Help! Search site won't go away! - HTML forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Help! Search site won't go away!

browser homepage hijacked and I can't change it back

gregor

8:35 pm on Feb 16, 2004 (gmt 0)

10+ Year Member

This isn't necessarily a web development issue but it is browser related and I need some serious help with it.

For the last few days I've been struggling with a problem in IE6. Hy homepage was set to Google.ca but has been hijacked by "a search site". I've never even visited this site! Every time I open IE I check out Tools>Options and reset my homepage to Google. I've Restricted that site (via Tools>Options>Security) and have even gone so far as to run "regedit" and perform the following:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Bar -------> Modify > Delete
Search Page ------> Modify > Delete
Start Page -------> Modify > Delete

^ All three of these preferences were set to that search site (without my doing), deleted and then reset to Google.ca (yes, I did this). Upon restart today guess what site IE had bookmarked as my homepage. Right! "the same search site"! ARRRGHGH! I've managed to find a forum in which someone has encountered the same issue, the only problem is that it's in German (Google and you find it).

So, if anyone can read German and figure out how the individual got rid of this, or can recommend how I do it that would be great!

Sorry mods if this doesn't belong here ... Thanks again!

[edited by: tedster at 12:18 am (utc) on Feb. 17, 2004]
[edit reason] remove specifics [/edit]

korkus2000

8:42 pm on Feb 16, 2004 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Do you have this file on your PC?

c:\Windows\Update12.js or just Update12.js. Have you run spybot search and destroy and adaware?

gregor

8:49 pm on Feb 16, 2004 (gmt 0)

10+ Year Member

Thanks ... yes I've run Adware but still it remains. I'm at work now but will d'load Spybot Search and Destroy, run it and see what happens. What exactly is "update12.js". Should I run a search for the file and just delete it if found?

gregor

10:55 pm on Feb 16, 2004 (gmt 0)

10+ Year Member

I just ran Spybot S&D and Adware. Looks as though a lot was cleaned out. I also found "update12.js" in C:\Windows. Deleted the file and emptied the recycle bin. Registry looks as though it has been restored as well.

Any other tips?

korkus2000

12:23 am on Feb 17, 2004 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Is it still happening? The js is from that german thread I translated.

gregor

1:34 am on Feb 17, 2004 (gmt 0)

10+ Year Member

Is it still happening? The js is from that german thread I translated.

I restarted my machine, opened IE6 and sure enough there was Google. Reboot ... same thing. Another reboot and again, Google as my homepage.

However, after running some other programs and fiddling about I opened up IE to browse again ... this time, though, the site in question is default. I've taken a look a look at the registry and "Search Bar", "Search Page" and "Start Page" are all set to it again!

I have no idea how to solve this!

*Edit: I've also found a file in C:\Windows called "update911.js". The script looks quite suspicious ... Just did a quick Google and there seems to be other that have had this thing go undetected by Search & Destroy/Adware. I'll delete it and see what happens.

rcjordan

1:49 am on Feb 17, 2004 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Run hijackthis, it's not like spybot/adaware, it gives a roster of files that look suspicious. You can find it on doxdesk.com.

gregor

2:04 am on Feb 17, 2004 (gmt 0)

10+ Year Member

Run hijackthis, it's not like spybot/adaware, it gives a roster of files that look suspicious. You can find it on doxdesk.com.

Done. Can I PM you the results? Looks okay to me but I wouldn't mind a second opinion ...

gregor

2:26 am on Feb 17, 2004 (gmt 0)

10+ Year Member

Just finished running CWShredder as well. Hopefully the problem has been resolved.

thehittmann

6:30 am on Feb 17, 2004 (gmt 0)

10+ Year Member

I was going to recommend hikjackthis aswell, I've found that to be great for getting rid of unwanted nasties in the past.

sun818

7:51 am on Feb 17, 2004 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

A good brute force way is to search all your files containing the text of the web site you are being taken to.

niggle

4:00 pm on Feb 18, 2004 (gmt 0)

10+ Year Member

My son's computer has this problem. It's a Trojan/virus.

I found some details at [sophos.com...]

I have yet to try thie removal instructions.
Hope this helps you!

Jeff