homepage locked to google

cheekyweegit

Hiya

I'm trying to fix my friends son's Fujitsu Siemens Laptop which was running really slow.

It's running windows xp home edition with service pack 2 installed and I've made sure that all updates are up to date. It's running on an intel celeron processor 1.5mhz, 40 gig hard drive with approximately 6.5 gig used and is showing 448mb ram.

It had nortons a/v which I've uninstalled and put on avast a/v, lavasoft adaware and spybot search and destroy along with spy sweeper. It's also using the windows firewall just now as I've not got round to putting on another but it will probably be zone alarm as that's what I use at home with no problems and I've also got administrator priviledges so I can tinker so to speak.

Nortons had picked up nothing with a full scan before being uninstalled, avast picked up 15 viruses / dangers and lavasoft / spybot 180 between them, spy sweeper 63 infections and 121 remenants of infections. It says that you need to buy the product to get them cleaned.

None of the above picked up the W32.Myzor.FK@yf worm which had hijacked internet explorer. I followed instructions from a web page to use spy sweeper combined with Smitfraudfix to get rid of it which it seems to have done but the home page seems to have locked itself to https://www.google.co.uk which is what i was trying to set it to before googling the worm fix. I can get into the internet options no problem to change the settings then click apply, but this just highlights your choice and then when you click on ok to close internet options down, then the home button, it stays at google. I'm beat!

I also ran trend housecall just before typing this up and it came up with another 3 trojans / adware problems which it fixed. How many things can one computer have?

House call and the W32.Myzor.FK@yf worm fix were run with system restore turned off - it's currently switched back on.

I'm typing this in firefox as I don't trust internet explorer is not harbouring something and wondered if any of you guys could offer any suggestions as to what might be wrong and a fix.

Not sure if this will help but here is a HIJACKTHIS LOG for you which might give you further information.

Logfile of HijackThis v1.99.1
Scan saved at 13:53:28, on 16/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\andrew\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange
O2 - BHO: (no name) - !!53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - !!761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FKMyMateCluster] C:\Program Files\FK MyMate Boy\skinkers.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: !!09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: !!3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: !!44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: !!44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Many thanks in advance.

Browntoa

just taking a look now, back in 5 minutes

Browntoa

it looks clean apart from this, which you should tick and fix

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe

I see you are using Spybot, this has an option to stop the home page being changed , is that on ??

Browntoa

it is under advanced mode on spybot

if not using advanced mode then click on "Mode" and change to advanced

some more options will tehn appear on the bottom left, click on the "tools" button

double click on the "IE Tweaks" line on the screen

untick the "Lock IE Start page" option

cheekyweegit

Browntoa wrote:

it looks clean apart from this, which you should tick and fix

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe

I see you are using Spybot, this has an option to stop the home page being changed , is that on ??

Thank so much for getting back to me so quickly, just rised the Virtools thingy and had noticed on google about spybot locking the home page, but i cant find out where to check this. Any idea's? I've had a browse round it looking for where it might be locked but no options regards this seem to show anywhere.

Thanks again in advance for your help.

Ok found the page i need in spybot under the advanced settings and nothing is checked in there re the home page.

Going to uninstall and reinstall it.

for anyone else reading its Mode>advanced then Tools>i.e. tweaks

cheekyweegit

Thanks again,

Looks like our last postings crossed.

Just uninstalled spy bot and rebooted and its still the same.

Any other ideas?

Did anyone every tell you what a gem you are and i really appreciate this.

Browntoa

I've not used Spysweeper, has it got the same home page protection ??

Browntoa

yes it does !!!

The immunization functionality can be customized. You can activate or deactivate shields which will guard against home page hijackings, tracking cookies, and in-memory spyware. In particular, this last option could come in handy on slower computers, which need all the performance you can squeeze out of them.

don't ask me where it is though !!! under "Shields " ????

cheekyweegit

Hi again.

Can't thank or praise you enough for your help. I cheated as nowt seemed to work in the options in Spy Sweeper so I uninstalled and rebooted it and guess what ? Yip home page is working again normally again on loading internet explorer although its slow when you press the home button and you can change it to what you want and it doesn't default to the locked page. :T :T :T

Your knowledge and help has been much appreciated as well as educational to me.

I'm am now offering you a public big hug and sloppy kiss to say thanks again. Failing that a cuppa tea and chocolate biscuit?

Browntoa

no problem, I'm guilty of installing things and not really reading the instructions and what it does....lol