changing my homepage


smif123
March 26th, 2004, 04:10 AM
here's my problem.
every time i turn on my computer for the first time that day, my homepage is changed to "hotsearch.com"
ive ran ad aware and norton, but despite their best efforts, my problem remains.
i do know how to change my homepage back to the one i want (google.ca), but as i said, every day, it gets changed.
any ideas on how i can manually fix it and/or programs to do so for me?
tnx

D0pp139an93r
March 26th, 2004, 04:19 AM
Try SpybotSD, available at download.com


That should take care of it. There will most likely be more links coming.

Agent_Steal
March 26th, 2004, 04:19 AM
Download : HijackThis (http://tomcoyote.com/hjt/) and then post the log file here.

smif123
March 26th, 2004, 04:27 AM
i ran hijackThis (thank you Agent_Steal) but there's no need to post the results, i can take it from here. thank you all for your time and help
smif123

nihil
March 26th, 2004, 01:09 PM
Good luck!

Check out CWShredder................I think that it was a cool web search clone?

Also look at spybot search & destroy

And the cloaking tools for your anti scumware?

;)

PuReExcTacy
March 26th, 2004, 02:22 PM
SpyWare Sucks.


--PuRe

MrLinus
March 26th, 2004, 02:34 PM
SpyWare Sucks.

[rant on]

Uh huh. And your point? This helps how? I'm sorry but I fail to see the point of the post. If you had suggested that perhaps he look at using a browser other than IE (most commonly "hijacked" browser) or using a host file (http://www.mvps.org/winhelp2002/hosts.htm) that blocks many of the ads that bring this on, then you'd be adding to the discussion. If you want to discuss the merits or flaws of spyware, fine. Start a thread. But putting in a post that says "spyware sucks" is no different than the newbie who goes around putting in "thanks!" posts all over.

But that's just my opinion.

[/rant off]

*We now return you back to your regular postings*

scriptkiddie18
March 26th, 2004, 05:00 PM
hahaha good comment Mittens...god i was like wtf is he talking about, i think we all know that spyware sucks oh plus his post did suck, he didnt mention adware

CWShredder................
God nihil you reminded me on that crap again when i had it and i never heard of it before until you helped me ;)

Also look at spybot search & destroy
I did a scan on mine yesterday and i was like wow, i had like 260 spyware/adware files and registries, but one good thing, 0 on antivirus scan :D

anyways...yea i dont want Mittens to go after me cause my post is useless too so I'll say it myself

...wtf did you post for..? Freaking Post whore :mad:

PuReExcTacy
March 27th, 2004, 08:31 AM
You know what, it's comments like the last two that make people leave this site. We all know spyware sucks, so what if I post it, and so what if it doesn't help anyone. I should be able to say what I like. And for your information, if you looked at my last 10 posts in profile, you'd see a pattern of me helping people out, and giving useful information.

You people need to grow up, and direct your attention/anger/frustrations on things that you can change.....not on non-sense.


--PuRe

MrLinus
March 27th, 2004, 12:01 PM
I should be able to say what I like.

As should we then. If we disagree, then it is within our choices to do so. I'm sorry, PuReExcTacy, but I did think it was a useless add-on. I did not say you did it all the time but I said what it felt and looked like. You may not agree and that's fine but I still felt it was worthwhile to comment because I did feel it was an unnecessary post.

Now, all of that said perhaps you should be directing your own anger towards Spyware here: FTC holding Spyware Workshop (http://www.antionline.com/showthread.php?s=&threadid=256099).

scriptkiddie18
March 27th, 2004, 03:31 PM
Ok...Extacy might be right and so might be Mittens but if i dont say this right now then its gonna be all a big deal about this little post, people post like crazy in non-sensical and they could very well be called post whores so lets not make a big deal about this little shitty post, right?

smif123
March 27th, 2004, 08:12 PM
well, as nice as it is to see this thread turned into a theological debate on people's rights to point out the obvious, my original problem remains. today when i went into internet explorer, once again, i was sent to hot-searches.com. but this time, the page didnt load, i got the old, 'The page cannot be displayed' error message.
ill run hijackThis again and post the log file here.


Logfile of HijackThis v1.97.7
Scan saved at 11:16:47 AM, on 3/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DaRkWiNg\My Documents\prgms\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=2848728
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=2848728
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=2848728
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thankyou again for any help you can give

SwordFish_13
March 27th, 2004, 08:27 PM
hi

Use CWShredder (http://www.spywareinfo.com/~merijn/cwschronicles.html) it will take care of the Cool Web Search Trojan hot-searches.com.

AD-Aware and Norton are not able to detect CWS Trojans well most of the time at least they never did that for me

Now can we continue with the thread hijacking thing :D j/k

[edit]

Nihil has already Advised it; have you tried it should have worked
:confused:

MrLinus
March 27th, 2004, 08:52 PM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=2848728
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=2848728
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=2848728

Perhaps deleting these three would be good?

PuReExcTacy
March 27th, 2004, 09:42 PM
I'm sorry we took your thread off topic earlier. Did SwordFish_13's advice fix your problem?

If not, try this:

If you have had your Internet Explorer's clicks hijacked by an invisible toolbar that installs itself and keeps changing your homepage to hot-searches.com and steals your clicks to lender-search.com, then do the following to remove it. Follow these steps only if you feel comfortable working with regedit. Warning: Don't edit your registry if you haven't done this before (I'd hate to be responsible for you having to reinstall your OS.)

First copy these instructions and close out IE if that's what you're using. Delete xplugin.dll it's in the \system32\ folder. Also delete the files tmksrvu.exe and tksrv98.exe (IE being closed, if you can't delete xplugin.dll, cut and paste somewhere else and then delete)

Open registry, do find and delete all "hot-searches.com" and "lender-search.com" keys (that I found were in folders located UNDER Explorer Bars or a similar name for toolbars), delete the folders there.

Also using "hot-searches.com" and "lender-search.com", find, open and rename strings under Internet Explorer (rename these to your favorite homepage, search page, etc).

Do the same with finding and deleting all "81.211.105.69" and "81.211.105.68" (last one not found for me) keys.

You should be rid of it now. Hope this helps you out.


--PuRe

Tedob1
March 27th, 2004, 09:46 PM
cwshredder will not work against the latest browser hi-jacks and although removing the reg entries is necessary it will not prevent them from being re-written on the next re-boot.

i ran across this friday at a remote location. after running adaware which removed 50 items most of which were not cookies i found the browser to be hi-jacked. ran cwshredder and hi-jackthis and removed all offending entries but they kept coming back. i promptly ran pslist on the next reboot and found a process ???2 (can't remember the letters) running. i did a search for it and found an exe with that name in winnt\temp after killing the process i deleted it. there were a few other exes with most of the names beginning with "~*.exe" they were not temp files. there was also an index.html file which when opened in ascii mode (C:\>type index.htm |more /*just love cli */) contained the offending address that were popping up with the js description of the pop-up windows, etc. i deleted them and the corresponding directories. when i opened ie i got an error and the browser had to be closed but when it re-opened the pop-ups seem to be gone. i re-booted and tried again and this seemed to work. guess i'll see monday. whether it did or didn't fix it i'll be installing trojanremover from moosoft just for the excellent reg protection it provides and if something does try to write to the registry i'll be able to see what it is and not have to run regedit to remove it.

sumdumguy
March 27th, 2004, 10:07 PM
let me add my little bit here.. you really shouldn't need to search through the registry and delete the keys as PuRe suggested.. hijackthis will find/remove them.. but I suppose it wouldn't hurt to check and see. a few things that others haven't mentioned is that you need to have windows explorer set to allow viewing of hidden files.. hijackthis sometimes won't see them if it isn't set that way.. under windows explorer, go to tools, folder options, view tab and make sure that "show hidden files" is check marked. the other thing is that this location is NOT the normal location of a hosts file.
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

look at these posts/threads (http://www.google.com/search?num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&c2coff=1&q=C%3A%5CWINDOWS%5Cnsdb%5Chosts&btnG=Google+Search)

I would look at what else is in that nsdb folder

meeeeeee
March 28th, 2004, 01:19 AM
Delete the following with HJT (make sure all browser windows are closed when you do the fix) as well as the ones recommended by Ms. Mittens:

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

Also, looking at your 04's it appears perhaps you have edited some out?? Or you are running in selective startup mode?? Either way you may be masking some problems - just make sure you know that what is omitted is ok.

With your hosts file - look at the link that sumdumguy gave you - from a quick look through it appears that Spybot S&D will eliminate that from the log. Always a good idea to run Spybot when having problems of this nature anyway - just be sure to update it.

And just to set the record straight on CWShredder: It works just fine when it is a CWS hijacking. This is not. For CWS hijackings it's a wonderful tool - eliminates the need to peruse the registry manually.
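
Added example, not part of any poster's reply: a small triage script for the three things replies in this thread picked out of the HijackThis log, namely the R0/R1 start and search URLs, the O1 hosts file location, and the O16 entry with no name. The `triage` function, the `EXPECTED_DOMAINS` allowlist and the "unnamed DPF" heuristic are assumptions of this example; the sample lines are excerpted from the log posted above.

```python
import re
from urllib.parse import urlparse

# Default hosts file location on Windows XP; any other path in an O1 line is a redirect.
DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"
# Assumption: the only domains this user expects in IE's start/search settings.
EXPECTED_DOMAINS = {"google.ca", "www.google.ca"}

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=2848728
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=2848728
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1]
            host = (urlparse(url).hostname or "").lower()
            if host and host not in EXPECTED_DOMAINS:
                findings.append((code, "unexpected IE start/search URL", host))
        elif code == "O1" and body.startswith("Hosts file is located at:"):
            path = body.split(":", 1)[1].strip()
            if path.lower() != DEFAULT_HOSTS:
                findings.append((code, "hosts file redirected", path))
        elif code == "O16":
            # Heuristic for this example: a DPF entry with no "(name)" after the CLSID.
            if not re.search(r"\}\s+\(.+?\)\s+-", body):
                findings.append((code, "unnamed ActiveX download", body.split(" - ")[-1]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A flagged entry is a prompt to look, not a verdict; as Tedob1 notes above, removing the registry values does not stop whatever process rewrites them at boot.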

smif123
March 30th, 2004, 01:09 AM
its been two days since i did what you guys suggested, and my problem has not returned.
thank you all very much for your time and help
-smif123

Tedob1
March 30th, 2004, 01:38 AM
hey meeeeeee just to set the records straight it is the best tool ive seen so far but is still not effective against the latest variants

http://www.spywareinfo.com/~merijn/index.html

March 24, 2004:

[Update] If your browser has been hijacked to drxcount.biz, real-yellow-page.com, list2004.com or linklist.cc:

We are working on a fix for this one and drawing near to an automated solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it.

meeeeeee
March 30th, 2004, 02:18 AM
Tedob1.... sorry about that. I took your comment as meaning that CWShredder is an outdated tool - which it certainly is not. So my apologies, and yes, you are quite right, there are several new strains that aren't included in CWShredder yet.