Homepage being reset

OverLoad

a little after i got building my computer my homepage on internet explorer was being reset. now ive used adaware and spybot both, but to no evail.
heres the link **BE CAREFUL WHEN CLICKING ON THIS LINK** --Mr. K nasty little bugger
with some help from bikr he showed me how to get rid of it but i really dont know what to look for.

primesuspect

Make sure you update to the latest adaware definitions.

Download HijackThis.

A link can be found in this article along with some other handy instructions.

KingFish

start -> run -> type "msconfig" -> click "startup" tab
find the entry that says aelaunch.exe, uncheck it. click apply and then ok. find out where the file is located and delete it. if it won't let you delete it because it's active in memory, do ctrl-alt-del, click "processes" tab, highlight aelaunch.exe and click the "end process" button at the bottom of the window. click yes to the warning that pops up. hope this helps. also, check out prime's fabulous article on spyware for more ways to keep your 'puter from getting hijacked in the future.

KingFish

primesuspect

Also, that "System Tray" (SysTray.exe) is a trojan. Kill it.

profdlp

LimeShop is an adware stinker, too. Post your HijackThis log here.

You have some work to do!

Kwitko

Klounada is one of the CoolWebSearch vermin. These guys get nastier and nastier, employing more sinister tricks with every new version. Download and run CWShredder to remove that baddie. You might also want to include klounada.com in your hosts files and have it point to 127.0.0.1.

OverLoad

logfile from hijack this:

Logfile of HijackThis v1.97.7
Scan saved at 7:06:52 AM, on 3/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\acoustic.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\javaw.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Folding@Home\FahCore_65.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ben\My Documents\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://klounada.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://klounada.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klounada.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://klounada.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TBTray] acoustic.exe
O4 - HKLM\..\Run: [Launcher] aelaunch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Folding@home 4.00.lnk = ?
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Kwitko

Not sure:
C:\WINDOWS\System32\wuauclt.exe (May or may not be a trojan)

Remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://klounada.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://klounada.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klounada.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://klounada.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm

I'd download a copy of TrojanHunter (they have a 30-day eval) and check to see if that wuauclt.exe is the legit Windows Update file or a trojan horse.

KingFish

Mr. Kwitko wrote:

I'd download a copy of TrojanHunter (they have a 30-day eval) and check to see if that wuauclt.exe is the legit Windows Update file or a trojan horse.

I found his trojan horse. It looks mighty difficult to remove though.

KingFish

Kwitko

KingFish wrote:

I found his trojan horse. It looks mighty difficult to remove though.

KingFish

Oh, a wise guy, eh?