It's Cyber Monday - fantastic 70% discount

Buy Now

Limited time offer:

03

Days

/

00

Hrs

/

04

Min

/

04

Sec

Homepage redirect virus!

Posted 6/21/2004 3:13 AM
#1178
User avatar

Patrick Green Member

Date Joined Nov 2016
Total Posts: 7
I have a similar problem, but its not MSN. <br/> <br/> <br/> <br/>It happened once before, and after 3 weeks of frustration I reformatted to get rid of the bastard. Now it's back, but the redirect is for a different site. <br/> <br/> <br/> <br/>It shows as about:blank, but its not pulling up any microsoft related. Its some search engine on msie.tv <br/> <br/> <br/> <br/>I've tried 6 kinds of spyware removal, 3 antiviruses, nothing can find it. <br/> <br/> <br/> <br/>At the same time, theres another bug I found which may be related... on restart my Recent Documents are changing back to reflect a list from a couple months ago... I suspect theres a little prog somewhere that keeps overwriting my registry from the day it installed itself, and thus putting itself back in active. I tried reinstalling my registry from my earliest backup after I reinstalled XP to get the last bastard out... but it didn't work... so either I'm wrong or I caught the bastard before I backed up my registry for the first time... which was like a few days after my reformat....ARG! <br/> <br/> <br/> <br/>So... any suggestions? Where in the registry is the home page set? Help!
Posted 6/21/2004 10:18 AM
#1184
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
:smhair: Chill patrick, <br/> you don't need to reformat to get rid of this, first turn off recovery program that's why it keeps rewriting, viruses tend to write themeselves into the recovery. second go into regedit go to the edit key highlight the find key click it type in the trojan and see if it pops up, if it does delete it. then do a disk clean to remove all restore points, then restart. do another scan with bullguard, if it's still there send scan logs to [url=support@bullguard.com]support@bullguard.com[/url] and make sure you get all the latest updates from microsoft. Oh btw- msie.tv is probably micrsoft internet explorer .tv <br/> <br/> after all ie is how most viruses travel. <br/> <br/> Good luck, <br/> <br/> Eagle :smilewinkgrin:
Posted 6/22/2004 10:30 PM
#1212
User avatar

Patrick Green Member

Date Joined Nov 2016
Total Posts: 7
Ok couple things then. <br/> <br/> <br/>Whats recovery? <br/> <br/> <br/> <br/>I found the keys in the registry that keep getting updated. Theres a dll in my system32 directory that seems to be restoring the redirect every few seconds. Its in active memory but I cant find it with anything but hijackthis, except hijackthis cant remove it - it tells me its been removed but then when i refresh the folder its there again. Last night I managed to delete it - and then this morning there was another dll with a slightly different name causing the same problem. <br/> <br/> <br/> <br/>Oh and bullgaurd cant detect it. I just downloaded a fresh version to be sure. <br/> <br/> <br/> <br/>I wish someone had told me about that system restore thing before - its not disabled, but even though i've been running xp for 3 months there aren't any automatic restore points - it seems pretty useless to me unless one remembers to make a restore point every now and again. <br/> <br/> <br/> <br/>What else can I try?
Posted 6/23/2004 1:19 PM
#1227
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Patrick, <br/> <br/>please turn off the restore you actually don't need it. as far as the dll file goes, go into regedit, go to edit key, highlight the find button when the window comes up, type in the file or whatever your looking for it will find it then, delete it. do a disk, clean empty your temp internet files and your cookies, then defrag the darn thing. that should help if not write back we'll try something else. <br/> <br/> Eagle :smilewinkgrin: <br/> <br/><br /><br /> <br/>P.S. windows sets the restore point even if you don't, there in the default settings.
Posted 6/23/2004 8:52 PM
#1231
User avatar

Jerry Member

Date Joined Nov 2016
Total Posts: 7
Eagle, <br/> <br/> <br/>How do you get into the regedit part of our xp computer system. Ive got the same darn virus. thanks. <br/> <br/> <br/> <br/>Jerry
Posted 6/24/2004 12:30 PM
#1242
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Hi jerry, <br/> <br/> simple go to start, run, click on that, when the window pops up type regedit and hit ok. when you get into regedit go to the edit key,click it then scroll down to the find tab,highlight and click. when that window pops up type in the name of the virus and click ok. the do the other stuff I was telling Patrick. that should help if not write back and we'll try something different. <br/> <br/> Eagle :smilewinkgrin:
Posted 6/24/2004 11:21 PM
#1259
User avatar

Patrick Green Member

Date Joined Nov 2016
Total Posts: 7
I did that the first day. <br/> <br/> <br/>I assure you, there are no default restore points. If there were, I would have tried one to backstep the damn thing. If I had known about system restore before I got this problem, I would have used it regularly. It looks like a fantastic tool and I have 100 free gigs I don't need - it can make all the points it wants... <br/> <br/> <br/> <br/>Here's what I've already done, and pretty much the order in which I did it. <br/> <br/> <br/> <br/>I deleted my cookies and temp files. I ran ad-aware to no result. <br/> <br/> <br/> <br/>I went into the registry under local machine and current user, and checked the keys related to IE start pages, search pages, etc. All of them pointed to a html file in a temp directory in docs&settings. So I deleted that folder and fixed the keys. <br/> <br/> <br/> <br/>About 15 seconds later the folder reappered and the keys reverted. I researched the problem, and followed someones suggestkon of scanning with hijackthis. So I did that and deleted all the things it brought up. This wiped out every program that loaded at startup (which was cool by me cuz I meant to do that anyway), and also found the dll in my system32 directory that was affecting the registry keys, which it also pointed out (and which I had already identified manually were the correct ones). So after booting in safe mode (it was running active and I couldnt delete it in normal) I deleted the offending dll and the offending temp dir with the offending html file as well as correct the offending registry keys (manually not with hijackthis). On reboot the problem came back... I reran hijackthis and found another dll with a different name causing the same problem. I repeated the whole procedure and a different dll appeared the third time. <br/> <br/> <br/> <br/>I suspect that somewhere is an executable or another dll that runs either constantly or periodically and creates the detecable dll, which is then picked up by hijackthis or bulguard or whatever and serves as a decoy of sorts. It does te dirty work and it reloaded with a randomly generated name (or one from a list within the main prog) to escape quarantine routines. Or something like that, you get the idea. <br/> <br/> <br/> <br/>Unfortunately, none of the tools I have tried yet have been effective at finding anything except the first dll - which covers me for one and only one reboot when the next one is created. <br/> <br/> <br/> <br/>bullgaurd called it trojan.startpage.IS but I have not been able to dig up anything on removal for it at all... variants of trojan.startpage are common, and I haven't found any procedure for removal any more comprehensive than what i've already done. <br/> <br/> <br/> <br/>day 1-a c:\winxp\system32\gpjjhaa.dll infected: Trojan.StartPage.IS <br/> <br/> <br/>day 1-b c:\winxp\system32\cmn.dll infected: Trojan.StartPage.IS <br/>day 2-a c:\winxp\system32\ikg.dll infected: Trojan.StartPage.IS <br/> <br/> <br/> <br/> <br/>Now how can bullguard be able to give it a name but theres no info on it anywhere on the forums faqs archives or any bullguard page??? If someone has seen this particular variant before - why isn't there any info on it published? <br/> <br/> <br/> <br/>The best i've been able to do today is with a new version of bullguard I can quarantine the active dll on boot up - which means that my home page is set to about:blank until I update it, and any change is erased on reboot. Also, this semi-fix does not affect my search page or other buttons - all of which have been changed to the offending html file and all of which I can fix only manually with hijackthis or manually - bullguard aparently doesnt concern itself with unusual registry activity. <br/> <br/> <br/> <br/>So what have I missed? I've tried norton, mcaffee online, bullguard, hijackthis, cwshredder, in normal and safe mode, and i've come up empty.
Posted 6/25/2004 12:49 PM
#1273
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
what Os are you running, if it's XP you should be able to turn off the restore, if not which OS are you running the ways are different.With XP try disk clean with restore on then turn it off. and then clean regedit. and restart let me know, other than that take your logs vshield scan logs and send them to [url=support@bullguard.com]support@bullguard.com[/url] they could help better than I. And if it's stumpin the puppy they would like to know. <br/> <br/> Eagle :smilewinkgrin:
Posted 6/28/2004 12:20 AM
#1339
User avatar

Patrick Green Member

Date Joined Nov 2016
Total Posts: 7
Xp, and restore is enabled, but there are no restore points. <br/> <br/> <br/>I give up. I'm gonna reformat.
Posted 6/28/2004 5:40 AM
#1340
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Patrick if it's anything like blaster formatting won't get rid of it. I found that out the hard way! send your scan logs to [url=support@bullguard.com]support@bullguard.com[/url] they can really help, And if you don't have bullguard then download the 60 day trial, what you got to lose? :confused: <br/> <br/> Eagle :smilewinkgrin:
Posted 6/29/2007 6:50 PM
#49797
User avatar

backflipdan1 Member

Date Joined Nov 2016
Total Posts: 3
I NEED HELP: HI JACK THIS SOMEBODY <br/> <br/>Logfile of HijackThis v1.99.1 <br/>Scan saved at 19:06:15, on 29/06/2007 <br/>Platform: Windows ME (Win9x 4.90.3000) <br/>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) <br/> <br/>Running processes: <br/>C:\WINDOWS\SYSTEM\KERNEL32.DLL <br/>C:\WINDOWS\SYSTEM\MSGSRV32.EXE <br/>C:\WINDOWS\SYSTEM\mmtask.tsk <br/>C:\WINDOWS\SYSTEM\MPREXE.EXE <br/>C:\WINDOWS\SYSTEM\MSTASK.EXE <br/>C:\WINDOWS\SYSTEM\SSDPSRV.EXE <br/>C:\WINDOWS\EXPLORER.EXE <br/>C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE <br/>C:\WINDOWS\TASKMON.EXE <br/>C:\WINDOWS\SYSTEM\SYSTRAY.EXE <br/>C:\WINDOWS\SYSTEM\WMIEXE.EXE <br/>C:\WINDOWS\SYSTEM\IRMON.EXE <br/>C:\WINDOWS\SYSTEM\ATI2EVXX.EXE <br/>C:\WINDOWS\SYSTEM\ATIPTAXX.EXE <br/>C:\WINDOWS\SYSTEM\ATI2CWXX.EXE <br/>C:\PROGRAM FILES\NETGEAR\WG511SCU\UTILITY\GEAR511.EXE <br/>C:\WINDOWS\SYSTEM\QTTASK.EXE <br/>C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE <br/>C:\MICROSOFT SECURITY ADVISER\MSCTRL.EXE <br/>C:\MICROSOFT SECURITY ADVISER\MSAVSC.EXE <br/>C:\MICROSOFT SECURITY ADVISER\MSSCAN.EXE <br/>C:\MICROSOFT SECURITY ADVISER\MSIEMON.EXE <br/>C:\MICROSOFT SECURITY ADVISER\MSFW.EXE <br/>C:\WINDOWS\RunDLL.exe <br/>C:\PROGRAM FILES\EASYBUTTON\EZBUTTON.EXE <br/>C:\WINDOWS\PROFILES\DANIEL DULIEU\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE <br/> <br/>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ <br/>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK <br/>O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\ORANGE3\ORANGE3.DLL <br/>O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing) <br/>O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\ORANGE3\ORANGE3.DLL <br/>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX <br/>O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun <br/>O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe <br/>O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s <br/>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe <br/>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme <br/>O4 - HKLM\..\Run: [IrMon] irmon.exe <br/>O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe <br/>O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe <br/>O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe <br/>O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe <br/>O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe <br/>O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide <br/>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime <br/>O4 - HKLM\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE <br/>O4 - HKLM\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe <br/>O4 - HKLM\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe <br/>O4 - HKLM\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe <br/>O4 - HKLM\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe <br/>O4 - HKLM\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe <br/>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme <br/>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe <br/>O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe <br/>O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe <br/>O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY <br/>O4 - HKCU\..\Run: [Microsoft security adviser] C:\MICROSOFT SECURITY ADVISER\MSSADV.EXE <br/>O4 - HKCU\..\Run: [msctrl.exe] \Microsoft Security Adviser\msctrl.exe <br/>O4 - HKCU\..\Run: [msavsc.exe] \Microsoft Security Adviser\msavsc.exe <br/>O4 - HKCU\..\Run: [msscan.exe] \Microsoft Security Adviser\msscan.exe <br/>O4 - HKCU\..\Run: [msiemon.exe] \Microsoft Security Adviser\msiemon.exe <br/>O4 - HKCU\..\Run: [msfw.exe] \Microsoft Security Adviser\msfw.exe <br/>O4 - Startup: EZbutton.lnk = C:\Program Files\EasyButton\EZButton.exe <br/>O4 - User Startup: EZbutton.lnk = C:\Program Files\EasyButton\EZButton.exe <br/>O8 - Extra context menu item: orange search - <a target="_blank" href="file://C:\Program">file://C:\Program</A> Files\ORANGE3\Cache\SelectedContextSearch.htm <br/>O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm <br/>O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm <br/>O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk <br/>O21 - SSODL: WyWPvo - {392111E8-938B-BB42-C534-805066268BC6} - C:\WINDOWS\SYSTEM\TLYD.DLL <br/> <br/><br /><br />
Posted 6/29/2007 10:59 PM
#49804
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Find a fellow named touch PM him he knows hi jack this better than anyone I know. <br/> <br/> <br/> eagle :smilewinkgrin:
Posted 6/29/2007 11:02 PM
#49806
User avatar

eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Patrick, <br/> <br/> to get to restore go to control panel, basic info on your computer, a window should pop up look for the restore tab click it, either put check in the box, that will turn off restore. <br/> <br/><br /><br /> <br/> Eagle :smilewinkgrin:
Posted 9/26/2007 10:48 PM
#54266
User avatar

jvanbro1 Member

Date Joined Nov 2016
Total Posts: 1
I know this might be a little late. But I've experienced problems with this "Microsoft Security Advisor" mssadv and it's associated files twice now. They reset admin rights on all kinds of stuff, delete icons, files, and launch popups and programs. The way to get rid of it manually is to <br/>1. reboot and launch safe mode with the F8 key <br/>2. write down the files in C:\programs\Microsoft Security Advisor\ <br/>3. Delete them <br/>4. Run a search on your c drive for each of the file names you write down and delete those too. <br/> <br/>That's about it.
  • Unread posts or replies
  • No unread posts or replies
  • Unread Posts (Read Only Forum)
  • No Unread Posts (Read Only Forum)

Forum Information

Currently it is Monday, December 5, 2016, 9:38 AM (GMT +1)
There are a total of 61,160 posts in 13,449 threads.
In the last 3 days there were 2 new threads and 3 reply posts.

Who's online

This forum has 37,968 registered members. Please welcome our newest member, Old shape.
There are currently no users on-line.