IE homepage hijack upon reboot problem

I’ve tried AdAware and two online virus scans (kinda scary how much AdAware found), but the problem persists. Any thoughts on how to prevent this from happening?

Spybot Search & Destroy has a specific setting that prevents this from happening. I’d try running that.

Much obliged!

Hmm, found some stuff that AdAware missed, but the hijack still occurs.

Plus I no longer seem to be able to post on QT3 through IE.

Are you running in easy mode, or advanced? Try running advanced, going to the Tools menu (in the left bar) and selecting “Browser Pages.” That should give you a list of all URLs that are registered as start or search pages for IE, and let you change them. If that doesn’t work, then you may have a virus of some sort.

I ran into this with one of my users recently. She installed some common thing (“Bargain Buddy”) that opened the door for a whole bunch of other crap. I used Spybot and AdAware, and cleaned out about 500 files. Still happening. So I went through her registry and file system looking for unusual files, deleted a few more NOT found by Spybot and AdAware - and she was STILL getting damn popups.

I ended up creating a new profile, transferring all the critical files over to the new profile, and deleting the old one. That seemed to work, though I’m really pissed I didn’t find the actual problem.

I haven’t installed anything, but this is IE we’re talking about… stuff installs itself on it all the time. I went to a bunch of sites I’d normally avoid (like the whole .box.sk domain) in order to find the Call of Duty hack (wow, that sounds bad, but it’s just for a beginner’s guide.)

I’d really rather not transfer profiles. I’ll report the thing to AdAware and maybe they can sort it out; I’m not that annoyed by the matter. However, it does worry me that some program now has a backdoor into my system… sort of like if I was using Outlook, I guess.

I seem to have been fucked by Bargain Buddy too. My kids must have agreed to it and my PC is infected with something that changes my homepage, puts porn links on my desktop, and seems to be impossible to remove. Norton found the virus, but the instructions to remove it don’t work because I need to disable system restore and I can’t – I think the virus is blocking that option.

I’m probably just going to reformat the hard drive tonight. What a pain in the ass.

Mark,

A quick Google yielded these instructions (http://www.kephyr.com/spywarescanner/library/bargainbuddy/index.phtml) for removing Bargain Buddy. Don’t know if they work, but might be worth trying.

Try doing RegEdit searches for the homepages you’ve been hijacked to. If you can find the Registry Keys that do the actual hijack, you can a) delete them and b) find out more keywords to search on. By b) I mean things like the company “providing” the “software”, or the like.

Also look at the RunOnce or WinLogon keys. Sometimes malware will put stuff there to get it to run on every login just to prevent people from uninstalling it.

I’ve run into similar things at work, and eventually got rid of them completely.
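An added example, not part of any post in this thread: the registry search described above, run over the text of a `.reg` export instead of by hand in RegEdit. It flags string values containing the hijack URL anywhere, the IE start/search page values, and Run, RunOnce and Winlogon autostart entries for manual review (a normal `Shell` value is listed too). The sample export, the host name and the function names are constructed for illustration.

```python
import re
# Standard Windows locations the post names, matched as lowercase key suffixes.
IE_MAIN = r"\microsoft\internet explorer\main"
PAGE_VALUES = {"start page", "search page", "default_page_url", "default_search_url"}
RUN = r"\microsoft\windows\currentversion\run"
RUN_KEYS = (RUN, RUN + "once")
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
STRING_VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
ESCAPE = re.compile(r"\\(.)")  # .reg files write \ as \\ and " as \"

# Constructed sample export: the host, vendor and file names are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack.example.invalid/home"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updchk"="C:\\WINDOWS\\updchk.exe /s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"DefaultUserName"="user"
[HKEY_CURRENT_USER\Software\ExampleVendor\Toolbar]
"Home"="http://hijack.example.invalid/home"
"""

def parse_reg(text):
    """Yield (key, name, value) for each string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := STRING_VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else ESCAPE.sub(r"\1", m.group(1)[1:-1])
            yield key, name, ESCAPE.sub(r"\1", m.group(2))

def audit(text, hijack_fragment):
    """Return (reasons, key, name, value) for every entry worth reviewing by hand."""
    findings, frag = [], hijack_fragment.lower()
    for key, name, value in parse_reg(text):
        k, n = key.lower(), name.lower()
        checks = [("matches-hijack-url", frag in value.lower()),
                  ("browser-page", k.endswith(IE_MAIN) and n in PAGE_VALUES),
                  ("autostart", k.endswith(RUN_KEYS)
                   or (k.endswith(WINLOGON) and n in ("shell", "userinit")))]
        reasons = [tag for tag, hit in checks if hit]
        if reasons:
            findings.append((reasons, key, name, value))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE, "hijack.example.invalid"), sep="\n")
```

RegEdit's "Version 5.00" exports are UTF-16, so read a real file with `open(path, encoding="utf-16").read()` before passing the text to `audit`.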

Okay, see. I love me some astalavista.box.sk, even have the t-shirt (devs love it when I wear it to E3), but, apparently unlike Jakub, I’m swift enough to only visit with my browser set to maximum security, running no javascript, permitting no activescripting, no cookies, no nothing. Unless you do that, as you’re cruising around and looking for cracks, passwords, and hacks, they’ll be gleefully installing a shitload of trojans, virii, adbots, and spambots on your vulnerable virgin system.

Wear some damn protection next time, Jakub.

Eh oh I didn’t mean astalavista.box.sk in particular, just giving you guys the general idea of the sites I visited (and yes, unprotected, b/c I wasn’t expecting the astalavista experience :)

Download HiJackThis (do a search, on Tom somebody’s page).

This should let you nail the swine.

If it doesn’t, post the report it gives you here.

That got the sneaky rat!

Linky?

/me is too lazy to search. (plus it’s 2.24 A.M.)

Honestly! Type it into Google and the first page you get is the one you want:

http://mjc1.com/mirror/hjt/

This is a mirror of pages found at Tom Coyote’s web page:

Why not just use Mozilla or Firebird or Opera - some browser that doesn’t get hijacked by adware, spyware and other annoying stuff all the time?