• Welcome to Poasters Computer Forums.
 

News:

Welcome to the ARCHIVED Poasters Computer Forums (Read Only)

Main Menu

Explorer default pages changed

Started by zdub, April 06, 2004, 11:38 hrs

Previous topic - Next topic

zdub

I use cwshredder to get rid of hijcakers and whatnot, but it doesnt recognize how one of my pages has been changed.


say i enter a invalid website or address. instead of saying that it takes me to a random search engine page, i cant find it in hijack this either...its kind of annoying, just wondering how i could get rid of it through registry? the name of the search engine is.

Removed by moderator as precaution

any ideas? thank you

Chandler

#1
I recommend installing Google Toolbar, it will set these up to Google for you automatically, and also has a pop-up blocker.

But, if you don't like additional toolbars, then this page may be of use:
http://www.winguides.com/registry/display.php?id=289

Warning!  Take care when modifying the registry.

Andrew S

I've had these happen before.  It was like a weird virus or something, it was a pain to get rid of.  Can you private message me and tell me what that search engine was so i can possibly know if it was the one i was dealing with?

If this isnt allowed.... Moderators or Admins please let me know poast?

Chandler

The address of the search engine ended in .cc

I removed the link in case other members clicked it and ended up having their browser hijacked.  There is nothing wrong with discussing it.

Andrew S

Hmm Doesnt sound like the one i had, but i have had several ones similar to what zdub was describing.  


Zdub, check in your installed softwares part of control panel and see if anything looks odd? See if anything was installed that you didnt know about

If you search your registry, go to the Find Option and type the search engines name and search for it.  If you find it linked in registry poast where its at in here.  
Did you clear all your cookies and temp internet files?

zdub

#5
thanx for the replies.

I went into hijack this and deleted the search pages thing...which screwed me cause now i have a search page default as my home page, when i change it and click apply, close the window and open a new explorer window it defaults back to a search page. the page is just called about:blank
but it shows up as a search page...its weird.

um...any recomendations for what i could do to have a homepage set up again since i cant seem to do it through explorer? or should i just say **** explorer and get opera or some other similar alternative browser thats not full of bugs? if i do that is there a google toolbar for any of those browsers or does the normal one work for it? cause i use it currently and really like the pop up killer...

thank you for your time guys. appreciate the help

zdub

#6
i'll repost the link to the name of the page, turns out that its the same search page as i mentioned in my first post it just defaults to it. so now that i cant have a homepage for some reason, It now defaults to this page even though it should be a blank page...weird.

http://linklist. cc/index. php? aid=20038

@ mods i added space to the link so it wont work. just thought it might help if people see what it contains? thank you if this is wrong please edit my post.

zdub

I searched my registry for the name of the page, even parts of the name and nothing was found.....***?

should i just get a new version of explorer or something? this is version 6.0.28

is there a new version?

saoirse

Hi Zdub.

6.0.2800 is the most recent release of Internet Explorer.

Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.

What data is held for StartPage and SearchPage?  

Have you scanned with Spybot\Adaware?  Remember to check for updates.  

saoirse

zdub

#9
thanx i was looking in wrong place, yea i regularily run spybot and adaware so its not that

the data for startpage was about.blank but i think there was a script in the search page to make my start page that default as well.

for searchpage (and searchbar) it was :res://%43%3a%5c%57%49% etc etc

i close the regedit then went back in and the pages both defaulted back to what they were before i changed them the first time....

/edit (below the startpage key is a reg dword  set to 0x00000001 (1)

zdub

Quote from: Chandler on April 06, 2004, 14:04 hrs
I recommend installing Google Toolbar, it will set these up to Google for you automatically, and also has a pop-up blocker.

But, if you don't like additional toolbars, then this page may be of use:
http://www.winguides.com/registry/display.php?id=289

Warning!  Take care when modifying the registry.

i tried this as well, still defaults to the hijacked search page and start page :(

Andrew S

Has anyone heard of Xupiter?   This sounds similar to that........

zdub

can't say i have. I have found this out though. Lots of people have this exact same problem, only their hijack this logs are a bit different which leads me to believe the names for the search page are randomly generated to make it harder to identify. Alot of people have done the exact same things i have done those being

-changing reg files
-running adaware, spybot and antivirus all up to date
-running cwshredder
-hijacker remover walkthroughs

all don't work. which leads me to believe this is kind of like when cwshredder first came out and noone could fix it....hopefuly a fix is found soon its so irritating.

pat

Once you get your system cleaned up consider installing Spywareblaster from Javacool Software, this will help keep spyware from being installed.
Also from Javacool, Spywaregaurd. Spywaregaurd runs in the background like the real-time feature of an AV program. It will let you know if a hijack is attempted, you will be alerted.

Quote from help file.
The Browser Hijacking Protection component of SpywareGuard will alert as soon as browser hijacking activity is detected. If a BHO (Browser Helper Object) is added, or if various Internet Explorer settings are changed (the homepage, search page, etc.) an alert will immediately be displayed, and the user will be given the option to ignore the change, or to revert to the previous settings.

SeaSonic S12 550W, Athlon 64 X2 6000+, Asus M2N SLI-Deluxe, nvidia 9600 GSO, 2x2 gig Crucial Ballistix, LG DVD/RW, 2x Western Digital Black Edition 640gb,  SAMSUNG 226BW Black 22", Canon PIXMA MP600,  Logitech X-230 speakers, Logitech Comfort Duo keyboard & Mouse, Windows 7 64 Home Premium & Vista 64

zdub

I tried it, problem being the hijacker reproduces itself (even without opening explorer first) so when i did that everytime i opened explorer it said all my pages were trying to be hijacked and i had to close about ten windows just to get onto explorer....i think i'll uninstall and switch to opera i guess.

Andrew S

Whats probably happening is, there is an exe somewhere on your hard drive that re-updates it evertime you connect.  Even if you delete a thing from registry, as long as that exe is still there, it'll replace it, and vice versa, if there is somethign in registry and you delete exe, it still somehow updates

Is anything new added to your favorites?

Neon

Another thing to try is to use the immunize function in Spybot S&D, which will help to prevent spyware from installing.
Area 64 project|Asus SK8N|nForce3 Pro 150 chipset|AMD Athlon 64 FX-51|2x 512MB Kingston HyperX PC3200R|eVGA GeForce 6800GT|WD Caviar SE 1200JD SATA|Plextor PX-708A 8x DVD+R|Plextor PX-116A 16x DVD-ROM|Lian Li PC-60H1S|Antec TruePower 430W ATX|WinXP x64 edition

Whizbang

#17
Xupiter and CWS are two of the hijackers that SpyBot looks for.  The problem is that CWS is a bit like a virus in that it changes after reboot and becomes more entrenched.  CWShredder was developed to remove it; and, no, CWS is not the name, but in adding to the policy on this poast to refrain from using it, that is what I will call it.  There should be an executable file that is listed in Startup.  One variant has the word media in the text.  

The program is classified as a Malware Trojan.  One Antispyware site refuses to identify itself as an antispyware site because of fear that the server-based trojan will infect it.  Whether real or just paranoia, CWS is a very bad problem.

If SpyBot cannot remove it, run MSCONFIG and see what is coming up.  That is the way that I deactivated the varmint when it appeared out of the cyberworld on my computer.  Every attempt at locating it was futile (Where have I heard that word before?  ::)  )
There were no visible files even after changing files setting that had any detectable reference to CWS.

Since an AVG upgrade and a firewall installation, I have not had it appear again.  AVG did detect it and deactivated it before I installed Zone Alarm and then opted for hardware firewall.

Best way to keep from becoming "enslaved" by it is:

1)  Once infected, do not turn off computer until you have run
     SpyBot.
2)  If that fails, again do not turn off computer--->period.
    This will only allow CWS to go into full install.
3)   Run MSCONFIG and locate any suspicious executables and    
     check for legitimacy on a web search or on this forum.
4)   Dump all temporary Internet files.
5)   Run Antivirus.  Many, if not most, should have a check for this
      pest by now, although I do not know how effective a check will be once
     CWS is fully installed.  
6)   If antivirus locates and deactivates it, return to MSCONFIG to
     verify that it is not in the startup folder.

On a final note:  The program is at this poast perfectly legal because it does not quite meet the legal (or illegal) requirements of a virus!

Andrew S

Whizbang  What about this final note?

And what is the policy you speak of so i know better for the future?

Whizbang

#19
No law against it yet, but the State of Utah has initiated legislation to make malware illegal.  See Poast.  That really will not make any difference though because it can simply be based overseas.  As long as there are jerks who prey on the innocent, there will be stuff like this to fight.

Given the curious nature of human beings, poasting the name would immediately initiate a search by someone.  That person could potentially get on the wrong link and download the trojan because it is also advertised in pleasant terms on some links.  The one site seemed to think that the mere naming of the site in reference to this trojan or anti-spyware would cause the site to become infected.  Me thinks that paranoia doth rule.

Seriously, as long as you do not click on a Web Search that has glowing terms expressed regarding it there should be no problem.  There are kids also who frequent this forum, and I would hate it if one got this pest.  It is installed whether you want it or not, and that is the first problem.