trackhits.cc hijacked homepage

[eps49]

Hi,
My homepage gets changed to about:Blank with a little search window in the center with a bunch of links under it ( see attached Image), also just about everytime I do a search on a web page I'll get a small pop up window asking me if I want to search for that particular thing that I typed. (I also see on the bottom bar of the window that the window constantly tries to connect to trackhits.cc)

Please help, I also attached my HiJack this log.

THANKS

 

[IronDuke]

Start by reading these two stickies by RealBlackStuff

How to remove Begin2Search / CoolWebSearch and other Nasties.

How to remove Trojans and its ilk!

 

[eps49]

Didn't work

I followed all the info at those links & It's still there, Please review the attached file that was saved while in safe mode.

Thanks

 

[vhunter]

If you save a log in Safe Mode, chances are that the files needed to know what's wrong won't be there.

Spybot Search & Destroy has an Internet Explorer plugin that prevents the changing of homepages and search pages. Try running that.

Also, consider switching to Firefox or Opera.

 

[eps49]

New File

Please see the new hijackthis log file, I activated the IE tweak from spybot & it did nothing, also I used to use Firefox, however it slowed my computer to a crawl so I stopped using it.

Thanks for any help.

 

[howard_hopkinso]

Boot into safe mode, and turn off system restore.

Open your task manager, and end task for(if there)

winfr32.exe
javatp32.exe


Run HJT with no other programmes open, and let HJT fix the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\muxen.dll/sp.html#28129%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\muxen.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\muxen.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\muxen.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\muxen.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\muxen.dll/sp.html#28129%resultposition.net
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {F9DA97FE-F0E5-E090-AD3F-ADF726067B86} - C:\WINDOWS\system32\winag.dll

O4 - HKLM\..\Run: [winfr32.exe] C:\WINDOWS\system32\winfr32.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netei32.exe (file missing)

Close HJT, and go into the following directories. Delete the bold files(if there)

C:\WINDOWS\system32\winfr32.exe
C:\WINDOWS\javatp32.exe
C:\WINDOWS\system32\winag.dll

Reboot your computer, and turn system restore back on.

Regards Howard

 

[eps49]

Thanks

Thanks for the quick reply,

I have played around with some files & I got rid of this crap manually, then I did the Hijackthis thing you said before I saw your reply & I believe (Hope) it's all gone, my startpage is back to normal.

Now what I have done is, I worked with Microsoft Antispyware program, running (Big Help), Task Manager window & Win32 window, open together along with the Google homepage, I then googled every file that was created since the problem began & anything suspicious I ended task (if it was a running process) then deleted it from the win32 folder (including bad .dll files), then when Microsoft Anti... asked to allow or block the program I always said Block, it took about a half hour because it tried to run a bunch of different programs & I believe I stopped and deleted all of them, then I ran a hijackthis scan & fixed all the things that looked bad & it's all good now. Obviously emptied the temp, prefetch folders, etc.

Thanks, For your help.

 

[howard_hopkinso]

Run another HJT scan, and see if any of the entries I listed above are still there.

If they are, then just follow the instructions I gave you.

If not. Well done.

Regards Howard

 

[eps49]

Done

I ran another HJT scan and it looks clean except for 023 netei32.exe (file missing), fix it does nothing, however, either we got rid of the problems or they are being blocked by Microsoft anti spyware. See attached new HJT log file.

Thanks Again

 

[howard_hopkinso]

Sorry I forgot to include.

023 entries need the following in order to get rid of them because they run as services.

Click start/run, and type services.msc into the run box, and press enter.

When the services window opens, maximise it, and scroll through the list untill you find the entries you are looking for. Once you find it, right click on it and select stop if it`s running. Then select properties, and set the startup type to disabled. click apply/ok, and restart your computer.

Once again sorry for not mentioning that earlier.

BTW. I can confirm that you latest HJT log is clean.

Regards Howard