1
   

Please Help! New Approach to Search Problem

Forums: Computers
Email this Topic Print this Page
 
 
squinney
 
Reply Wed 29 Sep, 2004 05:08 pm
1. Okay, my HJT log looks fine. We've gone through that.

Figured I would try a new approach.

This is a my log showing IE settings. Does anything look weird or out of place (especially the redirects)?

________________________________________________________

Internet Explorer Settings:

Default_Page_URL http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

SearchAssistant http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

provider gogl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider

Local Page C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://www.nc.rr.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Use Search Asst no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst

__________________________________________________________


Does that look like your IE6 settings?



2. The html page www.findwhatevernow.com keeps showing up in my temp internet files, but I can't find what is triggering it. If I delete it, it shows up again almost immediately.


In IE6, I click on Tools, Internet Options, Settings, View Files (temporary Internet Files) and all of the files for my homepage appear along with this one "e" page that says

e search/ http://findwhatevernow.com/search/ HTML Document 10KB None (expiration date!)

I can't find it in Cache and can't figure out what the trigger is for it to load - or where to find it to delete it. (actually, just deleting it would be nowhere close to what I would like to do with it and all of the people associated with it!!!!) Evil or Very Mad



Let me know if I'm way off base or getting warmer on solving this problem. Thanks in advance!
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 939 • Replies: 7
No top replies

 
squinney
 
  1  
Reply Wed 29 Sep, 2004 05:32 pm
Bump!


Hmm, Don's probably having a nice dinner.

Craven's prolly still at work...

Monger?


Anyone?
0 Replies
 
fishin
 
  1  
Reply Wed 29 Sep, 2004 06:03 pm
If you open IE6, go into "Tools", "Internet Options...", "Settings" and look in "View Objects" what is listed?

You should get a list of all of your IE Plug-ins and Add-ons. It may be hiding in there.

(I'm not famaliar with "E Search" so I'll have to do some digging on their setup.)
0 Replies
 
fishin
 
  1  
Reply Wed 29 Sep, 2004 06:16 pm
Just as a quick follow-up - It looks like "Findwhatevernow.com" uses something that screws around with your Outlook Express configuration. Every time you open Outlook Express it reloads their hijack. Surprised
0 Replies
 
squinney
 
  1  
Reply Thu 30 Sep, 2004 08:45 am
Exactly, fishin. And, I can't figure out where it is hiding to "re-hijack" everytime.

the "e" above was just my attempt to indicate that it is an html/internet page/link. ( As in, the icon next to it in the list)

Yes, it is in my tools, settings, view files. But, deleting it here doesn't make any difference when I open IE again. I can clear all cookies, delete all temp files, clear history, empty cache, blah, blah, blah. I can't find where it is hiding to get rid of the trigger.

Any ideas?
0 Replies
 
squinney
 
  1  
Reply Thu 30 Sep, 2004 05:01 pm
Anyone?
0 Replies
 
timberlandko
 
  1  
Reply Thu 30 Sep, 2004 05:45 pm
You might wanna try this, squinney:

Disconnect from the 'net and boot into safemode. Go to Start > Run. The Run dialog will appear. Type "regedit" (without the quotes) and click OK. The registry editor will open.
Navigate to the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\
In the right pane, delete the value {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}, if it exists.
Exit the registry editor.
Restart your computer, again into safemode.
Go to Start > Search > All Files and Folders. Configure Search to look in ALL files and folders, including hidden and system files and folders. Search for, and if found, delete:
FWNToolbar.dll(
(If present, it should be found in your C:\Windows\System if you are running Windows 95/98/Me, in C:\WINNT\System32 if you are running Windows NT/2000, or C:\Windows\System32 if you are running Windows XP).

Then search for and delete if found any files named or containing FWN* or Findwhatever*. Be sure to include the asterisk to find any variations on those file names.

While still in safemode, empty all of your "Temp" folders, for all users, including all offline content from IE cache, and C:\Windows\Temp (just delete the contents, not the folders themselves). Then empty your recycle bin. Open IE (ignore any Not Connected" or "Cannot Display Page" warnings), go to Tools, and manually type in the entire (http://www.whateveretc.whatever) url for your desired homepage, confirm your entry, and exit "Tools"

Reboot normally, connect to the 'net, and let us know what happened.

BTW, the current versions of both Spybot S&D and AdAware ought to be able to find that critter, though they may not be able to remove it. I believe Spybot, if properly configured, should prevent reinfestation, though.
0 Replies
 
squinney
 
  1  
Reply Thu 30 Sep, 2004 06:43 pm
Thanks, Timber. Will give it a try after the Debate and let you know what happens. I found those instructions using Bears computer, but didn't do it in safe mode. Didn't find the files mentioned doing it the way I did, so will try safe mode, disconnected from internet and see what happens.

I am up to date on all of my spyware detecters. Nothing can find it. Switched to AdAware SE last week per Cravens suggestion, and it found over 200 things the original AdAware didn't find, but not this.

Anyway, THANK YOU! Will check back later to let you know how it goes.

Also found this ( http://www.dbforums.com/t858980.html ) which is more complicated, so will try your way first.
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » Please Help! New Approach to Search Problem
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 04/27/2024 at 07:10:59