11-19-2003, 07:10 AM   #1 (permalink)
JayMan
Browser HiJacking!!!

Hey all...

I'm currently looking after a mate's house & pets (and PC) while he's away on holidays.

Today I have noticed that for some reason every time I reboot the PC, the browser's homepage gets reset back to "www.sexpatriot.net" or something like that... And also 2 links are added to the favourites.

I have run both Ad-aware & Spybot, both of which have had no luck fixing the problem. And I am currently running HouseCall antivirus to see what it picks up.

Has anybody got some suggestions which may help me to fix this up before my mate gets back from holidays?

Thanks all

JayMan

11-19-2003, 07:19 AM   #2 (permalink)
TOAD6147
Naughty, naughty boy!

Have you used all the latest Ad-aware updates? If Spybot and Ad-aware don't fix it I don't know what can. Have you gone through Add/Remove Programs and Task Manager to look for suspect programs running in the background? I had a similar problem with my daughter's computer but it was from her looking for game sites and not knowing to resist clicking everything it said to. It took me hours to get it fixed and it seems to me I had to uninstall IE Sp and then update and repair it. It was a PAIN!

Last edited by TOAD6147; 11-19-2003 at 07:26 AM.

11-19-2003, 07:32 AM   #3 (permalink)
JayMan
Yeh, Ad-aware & Spybot were both in their latest versions.

Hmm... Seems I may have fixed it now....

Not sure exactly how tho...

HouseCall found a possible virus, something to do with Java... I know I did install Sun Java2 to allow me to use icq2go. So I uninstalled Sun Java2.

Also I ran a program called CWShredder, which someone else with the same problem (Google search) was suggested to try, & also "HijackThis".

After a reboot, it now seems fine... Fingers crossed...

Everything so far is running clean again (all the above mentioned programs), might see how HouseCall goes now.

JayMan

11-19-2003, 07:41 AM   #4 (permalink)
JayMan
HouseCall still got those files with the virus & wouldn't clean/delete them.

So I just manually deleted them, no worries.

JayMan

11-19-2003, 08:14 AM   #5 (permalink)
Martoch
What OS is it, JayMan? You can use the group policy editor to specify the home page...more stable than going through IE to do so.
I realize this is a little off the virus subject...but it's good-to-know info for future use.

11-19-2003, 11:16 AM   #6 (permalink)
PeterGriffin
Surf'n XXX on your mate's computer, eh?

Haha

11-19-2003, 02:08 PM   #7 (permalink)
JayMan
Martoch, tiz running WinXP (but he hasn't run all the updates, probably why it got done).

lol Peter, nah not surfing for that... <cough>warez<cough>....

JayMan

11-19-2003, 03:47 PM   #8 (permalink)
tchang
ok, it's not that hard, just follow the steps and u will be fine again

1. Start > run > type regedit

2. find
[HKEY_CURRENT_USER\Software\Policies\Microsoft]
delete the Internet Explorer folder

3. find
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="the page u want"

now enjoy ur browser is back to normal

11-19-2003, 04:26 PM   #9 (permalink)
JayMan
Quote:
Originally posted by tchang
ok, it's not that hard, just follow the steps and u will be fine again

1. Start > run > type regedit

2. find
[HKEY_CURRENT_USER\Software\Policies\Microsoft]
delete the Internet Explorer folder

3. find
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="the page u want"

now enjoy ur browser is back to normal

Trust me, this had been done already, multiple times. There was something that kept re-hijacking every boot up. Also the hosts file (file which stores IP addresses for popular webpages to speed up browsing time) had been taken over as well, so some pages were directed to a different IP address, e.g. www.yahoo.com was being directed to some "royalsearch" or something like that. I think it was HijackThis which picked up on those.

JayMan
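
The hosts-file takeover described in post #9 (a well-known name such as www.yahoo.com pointed at someone else's IP address) can be checked mechanically. The Python sketch below is an added example, not code from the thread or from any tool named in it; the function names, the verdict labels and the sample hosts content (including the 203.0.113.10 address) are constructed for illustration.

```python
import ipaddress

# Names that a stock hosts file legitimately maps to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample input, not taken from the thread.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net      # blocking entry
203.0.113.10    www.yahoo.com search.yahoo.com
0.0.0.0         tracker.example.org
"""

def audit_hosts(text):
    """Return (line_number, hostname, address, verdict) for every mapping.

    Verdicts: 'local' (stock loopback name), 'blocked' (name pinned to
    loopback or 0.0.0.0, as hosts-based block lists do), 'redirect' (name
    pinned to any other address; LAN entries also land here and need a
    manual look), 'malformed' (first field is not an IP address).
    """
    findings = []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, " ".join(fields[1:]), fields[0], "malformed"))
            continue
        for name in fields[1:]:                  # one line may map several names
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                verdict = "local" if addr.is_loopback else "redirect"
            elif addr.is_loopback or addr.is_unspecified:
                verdict = "blocked"
            else:
                verdict = "redirect"
            findings.append((lineno, name, str(addr), verdict))
    return findings

def redirects(text):
    """Only the entries worth investigating after a suspected hijack."""
    return [f for f in audit_hosts(text) if f[3] in ("redirect", "malformed")]

if __name__ == "__main__":
    for lineno, name, addr, verdict in redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({verdict})")
```

On Windows XP the file to feed in is the hosts file under the system directory's drivers\etc folder; run the check again after a reboot, since the thread describes the changes being reapplied at every boot.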

11-19-2003, 04:57 PM   #10 (permalink)
U-96
On Spybot the Immunize settings allow you to lock the homepage and hosts file from editing. Try locking it down then following the regedit suggested by tchang.
Chances are there was a nasty little ActiveX script dropped into the browser. Probably sitting in the root or WINNT (for example) folders. Check the dates on files to find new stuff that coincides with your *ahem* browsing.

All times are GMT -6.