Home Page Hijack

Discussion in 'Computers' started by Peter Overduin, Aug 17, 2004.

  1. Peter Overduin

    From time to time, I run into situations where my home page default is hijacked by some sort of program or toolbar add-on. Normally, Spybot or Ad-Aware will take care of them and eliminate them.

    Right now, I am stuck with one that I seem to be totally unable to get rid of and that seems impervious to any spyware killer or the Windows XP delete functions.

    Here is the address bar URL that shows up. Any ideas on how I can get rid of this puppy? Thx

    res://hydkz.dll/index.html#37049
     
  2. ThomasC

    By delete, do you mean uninstall? Go to Control Panel -> Add or Remove Programs and see if anything has been installed recently without your knowledge. I had something like that appear as my home page a while back, and it turned out to be something that had been installed.
     
  3. Peter Overduin

    Dave; thanks. I installed the program, and as long as I keep it in the sys tray, it picks up this hijacker. It is proving to be a potent bugger. Every time I make a keystroke in Windows, Spy Sweeper gives me an alert that my search and home pages have been changed. I don't even have to have IE open!

    Thomas; thanks as well. I tried that, but this little bastard is really embedded somewhere, and doesn't show up there, except in one place as a 'search assistant', and even Windows won't let me delete it. I've looked through my Programs and all that as well. Not sure how to go through my html or dll indexes, so I'll leave that for now.

    In the meantime, I have to leave Spy Sweeper open to keep that sucker at bay. If anyone can suggest how I can dig deeper to weed this sucker out, please let me know. Thanks
     
  4. ChrisMatson

    You should try the new Yahoo toolbar.
    I just installed it a few days ago and it has found things that AdAware and SpyBot leave behind.
    Worth a shot:
    http://companion.yahoo.com/
     
  5. Michael Harris

    I too had a home page hijacker and used all the tools out there to fix my system to no effect. I even tried editing the registry. Ultimately I used XP's restore and rolled back 24 hours before the hijacking occurred.
     
  6. Chris

    There is only one tool I know of that gets it almost every time. And it is NOT that user intuitive..

    It's called About Buster.

    http://www.majorgeeks.com/download4289.html

    It will run, and you need to run it several times. NOTE: It will KILL all apps running when you start it, so that it is the only process running when it goes, so be out of everything when you run it.

    Very effective. I want to go back and emphasize this: This is NOT an overall spyware removal tool ala Adaware SE or Spybot, it's not a popup stopper ala Yahoo, it is just a tool that removes and resets all BHOs connected to IE to return them to the way they should be.

    Lots of spyware will stay after this is finished.. it only searches out for BHOs and manages just them.
     
  7. Peter Overduin

    Interesting; it actually highlights the very hijacker I am having problems with and the process looks a little complicated - I'll try it and let you know. Obviously, I must not be the only one who got this.
     
  8. Al.Anderson

    Peter, go check out http://www.spywareinfo.com/. It's a great site with experts that will help you out. In the meantime download HijackThis. Despite the strange name (seems the s/w might be working against you - it's not). A dump of HijackThis will be required for those guys to help you; but often you can use it yourself to figure out what's wrong and delete spyware. It worked for a few problems I had.

    As for "the best" anti-spyware program, I don't think there is one. The guys at Spywareinfo will recommend Spybot Search & Destroy. If I had to pick just one I'd agree. (As a bonus it's free.) But I use Spybot in conjunction with Spysweeper and Ad-Aware; and each finds things the others miss.
     
  9. Wayne Bundrick

    Peter, let us know how it goes.

    It sounds like you have a parasite attached to the explorer process. It obfuscates itself by having a random name for the DLL, so you can't google its name to learn how to remove it.

    One of my coworkers got into some nasty shit and it took me four hours to get it cleaned out. One of the problems was one of these explorer process parasites, which the anti-spyware programs were able to detect but could not remove. But the anti-spyware programs did tell me the name of the parasite, from which I was able to google a site that had instructions and tools to remove it.
     
  10. Peter Overduin

    Well then; I have done the About Buster thing, and this little bastard seemed to know what was coming and did an "update" of itself. At first I thought it was a Windows update, but this little sucker wouldn't even let me get into Windows until I clicked 'ok.' While I can't verify it, I think what happened was that the hijacker has cleverly come with something that actually alerts it when it is threatened.

    I don't know whether to be seriously pissed, or respectful here. This puppy seems to have it all. Oh well, I love a challenge, and Spy Sweeper, when open, does allow me to keep my home page to MSN. It alerts me every time I open the browser that this little bastard has tried to alter it, so I simply have one extra click to get to my own default.

    This is getting really interesting, and I appreciate all the links and info. Keep 'em coming, and I WILL beat this one! BTW, I do run Spybot and Ad-Aware on a regular basis, and as yet they can't deal with this fella. I've gone to Tucows as well and tried several programs from that site, also to no avail.
     
  11. Chris_Liberti

    I have this puppy too and have not had any luck getting rid of it yet.
     
  12. Chris

    Try copying the winsock out of a known good windows and porting over the registry entries? (Export/import registry?)

    Yeah, at a certain point you either keep pulling your hair out or say f*** it and format and re-install and start using Firefox.
     
  13. ChadLB

    Has anyone tried logging into safe mode and doing an end task on the services? From what I have heard you have to do it quickly and there are I think 3 of them. If you don't do it quickly it just recreates a new service under a different name...
     
  14. Wayne Bundrick

    To solve the problem on my coworker's computer, I had to run a program which detected that specific spyware and told me the names of the offending file and its backup copy, then boot into the recovery console and delete them.
     
  15. John Watson

    All these posts (and hundreds more) always raise the question - is this a serious enough crime to warrant more police work?

    In many cases, it is a business that is behind the hijacking. They get paid pennies (albeit many times) to generate hits.

    The Internet is such a slimy place, that many of us are ready to get off.

    I'd like to see hijackers, virus writers, spam generators, etc., do serious jail time.

    And Bill Gates will have to redesign the PC paradigm to make his "safe computing" program meaningful.
     
  16. Peter Overduin

    If Chad and Wayne are correct - and I don't doubt them - I understand how it was likely able to replicate itself after being detected by About Buster under a different name. It no longer comes up in a Buster check. If it can re-name or replicate itself under several guises at once, I have my work cut out for me...sigh.

    The most convenient option so far has been Spy Sweeper, as I noted above. Well then, I understand threads stay on the HTF for a year or so...it may take me that long to root this little sucker out!

    Thanks again for your help.
     
  17. EricWilliam

    Not sure if you are still having the problem with the home page takeover, but I may have a solution. I also had the problem and found a program on majorgeeks.com; the name of the program is hsremove. It can be found in the spyware tools section. Hope this helps!
     
  18. Jeremy Anderson

    XP Service Pack 2 adds a feature in the TOOLS section called MANAGE ADD-ONS. That lets you go through and remove any add-on extensions to Internet Explorer. Once you've found it there (usually in the guise of some unknown toolbar), you should be okay.

    I got a particularly nasty one once that used the IE toolbar extension to propagate a virus to my machine... so every time I scanned for viruses and spyware and rebooted, they'd come right back as soon as IE loaded. The aforementioned HIJACKTHIS was invaluable for getting rid of this menace, as it let me disable the offending toolbar so that Spybot could eliminate it.
     
  19. Benson R

    I redid my whole computer recently to get rid of a homepage hijack, and it worked but I was probably surfing somewhere I shouldn't, and now I have a new one.

    I tried using Manage Add-ons from SP2, and running the latest versions of Spybot and Ad-Aware as well as a couple of others mentioned here.

    This one definitely puts itself back in, only after I start up. I tried looking in startup in msconfig, but can't find any offenders. Any help? When I get home I'll post the name of the search page in case anyone had it before.
     
  20. Chris_HA

    Guys, GET OFF OF Internet Explorer.

    Yeah, I know the truth hurts, but the HOURS I have spent fixing clients/friends/family removing this crap is ridiculous. Yeah, it's pretty easy to accidentally pick up a malicious BHO these days, even by accident. Get onto a browser that is not affected.

    As for the previous poster, you probably have a program that has installed itself as a service. You are first going to have to identify what the process is. Have you run HijackThis?
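
Added example, not part of any post in this thread: a small triage pass over a HijackThis-style log, flagging Internet Explorer start/search page values that point at a `res://` DLL resource and the BHO entries that are unnamed or load that same DLL. The sample log is constructed (CLSIDs and paths are placeholders); only the `res://` URL is the one quoted in the first post.

```python
import re

# Constructed sample in HijackThis log style. CLSIDs and file paths are made up;
# the res:// URL is the one quoted in the first post of the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hydkz.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://hydkz.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\hydkz.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

REG_LINE = re.compile(r"^(R[0-3]) - (?P<key>[^=]+?) = (?P<value>.*)$")
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# res://<optional path>\<name>.dll/<resource> : a page served out of a local DLL
RES_DLL = re.compile(r"^res://(?:.*[\\/])?(?P<dll>[^\\/]+\.dll)/", re.IGNORECASE)

def triage(log_text):
    """Return (kind, where, what) tuples for entries worth a closer look."""
    findings, res_dlls = [], set()
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: IE start/search page values that point into a DLL resource.
    for ln in lines:
        m = REG_LINE.match(ln)
        if m:
            r = RES_DLL.match(m.group("value").strip())
            if r:
                res_dlls.add(r.group("dll").lower())
                findings.append(("res-url", m.group("key").strip(), r.group("dll")))
    # Pass 2: BHOs with no name, or whose DLL is the one serving the hijacked page.
    for ln in lines:
        m = BHO_LINE.match(ln)
        if m:
            path = m.group("path").strip()
            dll = re.split(r"[\\/]", path)[-1].lower()
            if m.group("name") == "(no name)" or dll in res_dlls:
                findings.append(("bho", m.group("clsid"), path))
    return findings

if __name__ == "__main__":
    for kind, where, what in triage(SAMPLE_LOG):
        print(f"{kind:8} {where} -> {what}")
```

The flagged BHO path is the file to look at from outside the running Explorer session, since an in-use DLL cannot be deleted from inside it.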
     