Full Version: OT, Help
DNHunt
Every time I visit here I get a browser take over the next time I connect. It adds some pretty disgusting stuff to our favorites list and I'm not sure what else it may be trying to do. Ad-Aware will remove it, but it comes back. Here's what Ad-Aware says about it.

Vendor:Possible Browser Hijack attempt
Category:Malware
Object Type:RegData
Size:-
Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("res://mshp.dll/index.html#37049")
Last Activity:3-27-2004
Risk Level:Medium
Comment:Possible browser hijack attempt
Description:Possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

Anybody else get this? Any suggestions?

Dave
Bleyseng
Try Spy Bot to remove it.
Is your start page on MSN? Move it to this BBS
J P Stein
I too would try spybot.

After you scan with spybot there is an optional boxcheck that doesn't allow anyone to change the browser. To change it, the box needs to be unchecked.
Bruce Allert
I just had the exact same thing happen yesterday & is still going on. I've run SpyBot 5 times so far & keep coming up with more along with pop up ads whilst it's running!!! headbang.gif I'm still fighting it. There's this one Casino that keeps installing itself too. When that starts I have to do an alt ctrl delete to shut it down. Sure would like to find all this shit & get it removed from the system!!! fighting19.gif

..........b
Mark Henry
Yep I had the same thing and it would always come back.

It is attaching itself to another program, then when you blow it off it comes back. I ended up blowing off most of my games and ran spybot a couple of times on start-up.

Once I was sure it was gone I reloaded the games I wanted and the problem was solved.
It was the kliz (sp?) worm.
sanglee007
Spybot / Adaware work well, and you can always run Hijackthis to get a log of what's going on with your system, and post it.


Hijack this download

Hijack this download page in case the direct download doesn't work

Sang
mikester
You can also run the google tool bar as it has a pop-up blocker that works fairly well.
tracks914
I run Netscape browser and Mail programs at home and Microsoft at work. Microsoft gets 10 times more hits and problems than Netscape does. Netscape is still free and keeps Big Bill from owning everything on the web.
I haven't been hijacked yet with my home browser. It only seems to happen when I run Explorer. laugh.gif
Joe Bob
I ended up getting the Spysweeper from Webroot.....I had a nasty attachment that was recurring and AdAware and SpyBot wouldn't kill it....

Spysweeper has a subscription service for updates while the others did not....at least back then.
Qarl
EVERYONE should run this software. It's free and will clear a lot of spyware crap off your PC.

http://www.safer-networking.org/index.php?...p?page=download

Scroll down and download Spybot Search and Destroy 1.2

Also the updates.

Install the software, then the updates.

Close everything down and run the program.

Then immunize your PC against future crap.

You will be surprised how much stuff gets to your computer. Also your computer MAY run faster if it finds a lot of stuff and clears it off.

My neighbor has 3 boys that are always surfing the net (for porn, I'm sure). Anyways, they had so much stuff, that Windows took about 10 minutes to boot.
Malmz
Yep, my key while at clients. Spybot Search and Destroy 1.2 with all the updates gets installed on every machine I touch now. Make sure you immunize and lock the browser (also on the immunize tab, you have to scroll down to see it).

When that doesn't work, hijackthis. Another free tool that just digs deeper. I have even totally cleaned house with hijackthis when necessary and then just installed any start program as necessary. If you delete everything with hijackthis, it will erase your default Explorer page so don't be shocked if you bring up IE and it goes to a blank page. Save a log (option in the program) just in case you need to add anything back.

Bagle-Q kicked my ass on a couple computers last week. Comes in email and you don't have to execute anything to launch it. Got a hold of it now, but it's a nasty little virus that came in under the radar...

sm
Bruce Allert
I did the Spybot install but had to install Ad-Ware due to ads popping up without having any sites open. Also installed Google tool bars for watching & stopping pop ups. I think I'm finally clean beer.gif

...........b
Malmz
Also, Hotbar was made by Satan. happy11.gif If you have it, remove it. I have found more slow systems due to Hotbar than anything else recently.

sm
914gt40
I agree with Mikez, Spysweeper from webroot.com rules!
you can try before you buy and I bought it because out of all I've tried it is the best!
rhodyguy
major attempt at browser change for me too. i get the message with the attempt to change from mynetzero.net/s/search?r=minisearch, to websearch.drsnsrch.com/sidesearch.cgi?uid=1864807806id=5.0. i have to hit "restore old settings" about 6 times before the notice goes away. then, every time i open a new page the notice reappears. i am getting major popups that i NEVER got before, over the last couple of weeks. i run spybot regularly and get the no threats found. confused24.gif

k
balljoint
Mozilla Firefox and Thunderbird. I just switched over to this browser and e-mail software. It's free and because it is different enough from the MS stuff, it is not as susceptible to all the crap out there. Quite frankly, it has made surfing for porn enjoyable again.

Mozilla
rhodyguy
i seem to get the b.c. notice frequently when ever there is an update from mc. i am computer skills lacking. it's all a big "what do i do?" to me.

k
dinomium
Dave, you might have to remove the bug manually from the registry... Every day I have to kleen out the crap that the web puts into the client machines. And yes even Netscape gets hit!
Gain, CoolWebSearch and Bargain Buddy are what we see here at work, but the porn ones are REALLY hard to kill.
PM me if you need a home visit...
rhodyguy
you might as well come by my place too dino. i would have you walk me through on the phone, but if i have to be online, the computer gets in the way of the telephone.

k
TravisNeff
Hacking the registry doesn't always stop the problem. They usually hide in hkey_local_machine\software\microsoft\windows\currentversion\run

You delete the entry, and in a second or two it pops back up again. However if you can find out the name of the file, you can do a google search on it and 99% of the time you will get some comprehensive instructions on removal.
rhodyguy
travis, how is the hk_local_machine... actually performed? do you mean go to google and type in the new registry to find it? example, i clicked on a ebay link in a thread, the change in browser notice came up and i went through the numerous clicking to retain the current one, back here and the notice came back, and went through the drill again.

k
JB 914
download mozilla. problem solved.
TravisNeff
A file is downloaded into your temp directory, it places an .exe file probably in your windows or windows\system directory, it then places a call to start that .exe file in the "run" entry of the registry; thus every time you boot your computer and login - the file is launched. If you delete the entry, a few seconds later that file in your temp directory re-enters that run command. It's a pain, you can't delete the file in windows as it is running and in use most of the time. A trick that has worked for me a couple times is to put a bogus .exe filename in the registry in place of the one you want to delete, reboot then delete the registry entry, the file in the windows dir and also the one in your temp area.

They all operate a little differently - so you may have to dream up a few different ways to get around it.

What I meant by a google search was, take a look in the "run" area of your registry, write down each of the .exe files that are running, rule out the ones you know are supposed to be there (and if you don't this is where google will help). After you wrote down all those file names, hit google and search for each of those files. If you have a popup program running and you did a search on the .exe file, you most likely will get a ton of sites that tell you how to remove that program. make sense?
rhodyguy
i sent the data to you travis. for you other computer guys, here is what is going on with me. "Your I.E. search page has been changed". from http://mynetzero.net/s/search?r=minisearch, to http://websearch.dsnsvch.com/sidesearch.cg...867807806id=5.0

it takes 6 restore old search page clicks to make the notice go away. if i click on the link for the wcc the notice is there all over again. i have a notation in the registry of,

Default Reg SZ value not set. ? i did not intend to add the links. first time i've ever added one and i didn't mean to.

k
Pnambic
Just some little tricks that might help you along the way.

ALT F4 Kills the active window. It's a lot easier than searching for the "X" in the top right of the window especially when many of the pop-ups purposefully make the windows so big that the X is outside the viewable section of window. Closing a window quickly may also prevent it from opening up additional windows itself.

Some registry folders are not writable while Windows is running. So you can tell it to delete an item, and the computer will at first act like it did it, but won't actually delete the reference. A cheap trick here is to rename the folder itself, then delete the item and then rename the folder back.

Hope some of this helps. beerchug.gif
Bruce Allert
I was scourged with the "About:blank" take over mad.gif
I did spybot... no help. it kept coming back. I did adaware... nadda...... I did another one that MSN voted best download for free 30 day trial, it did better than the rest but the "blank" shit thing eventually came back. headbang.gif
The only way I got rid of it was to do a complete restore of my computer screwy.gif

It's O K now......

.........b cool_shades.gif
SirAndy
QUOTE (joe buckle @ Feb 21 2005, 12:32 PM)
download mozilla.  problem solved.

nope, problem *NOT* solved because he would still have the spyware on his computer!

and if it's one of the better spy-apps, it'll read your online banking password just as well from a mozilla displayed web-page than from a IE displayed web-page!


dude, make sure to get rid of *ALL* that spycrap before you even think about installing another browser !!!

smash.gif Andy
SirAndy
QUOTE (Bruce Allert @ Feb 21 2005, 07:03 PM)
I was scourged with the "About:blank" take over mad.gif

huh? confused24.gif
"about:blank" is one of the default settings for your browsers homepage!

i have this as my default setting ...
cool.gif Andy
rhodyguy
are there any concrete indicators in the registry for the shite? for the example i displayed, would i have to be off line to try to delete the attempted i.e. change?

k
Rusty
When I've run into computers that are severely corrupted with Spyware, I find it helpful to disconnect from the internet while I'm doing the cleanup.

Are you on broadband cable/DSL? Do you have a firewall?

-Rusty smoke.gif
rhodyguy
dial up. i won't give comcast another penny other than my basic cable. the way it was explained to me, there are not enough houses on my street to warrant quest making dsl available. firewall?, i don't know. the laptop came to me, legally i want to add, fully loaded at a near free price. i run spybot regularly and know to go offline to run it. most times i get "no immediate threat detected". until yesterday i was not even aware of the registry, let alone how to find it. another member was kind enough to offer some help and i sent some data from the registry to him to look at. some people can walk through a computer and operations. i had never even touched one until 2001.

k
Bruce Allert
QUOTE (SirAndy @ Feb 21 2005, 08:28 PM)
QUOTE (Bruce Allert @ Feb 21 2005, 07:03 PM)
I was scourged with the "About:blank" take over mad.gif

huh? confused24.gif
"about:blank" is one of the default settings for your browsers homepage!

i have this as my default setting ...
cool.gif Andy

Something caused this to become a pop up and take over while I'd surf the net. It wouldn't let me view Ebay! Open Ebay then POOF I'd be at the aboutblank page. Try this site & same thing. I tried everything to get that to stop. Did a Google search about it and it seems I wasn't the only one to have this happen. confused24.gif I dunno confused24.gif

.........b
rhaas
microsoft has a great antispyware. It is free in beta form right now. It notifies you of any changes to the registry. This has fixed stuff on my computer that the others couldn't.
skline
I do this everyday for clients, the ones you delete in the registry that keep coming back are services that are running at that time. To delete them, you need to boot the computer into safe mode. Then delete the registry entries. Then go into the windows explorer and manually go through all executables in your windows and system and system32 folders and delete the ones that don't belong there. It's easy to tell, if you hold the cursor over the file name, it will tell you who wrote it, if it doesn't say anything but the file name and date, it's probably not supposed to be there. Group all files by name, it makes it easier. Also, look at the date of the file as well. Check your startup folder also, remove anything you don't want in there. And DO use Mozilla instead of Internet Exploder.

Also, you need to check all of the keys in the registry, not just local machine. And Microsoft does not suggest that you edit your own registry, they will not support you if you do it without guided help. Their exact words when I was taking their classes were, "If you don't know what you are doing, don't edit the registry, changes are immediate and not reversible."
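
The checks TravisNeff and skline describe above (autorun entries under the Run key in more than one hive, executables that launch from a temp directory), plus the Start Page value from the Ad-Aware report in the first post, as an added example that is not part of any poster's message: it parses text in the layout `reg query` prints and flags those cases. The sample entries are constructed, and the two flagging rules are assumptions chosen for illustration.

```python
import re

# Constructed sample in the layout `reg query <key>` prints. Only the Start Page
# string is taken from the Ad-Aware report in the thread; the rest is made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundDriver    REG_SZ    C:\Program Files\Audio\snddrv.exe /tray
    updchk    REG_SZ    "C:\Documents and Settings\user\Local Settings\Temp\updchk.exe" -s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    helper32    REG_SZ    C:\WINDOWS\Temp\helper32.exe

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    res://mshp.dll/index.html#37049
"""

# A value line is: four spaces, name, four spaces, type, four spaces, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line under a key header."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3)

def exe_path(command):
    """Strip arguments from an autorun command, keeping only the program path."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command, re.I)
    return (m.group(1) or m.group(2)) if m else command

def triage(text):
    """Return (key, value_name, reason) for entries worth a closer look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            # Assumed rule: legitimate software rarely autostarts from a temp dir.
            if "\\temp\\" in exe_path(data).lower():
                findings.append((key, name, "autorun launches from a temp directory"))
        elif k.endswith(r"\internet explorer\main") and name == "Start Page":
            # Assumed rule: a home page should be a web URL or about:blank.
            if not data.lower().startswith(("http://", "https://", "about:")):
                findings.append((key, name, "start page is not a web URL"))
    return findings

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE):
        print(f"{name}: {reason}\n    {key}")
```
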
rhodyguy
that's the problem scott. i don't know what i'm doing and the constant notifications are driving me crazy. did you take one of those intensive ms tech programs? no offense, half of your procedure's tech references gave me a headache. for instance, what is booting the computer into a safe mode?

k
skline
Yes, I took a lot of classes from Microsoft, got certified back in the early 90's. There are books out there on mastering the Windows registry. At least there used to be.

Edited for spelling, sometimes I just go too fast.
rhodyguy
"matering" headbang.gif headbang.gif headbang.gif . tylenol please.

k
reverie
I don't think an amateur should do any file deletions. That strategy should only be used by someone who is very knowledgeable. From an amateur's perspective, we don't know what's important and what's not important. Deleting the wrong files could give you a non-functional computer.

IMO, it's much better to use the free downloadable versions of Spybot and Spysweeper (as per a recent review in PC World Magazine, both of those together will provide excellent coverage), and also purchase a one-year downloadable subscription to McAfee Antivirus (rated better than Norton at finding and removing viruses and trojans).
SirAndy
QUOTE (rhodyguy @ Feb 22 2005, 06:23 AM)
for instance, what is booting the computer into a safe mode?

i highly recommend you not touching the registry by hand ...


start in safe mode, open the task manager (ctrl-alt-delete), take a screenshot,
restart normally and post it here.
we'll be able to tell you which tasks to kill.

then start in safemode again, open the task manager (ctrl-alt-delete), kill all the threads we told you to, then run spybot ...

that should do the trick ...
type.gif Andy
rhodyguy
all well and good. reread what i've been posting roger.

andy, please explain the following:

1. what is "starting in safe mode"?
2. "alt clear delete" is what i have to type to enter the password. is that what you mean?
3. what is, and how does one take a screenshot to post here? how the heck would i post it?

i'll be waiting. if someone wants to call me collect and walk me through this, it would be most excellent also.

k
SGB
-open "help" and type "safe mode" to learn how to start this way. You press F8 or CTRL while the computer starts up. Help will tell you.
-"Ctrl-Alt-Del" also will cause "task manager" to pop up once the computer is running
-After the "Task Manager" is open, press the key that says "print screen" or "prt scrn", something like that, then open a blank word doc and press "edit", then "paste", then save it to the desktop with a name like "tskmgr22feb05".
rhodyguy
the computer will soon be flying out the door, to the concrete floor in the garage. this all started the other night when the other occupant of the house used the computer. now the printer doesn't work, flashes back and forth between the feed and power light on. i ran spybot about 1/2 hour ago and there was all kinds of shit, that was not there last fri.

k
rhodyguy
something more. repeated spyboting this comes up even after restarts and spybot reruns.

IE Pluggin Typelib (all in red)

HKEY_CLASSES_ROOT\Typelib\{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}

i'll run sb again and get the company info provided.

k
rhodyguy
to quote frank barone-"HOLY CRAP!!!". took the laptop in to the tech at my wife's school this afternoon. there was an unbelievable amount of crap on there. lots that spybot wouldn't touch. 2 others specifically that were tough, Vx2.zserve and one called Admilli.serv. the microsoft Beta 1 (?) was loaded and will run at a predetermined time on a daily basis. things move along twice as fast and i'm not getting a bho change notice every time i make a move other than scrolling down the page.

k