Jeffers_S13
posted on 22/7/05 at 08:01 AM
IT HELP - URGENT
I clicked a link in the madhouse section and now I have some teen porn website as my homepage and can't reset it as it automatically resets itself back to it. How the hell do I get rid of it? I am no IT whizz kid.
DO NOT CLICK THE 'Buy your kid one for christmas' link.
[Edited on 22/7/05 by Jeffers_S13]

Dillinger1977
posted on 22/7/05 at 08:07 AM
oops, hold on..
[Edited on 22/7/05 by Dillinger1977]
-Rog

Jeffers_S13
posted on 22/7/05 at 08:08 AM
I tried this already, it doesn't work! It must be some script or virus or whatever???

Jeffers_S13
posted on 22/7/05 at 08:09 AM
The homepage is called 'findyourcouple' so I am searching for this string of characters on my machine in the hope I can find the file. Am I wasting my time?

Dillinger1977
posted on 22/7/05 at 08:10 AM
tools -> internet options -> enter it by url
if it's being ignored and reset to the dodgy one you probably have some spyware in memory that's resetting it.
reboot your pc and try it again. if it's still doing it you'll need some anti spyware software to get rid, or root it out yourself..
-Rog

Jeffers_S13
posted on 22/7/05 at 08:11 AM
Yep I did this, it just resets itself, what makes it worse is I am at work!!!!

ReMan
posted on 22/7/05 at 08:13 AM
In Internet Explorer it's TOOLS - INTERNET OPTIONS - HOME PAGE, click use default, or use blank.
If it's sorted then, great.
But you probably want to run a virus scan and then use utilities like "Hijack this", "Spybot search and destroy" and "adaware" to check your PC for gremlins. Also check START - SETTINGS - ADD and REMOVE PROGRAMS for any unknown entries.
HTH
www.plusnine.co.uk

Jeffers_S13
posted on 22/7/05 at 08:14 AM
Will it be stored in my profile? If I just switch my machine off, with the network lead out, without logging off, will it get lost somehow? Then when I log on again it will download my original profile, say from when I logged off last night???

DaveFJ
posted on 22/7/05 at 08:14 AM
Download Lavasoft Adaware and run that
It's pretty good and it's free. should help you root out the bugger.
Dave
"In Support of Help the Heroes" - Always

ReMan
posted on 22/7/05 at 08:16 AM
quote: Originally posted by Jeffers_S13
Will it be stored in my profile ? if I just switch my machine off, with the network lead out, without logging off will it get lost somehow ? then when I log on again it will download my original profile say from when I logged off last night ?? ?
Unfortunately probably not!
But it won't hurt to try!
[Edited on 22/7/05 by ReMan]
www.plusnine.co.uk

nludkin
posted on 22/7/05 at 08:17 AM
Well.. It sounds like something is running every time Internet Explorer is starting.
So, without knowing what program is running (It could be anywhere!) it is probably best installing Microsoft Antispyware (Free).
http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en
If this doesn't find and remove the little critter at least it will warn you (In a system tray popup!) as to what program is changing the default homepage.
Then with this information it will be easier to remove the offending critter.

Jeffers_S13
posted on 22/7/05 at 08:21 AM
Thanks guys will try all suggestions ! I am just running a program called 's-t-i-n-g-e-r' from McAfee.

Avoneer
posted on 22/7/05 at 08:27 AM
"Hijack this"
Do that and post your log on here and I'll try and tell you what you need to delete.
Pat...
No trees were killed in the sending of this message.
However a large number of electrons were terribly inconvenienced.

Jeffers_S13
posted on 22/7/05 at 08:32 AM
I ran stinger and it found the W32/Sasser.worm!ft virus, I thought this would be it but no, now downloading some of the ones that have been recommended.
What log do you mean Pat?

ReMan
posted on 22/7/05 at 08:33 AM
As I said get Hijack this. Just done a Google for Findyourcouple and Virus, it's a known problem with solutions
www.plusnine.co.uk

Jeffers_S13
posted on 22/7/05 at 08:35 AM
Ah, got you ! on the case now...

Peteff
posted on 22/7/05 at 08:38 AM
CWShredder
Try googling for this and download it, disable your auto restore if using XP then run the program and it should get rid. It sounds like Cool Web Search has got a hold on your computer and it enters itself into registry every time you restart.
yours, Pete
I went into the RSPCA office the other day. It was so small you could hardly swing a cat in there.

Jeffers_S13
posted on 22/7/05 at 08:40 AM
Logfile of HijackThis v1.99.1
Scan saved at 09:37:39, on 22/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\MSC.Patran\lmgrd.exe
D:\MSC.Patran\MSC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
D:\s-t-i-n-g-e-r.exe
C:\WINDOWS\System32\msiexec.exe
d:\Program Files\Anitspyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WinZip\winzip32.exe
d:\tmp\HijackThis.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\winstats.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O1 - Hosts: 192.1.1.1 nettle
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "d:\Program Files\Anitspyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] d:\Program Files\Anitspyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: map-hugo.bat.lnk = C:\map-hugo.bat
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cape-eng.local
O17 - HKLM\Software\..\Telephony: DomainName = cape-eng.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEE31EE0-41A4-4E1B-8135-BD7A4BB2B79E}: NameServer = 194.72.6.57,194.73.82.242,192.1.3.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cape-eng.local
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: FLEXlm V8.4a - Macrovision Corporation - D:\MSC.Patran\lmgrd.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCQueMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
O23 - Service: MSCRmtMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - D:\abaqus\Documentation\monitor.exe

Avoneer
posted on 22/7/05 at 08:40 AM
Hijack this enables you to delete all the crap that gets put in your registry.
Can be dangerous though if you delete the wrong thing in your registry.
Pat...
No trees were killed in the sending of this message.
However a large number of electrons were terribly inconvenienced.

Avoneer
posted on 22/7/05 at 08:45 AM
Ok,
Scan again and put a tick in the top four with "findyourcouple" in them and "fix checked".
Scan again and re-post your log.
Pat...
No trees were killed in the sending of this message.
However a large number of electrons were terribly inconvenienced.

DaveFJ
posted on 22/7/05 at 08:48 AM
Microsoft anti-spyware is as much use as tits on a fish. (a bit like the windows sp2 firewall!)
they made it even worse recently when they purchased several firms including Gator! and then downgraded the threat rating from gator!!
read this article here
[Edited on 22/7/05 by DaveFJ]
Dave
"In Support of Help the Heroes" - Always

Jeffers_S13
posted on 22/7/05 at 08:50 AM
They are still there
Logfile of HijackThis v1.99.1
Scan saved at 09:45:43, on 22/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
D:\MSC.Patran\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\MSC.Patran\MSC.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
D:\abaqus\Documentation\monitor.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Anitspyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
d:\Program Files\Anitspyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WinZip\winzip32.exe
D:\Personal\Downloaded Programs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O1 - Hosts: 192.1.1.1 nettle
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "d:\Program Files\Anitspyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: map-hugo.bat.lnk = C:\map-hugo.bat
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cape-eng.local
O17 - HKLM\Software\..\Telephony: DomainName = cape-eng.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEE31EE0-41A4-4E1B-8135-BD7A4BB2B79E}: NameServer = 194.72.6.57,194.73.82.242,192.1.3.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cape-eng.local
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: FLEXlm V8.4a - Macrovision Corporation - D:\MSC.Patran\lmgrd.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCQueMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\QueMgr.exe
O23 - Service: MSCRmtMgr - Unknown owner - D:\MSC.Patran\p3manager_files\bin\WINNT\RmtMgr.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - D:\abaqus\Documentation\monitor.exe
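
Added example, not part of any post in this thread: a Python script that compares the two HijackThis logs above and lists the R0/R1 browser settings that still point at the hijack domain in both scans, which is the sign that something is rewriting them after "fix checked". The line format is inferred from the logs as posted, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# HijackThis "R" line as it appears in this thread (format inferred from the logs):
#   <code> - <registry key>,<value name> = <data>
R_LINE = re.compile(r"^(R\d) - (HK[A-Z]+\\[^,]+),([^=]+?) = (.*)$")

def parse_r_entries(log_text):
    """Return {(registry_key, value_name): data} for every R line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            _code, key, name, data = m.groups()
            entries[(key, name)] = data.strip()
    return entries

def host_of(data):
    """Lower-cased host of a URL-valued setting; '' when the value is not a URL."""
    return (urlparse(data).hostname or "").lower()

def persisted(before, after, bad_host):
    """Settings that point at bad_host (or a subdomain of it) in BOTH scans."""
    def hits(entries):
        return {k for k, v in entries.items()
                if host_of(v) == bad_host or host_of(v).endswith("." + bad_host)}
    return sorted(hits(parse_r_entries(before)) & hits(parse_r_entries(after)))

# The four R lines are copied from the logs posted at 08:40 and 08:50.
HIJACKED = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
"""
# One O4 line from each log is appended to show that non-R lines are ignored.
SCAN_BEFORE = HIJACKED + r"O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] d:\Program Files\Anitspyware\gcASCleaner.exe"
SCAN_AFTER = HIJACKED + r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe"

if __name__ == "__main__":
    for key, name in persisted(SCAN_BEFORE, SCAN_AFTER, "findyourcouple.com"):
        print(f"still hijacked after fix: {key} -> {name}")
```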

Avoneer
posted on 22/7/05 at 08:55 AM
Sorry then, I'm stumped now.
That should have done it.
Will have a nosey and see what else I come up with...
Pat...
No trees were killed in the sending of this message.
However a large number of electrons were terribly inconvenienced.

Big Stu
posted on 22/7/05 at 09:00 AM
What operating system is it? NT or XP. If it is XP go into start menu and then run. Then type MSCONFIG. This will open a window. Click on the startup tag. These are the programs that run during startup. One of these will be changing your homepage every time you start. Look for sus names and remove the check boxes. Then reset your homepage, reboot, if your home page is no longer porn then you have found the bugger. If not then try some more. If using the NT then sorry, no idea.

Jeffers_S13
posted on 22/7/05 at 09:01 AM
quote: Originally posted by Peteff
Try googling for this and download it, disable your auto restore if using XP then run the program and it should get rid. It sounds like Cool Web Search has got a hold on your computer and it enters itself into registry every time you restart.
What's auto restore? How do I disable it?