) on windows XP, right click on 'My Computer' and select 'Properties'
select the 'System Restore' tab and ensure that 'Turn Off System Restore on all drives' is checked.


Big Stu - 22/7/05 at 09:09 AM

you also need to get service pack two installed.


Alistair Mc - 22/7/05 at 10:03 AM

the best spyware detection tool I have found is spybot S&D, seems to work. you can get a free version at
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10122137.html


Alistair Mc - 22/7/05 at 10:04 AM

http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10122137.html


Alistair Mc - 22/7/05 at 10:05 AM

ok why don't the links work. just copy the link


DaveFJ - 22/7/05 at 10:07 AM

try this one


Alistair Mc - 22/7/05 at 10:44 AM

ok so what am I doing wrong I added the link with link button


Peteff - 22/7/05 at 12:15 PM

Just paste the link straight into the message. It will sort itself out.

[Edited on 22/7/05 by Peteff]


Jeffers_S13 - 27/7/05 at 12:20 PM

Me again, I still have this problem ! work has been getting in the way (and still is...) to sort it out, been doing some long days here with no time to faff. I seem to have just about every spyware program installed now and they keep updating themselves ! yet I still have this bloomin porn site as my homepage. I need something 'industrial strength' to sort it out...

James


britishtrident - 27/7/05 at 12:31 PM

Have you turned off XP system restore ?


Jeffers_S13 - 27/7/05 at 12:37 PM

NEWSFLASH

I just ran that 'hijack this' thing again on the off chance and then checked the four dodgy things and pressed 'fix', and it has worked ! not sure why it didn't before ?

I've just looked and have the 'turn off system restore on all drives' unchecked, is this how it should be in a normal set-up ? should it be checked now everything seems to be back to normal ?

Thanks

James


DaveFJ - 27/7/05 at 12:46 PM

You should have checked when trying to remove nasties.....

once they are gone you can uncheck it again.