BullGuard
Homepage redirect virus!
   
Patrick Green
New Member


Date Joined Jun 2004
Total Posts : 7
 
Posted 6/21/2004 5:13 AM (GMT +2)
I have a similar problem, but it's not MSN.

It happened once before, and after 3 weeks of frustration I reformatted to get rid of the bastard. Now it's back, but the redirect is for a different site.

It shows as about:blank, but it's not pulling up anything Microsoft-related. It's some search engine on msie.tv

I've tried 6 kinds of spyware removal, 3 antiviruses, nothing can find it.

At the same time, there's another bug I found which may be related... on restart my Recent Documents are changing back to reflect a list from a couple of months ago... I suspect there's a little prog somewhere that keeps overwriting my registry from the day it installed itself, and thus putting itself back in active. I tried reinstalling my registry from my earliest backup after I reinstalled XP to get the last bastard out... but it didn't work... so either I'm wrong or I caught the bastard before I backed up my registry for the first time... which was like a few days after my reformat....ARG!

So... any suggestions? Where in the registry is the home page set? Help!
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/21/2004 12:18 PM (GMT +2)
Chill Patrick,
you don't need to reformat to get rid of this. First turn off the recovery program, that's why it keeps rewriting; viruses tend to write themselves into the recovery. Second, go into regedit, go to the Edit key, highlight the Find key, click it, type in the trojan and see if it pops up; if it does, delete it. Then do a disk clean to remove all restore points, then restart. Do another scan with BullGuard; if it's still there send scan logs to support@bullguard.com and make sure you get all the latest updates from Microsoft. Oh btw, msie.tv is probably Microsoft Internet Explorer .tv, after all IE is how most viruses travel.
Good luck,
Eagle
 

Patrick Green
New Member


Date Joined Jun 2004
Total Posts : 7
 
Posted 6/23/2004 12:30 AM (GMT +2)
Ok, a couple of things then.

What's recovery?

I found the keys in the registry that keep getting updated. There's a dll in my system32 directory that seems to be restoring the redirect every few seconds. It's in active memory but I can't find it with anything but HijackThis, except HijackThis can't remove it - it tells me it's been removed but then when I refresh the folder it's there again. Last night I managed to delete it - and then this morning there was another dll with a slightly different name causing the same problem.

Oh, and BullGuard can't detect it. I just downloaded a fresh version to be sure.

I wish someone had told me about that System Restore thing before - it's not disabled, but even though I've been running XP for 3 months there aren't any automatic restore points - it seems pretty useless to me unless one remembers to make a restore point every now and again.

What else can I try?
 
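The cycle Patrick describes (delete the flagged dll, a differently named one is back after the next boot) is easier to catch by comparing file contents than file names. The following is an added example, not code from this thread or from BullGuard: it snapshots the DLL/EXE files of a directory by SHA-256, diffs two snapshots, and pairs a removed file with an added one whose content is identical. The directory, file names and bytes in the demo are constructed for the demonstration; on a real machine you would snapshot system32 from a clean (safe mode) boot and compare again after the next reboot.

```python
import hashlib
import os
import tempfile


def snapshot(directory, suffixes=('.dll', '.exe')):
    """Map each DLL/EXE file name in `directory` (lower-cased) to its SHA-256 digest."""
    snap = {}
    for name in os.listdir(directory):
        if not name.lower().endswith(suffixes):
            continue
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            with open(full, 'rb') as fh:
                snap[name.lower()] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Return added / removed / changed names, plus (old, new) pairs where a file
    that disappeared came back under another name with byte-identical content."""
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    changed = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    gone = {baseline[n]: n for n in removed}          # digest -> removed name
    renamed = [(gone[current[n]], n) for n in added if current[n] in gone]
    return {'added': added, 'removed': removed, 'changed': changed, 'renamed': renamed}


def demo():
    """Constructed run-through of the delete / reappear cycle in a temp directory."""
    payload = b'constructed placeholder bytes standing in for the dropped component'
    with tempfile.TemporaryDirectory() as d:
        def put(name, data):
            with open(os.path.join(d, name), 'wb') as fh:
                fh.write(data)

        put('kernel32.dll', b'constructed stand-in for a legitimate system DLL')
        put('gpjjhaa.dll', payload)          # the file the scanner flagged on day 1
        put('notes.txt', b'ignored: not a DLL or EXE')
        before = snapshot(d)

        # Simulate what the post describes: the flagged dll is removed, and after
        # the next boot a copy is back under a different name, plus a second new file.
        os.remove(os.path.join(d, 'gpjjhaa.dll'))
        put('cmn.dll', payload)
        put('ikg.dll', b'a different constructed payload')
        after = snapshot(d)
        return diff_snapshots(before, after)


if __name__ == '__main__':
    for kind, names in demo().items():
        print(f'{kind}: {names}')
```

The `renamed` list is the interesting output: a name-based quarantine sees only a new unknown file, while the digest match shows it is the same component the tool already flagged. Anything on that list, and whatever writes it, is what to look for next.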
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/23/2004 3:19 PM (GMT +2)
Patrick,
please turn off the restore, you actually don't need it. As far as the dll file goes, go into regedit, go to the Edit key, highlight the Find button; when the window comes up, type in the file or whatever you're looking for, it will find it, then delete it. Do a disk clean, empty your temp internet files and your cookies, then defrag the darn thing. That should help; if not write back, we'll try something else.
Eagle

P.S. Windows sets the restore point even if you don't, they're in the default settings.
 

Jerry
New Member


Date Joined Jun 2004
Total Posts : 7
 
Posted 6/23/2004 10:52 PM (GMT +2)
Eagle,

How do you get into the regedit part of our XP computer system? I've got the same darn virus. Thanks.

Jerry
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/24/2004 2:30 PM (GMT +2)
Hi Jerry,
simple: go to Start, Run, click on that; when the window pops up type regedit and hit OK. When you get into regedit go to the Edit key, click it, then scroll down to the Find tab, highlight and click. When that window pops up type in the name of the virus and click OK. Then do the other stuff I was telling Patrick. That should help; if not write back and we'll try something different.
Eagle
 

Patrick Green
New Member


Date Joined Jun 2004
Total Posts : 7
 
Posted 6/25/2004 1:21 AM (GMT +2)
I did that the first day.

I assure you, there are no default restore points. If there were, I would have tried one to backstep the damn thing. If I had known about System Restore before I got this problem, I would have used it regularly. It looks like a fantastic tool and I have 100 free gigs I don't need - it can make all the points it wants...

Here's what I've already done, and pretty much the order in which I did it.

I deleted my cookies and temp files. I ran Ad-Aware to no result.

I went into the registry under Local Machine and Current User, and checked the keys related to IE start pages, search pages, etc. All of them pointed to an html file in a temp directory in Docs & Settings. So I deleted that folder and fixed the keys.

About 15 seconds later the folder reappeared and the keys reverted. I researched the problem, and followed someone's suggestion of scanning with HijackThis. So I did that and deleted all the things it brought up. This wiped out every program that loaded at startup (which was cool by me cuz I meant to do that anyway), and also found the dll in my system32 directory that was affecting the registry keys, which it also pointed out (and which I had already identified manually were the correct ones). So after booting in safe mode (it was running active and I couldn't delete it in normal) I deleted the offending dll and the offending temp dir with the offending html file, as well as correcting the offending registry keys (manually, not with HijackThis). On reboot the problem came back... I reran HijackThis and found another dll with a different name causing the same problem. I repeated the whole procedure and a different dll appeared the third time.

I suspect that somewhere is an executable or another dll that runs either constantly or periodically and creates the detectable dll, which is then picked up by HijackThis or BullGuard or whatever and serves as a decoy of sorts. It does the dirty work and it reloaded with a randomly generated name (or one from a list within the main prog) to escape quarantine routines. Or something like that, you get the idea.

Unfortunately, none of the tools I have tried yet have been effective at finding anything except the first dll - which covers me for one and only one reboot, when the next one is created.

BullGuard called it Trojan.StartPage.IS but I have not been able to dig up anything on removal for it at all... variants of Trojan.StartPage are common, and I haven't found any procedure for removal any more comprehensive than what I've already done.

day 1-a c:\winxp\system32\gpjjhaa.dll   infected: Trojan.StartPage.IS
day 1-b c:\winxp\system32\cmn.dll   infected: Trojan.StartPage.IS
day 2-a c:\winxp\system32\ikg.dll   infected: Trojan.StartPage.IS

Now how can BullGuard be able to give it a name but there's no info on it anywhere on the forums, FAQs, archives or any BullGuard page??? If someone has seen this particular variant before - why isn't there any info on it published?

The best I've been able to do today is with a new version of BullGuard I can quarantine the active dll on boot up - which means that my home page is set to about:blank until I update it, and any change is erased on reboot. Also, this semi-fix does not affect my search page or other buttons - all of which have been changed to the offending html file and all of which I can fix only manually with HijackThis or manually - BullGuard apparently doesn't concern itself with unusual registry activity.

So what have I missed? I've tried Norton, McAfee online, BullGuard, HijackThis, CWShredder, in normal and safe mode, and I've come up empty.
 
 
 
 
 
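Patrick checked the IE start and search page values under HKLM and HKCU by hand and found them pointing at an html file in a temp directory. As an added example (not the thread's own procedure and not a BullGuard tool), the script below parses a .reg export of those keys and flags any page value that is not an http(s) URL or about:blank, marking the ones that resolve to a local file in a temp folder. The .reg text is constructed to mirror what the post describes; the user name, paths and file name in it are placeholders.

```python
import re

# Constructed .reg export modelled on the thread: under HKCU the start and
# search pages point at a local html file in a temp directory, under HKLM one
# value does. All paths are placeholders, not values from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="file://C:\\Documents and Settings\\user\\Local Settings\\Temp\\sp.html"
"Search Page"="file://C:\\Documents and Settings\\user\\Local Settings\\Temp\\sp.html"
"Default_Page_URL"="about:blank"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.hotmail.com/"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Default_Search_URL"="C:\\WINDOWS\\Temp\\sp.html"
'''

# Values under ...\Internet Explorer\Main that a start-page hijacker rewrites.
WATCHED = {'start page', 'search page', 'default_page_url',
           'default_search_url', 'local page', 'search bar'}
KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="data" with .reg escaping (backslashes and quotes are backslash-escaped)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value name, string data) for every quoted string value."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def classify(data):
    """None when the value looks normal, otherwise a short reason to review it."""
    d = data.strip().lower()
    if d in ('', 'about:blank') or d.startswith(('http://', 'https://')):
        return None
    if d.startswith('file:') or re.match(r'^[a-z]:\\', d):
        reason = 'points to a local file'
        if re.search(r'\\temp\\', d):
            reason += ' in a temp directory'
        return reason
    return 'not an http(s) URL'


def audit_ie_pages(text):
    """Return the watched IE page values that do not look like normal URLs."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(r'\software\microsoft\internet explorer\main'):
            continue
        if name.lower() in WATCHED:
            reason = classify(data)
            if reason:
                findings.append({'key': key, 'name': name, 'data': data, 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in audit_ie_pages(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['reason']} -> {f['data']}")
```

To get real input, export the two keys with `reg export "HKCU\Software\Microsoft\Internet Explorer\Main" hkcu.reg` (and the HKLM key likewise) and feed the file contents to `audit_ie_pages`. Running it a minute after fixing the values, as Patrick did by hand, is the quickest way to confirm whether something is still rewriting them.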
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/25/2004 2:49 PM (GMT +2)
What OS are you running? If it's XP you should be able to turn off the restore; if not, which OS are you running, the ways are different. With XP try disk clean with restore on, then turn it off, and then clean regedit, and restart, let me know. Other than that take your logs, vshield scan logs, and send them to support@bullguard.com, they could help better than I. And if it's stumping the puppy they would like to know.
Eagle
 

Patrick Green
New Member


Date Joined Jun 2004
Total Posts : 7
 
Posted 6/28/2004 2:20 AM (GMT +2)
Xp, and restore is enabled, but there are no restore points.
 
I give up. I'm gonna reformat.
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/28/2004 7:40 AM (GMT +2)
Patrick, if it's anything like Blaster formatting won't get rid of it. I found that out the hard way! Send your scan logs to support@bullguard.com, they can really help. And if you don't have BullGuard then download the 60 day trial, what have you got to lose?
Eagle
 

backflipdan1
New Member


Date Joined Jun 2007
Total Posts : 3
 
Posted 6/29/2007 8:50 PM (GMT +2)
I NEED HELP: HIJACKTHIS SOMEBODY
Logfile of HijackThis v1.99.1
Scan saved at 19:06:15, on 29/06/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\NETGEAR\WG511SCU\UTILITY\GEAR511.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
C:\MICROSOFT SECURITY ADVISER\MSCTRL.EXE
C:\MICROSOFT SECURITY ADVISER\MSAVSC.EXE
C:\MICROSOFT SECURITY ADVISER\MSSCAN.EXE
C:\MICROSOFT SECURITY ADVISER\MSIEMON.EXE
C:\MICROSOFT SECURITY ADVISER\MSFW.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\EASYBUTTON\EZBUTTON.EXE
C:\WINDOWS\PROFILES\DANIEL DULIEU\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\ORANGE3\ORANGE3.DLL
O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing)
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\ORANGE3\ORANGE3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKLM\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKCU\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe
O4 - Startup: EZbutton.lnk = C:\Program Files\EasyButton\EZButton.exe
O4 - User Startup: EZbutton.lnk = C:\Program Files\EasyButton\EZButton.exe
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O21 - SSODL: WyWPvo - {392111E8-938B-BB42-C534-805066268BC6} - C:\WINDOWS\SYSTEM\TLYD.DLL


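A log like backflipdan1's benefits from a few mechanical checks before anyone reads it line by line. The script below is an added example, not HijackThis's own analysis and not from this thread: it takes a handful of lines copied from the posted log as its sample input and flags entries that reference a missing file, O4 Run entries whose program path has no drive letter or sits outside the Windows and Program Files directories, entries whose value name is just the executable's file name, and the same command registered in more than one Run key. The trusted-directory list assumes a C: install and is an assumption of the example; a flagged entry is a lead to verify, not a verdict.

```python
import re
from collections import Counter

# Sample input: lines copied from the HijackThis v1.99.1 log posted above,
# trimmed to the entries the checks below act on.
SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\ORANGE3\ORANGE3.DLL
O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKLM\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE
O4 - HKCU\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe
O21 - SSODL: WyWPvo - {392111E8-938B-BB42-C534-805066268BC6} - C:\WINDOWS\SYSTEM\TLYD.DLL
'''

# O4 lines look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable-looking token of an unquoted command line (spaces allowed in it).
PATH_RE = re.compile(r'^(?P<p>.+?\.(?:exe|com|dll|scr|bat))(?=\s|$)', re.I)
# Assumption of this example: a standard C: install.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def command_path(cmd):
    """Return the program path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PATH_RE.match(cmd)
    return m.group('p') if m else cmd.split()[0]


def path_reasons(path):
    p = path.lower()
    if p.startswith('\\'):
        return ['drive-relative path (no drive letter)']
    if re.match(r'^[a-z]:\\', p) and not p.startswith(TRUSTED_DIRS):
        return ['runs from outside the Windows and Program Files directories']
    return []   # bare file names resolved via the search path are not judged here


def triage(log_text):
    """Return (findings, paths): findings are {'entry', 'reason'} dicts; paths is
    the sorted list of program paths behind the flagged O4 entries (the list one
    would write down before removal)."""
    findings, paths, persist = [], set(), Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(('O2 ', 'O3 ', 'O20 ', 'O21 ')) and '(file missing)' in line:
            findings.append({'entry': line, 'reason': 'references a file that is no longer on disk'})
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        path = command_path(cmd)
        reasons = path_reasons(path)
        if name.lower() == path.rsplit('\\', 1)[-1].lower():
            reasons.append('value name is just the executable file name')
        for r in reasons:
            findings.append({'entry': line, 'reason': r})
        if reasons:
            paths.add(path)
        persist[(name.lower(), cmd.lower())] += 1
    for (name, cmd), n in persist.items():
        if n > 1:
            findings.append({'entry': f'[{name}] {cmd}',
                             'reason': f'same command registered under {n} Run-type keys'})
    return findings, sorted(paths)


if __name__ == '__main__':
    found, to_check = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['reason']}: {f['entry']}")
    print('files to verify:', to_check)
```

On the sample lines the checks converge on the same two programs from several directions (outside the standard directories, no drive letter, registered under both HKLM and HKCU), which is the pattern jvanbro1's later reply describes removing by hand.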
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/30/2007 12:59 AM (GMT +2)
Find a fellow named touch, PM him, he knows HijackThis better than anyone I know.

Eagle
 

eagle
Senior Member


Date Joined May 2004
Total Posts : 805
 
Posted 6/30/2007 1:02 AM (GMT +2)
Patrick,
to get to restore go to Control Panel, basic info on your computer; a window should pop up, look for the Restore tab, click it, put a check in the box, that will turn off restore.

Eagle
 

jvanbro1
New Member


Date Joined Sep 2007
Total Posts : 1
 
Posted 9/27/2007 12:48 AM (GMT +2)
I know this might be a little late, but I've experienced problems with this "Microsoft Security Advisor" mssadv and its associated files twice now. They reset admin rights on all kinds of stuff, delete icons, files, and launch popups and programs. The way to get rid of it manually is to
1. reboot and launch safe mode with the F8 key
2. write down the files in C:\programs\Microsoft Security Advisor\
3. delete them
4. run a search on your C drive for each of the file names you wrote down and delete those too.

That's about it.
 