Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Explorer homepage hijacker [CLOSED]

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 4 posts
Can some please help me to remove this homepage. Ive tried to remove this cool web varient, but it coming back.

Thanks :tazz:

Attached Files

  • 0




    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Welcome to Geekstogo, dmcm1234!

I'm now working on your problem..
I'll get back to you soon,
as soon as this forums experts has checked my fix for you.
Thank you for your patience ;)

- Rawe :tazz:
  • 0



    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again!

Please print these instructions out, or write them down, as you can't read them during the fix.
Be sure to follow every step.

First, download;

- About:buster

Unzip the contents of AboutBuster.zip and an About:Buster directory will be created.
- Launch About:Buster
- Click "Ok" at the prompt with instructions.
- Click "Update" and then "Check For Update" to launch the update process.
- If any updates exist please download them by clicking "Download Update". After this, exit the updating window.
- Now please close About:Buster

- Clean Up

Install Cleanup and get it ready to be used, but don't run it yet.

- Spybot S&D

=> An tutorial for SpyBot

Run the program, as instructed on the link. ;)

After this, please download CWShredder v 2.15
When installed, launch it, check for any updates, and close it. Don't Run A Scan Yet!

Please run at least two of these free online scans here (use the "Auto-clean" - option);

- BitDefender
- Kaspersky
- Jotti Virusscan
- A2

Please now run CWShredder v. 2.15, use the "Fix" button.

Once you have done all of this;

Disconnect from the internet. {For broadband/cable users, it is recommended to disconnect the cable connection}

Please boot up into Safe Mode.

While rebooting your computer, tap f8 continuosly. A menu should come up, choose to go to Safe Mode.

While at Safe Mode, please run About:Buster;

Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
Click "Yes" to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it.
When the scan has finished, and log saved, please reboot your computer to Safe Mode again.

Ok, now run About:Buster again without the reboot in the end.

Do this before HJT fixes;
Click Start => Run => and type in:


Click "OK".

In the services window find service; Remote Procedure Call (RPC) Helper
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.

After this;

Please launch HJT. Close any other open windows.

Just hit the button to "Scan". When finished, please check these objects for removal

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\nkgxb.dll/sp.html#44980
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nkgxb.dll/sp.html#44980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\nkgxb.dll/sp.html#44980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\nkgxb.dll/sp.html#44980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nkgxb.dll/sp.html#44980
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\nkgxb.dll/sp.html#44980
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\nkgxb.dll/sp.html#44980
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3BB095BA-58DE-C7CE-7396-A8C92B4E4594} - C:\WINNT\system32\mswt32.dll
O2 - BHO: Class - {A13D0368-AE57-5996-D4B4-DFBF6D77F24B} - C:\WINNT\crel32.dll
O4 - HKLM\..\Run: [sysgr32.exe] C:\WINNT\sysgr32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.fdnet.com
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\addlb32.exe

Has the system administrator (if work pc) set up a policy restriction in Internet Explorer? If not, then please also check the following entry in HJT;

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Do you know these entries;

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdeel.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fdeel.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdeel.com
? ;)

If not,
please check them for removal also.

There is also couple optionals if you want to get rid of them;

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime {System Tray access to Apple's "Quick Time" viewer from version 5 onwards}
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE {Opens in startup, unnecessary/not required entry, as it can be launched manually if needed.}

Make sure that the above mentioned objects are all checked, then hit "Fix Checked".

Run HiJackThis;

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"


Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

Using Windows Explorer, locate the following files and delete them (if found);

If you could, please now run CWShredder v 2.15 again.
Use the "Fix" button.

Run Cleanup!
It will ask you to reboot to finish the cleaning,
please do so.

Boot into normal mode.

Once your Windows has loaded, run a scan with HJT, post that scanlog here along with the log from About:Buster. Tell us how's your system working. :help:
Connect back to the internet when the HJT scan has finished, to post your results.

- Rawe :tazz:

If you have anything to ask, please don't hesitate to ask.
Also, if you can't for some reason finish a step, then please move on to the next step.

  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi RAWE thanks for your help so far.

I've removed the about:blank web page per instructions but I must have deleted something by mistake during the operation. I am having the following problems,

1- Printer. My existing printer selections have been deleted from the printers folder. When I click on the add printer icon i get an error message "Printer operation cannot continue due to lack of resources. The print subsystem is unavailable.

2- When I go to open an excel spreadsheet i get the following error message "Cannot use object linking and embedding". It then crashes out.

please advise. I am attaching the latest scanlog

Logfile of HijackThis v1.99.1
Scan saved at 00:27:31, on 01/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fluor.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fluor
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JavaConnect - http://conference10....JavaConnect.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - http://conference10....STConnAgent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdeel.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fdeel.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdeel.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\cwshredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Radia Notify (RADEXECD) - Novadigm - C:\PROGRA~1\Novadigm\RADEXECD.exe
O23 - Service: Radia Scheduler (RADSCHED) - Novadigm - C:\PROGRA~1\Novadigm\RADSCHED.exe
O23 - Service: Radia MSI Redirector (RADSTGMS) - Novadigm - C:\PROGRA~1\Novadigm\RADSTGMS.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
  • 0



    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
you're log would seem to be clean.
you are missing one critical process.
Please browse to c:\windows\system32 folder and look for svchost.exe or svchost. If you can't find it anywhere;

Boot from your Windows XP disk and use recovery console, follow the onscreen stuff and put the admin password in that your setup when you installed windows (if any..leave blank if none), you should now be at a prompt EXAMPLE: C:\WINDOWS>

At the end of the prompt type: cd F:\I386
F is the letter of the drive where your XP disk is so you will need to change it to your drive letter. Make sure to change it. The prompt should now be F:\I386>

After the prompt type: Expand svchost.ex_ C:\windows\system32
C is the letter of you HD were windows XP is installed, needs to be changed accordingly. At the prompt type: exit
Your sytem will reboot and you will now have a copy of svchost.exe in your system32 folder again.

- Rawe :tazz:
  • 0



    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP