how do i get rid of weesnich.de.vu


slick stick
September 27th, 2002, 06:52 PM
Please help. My son and my nephew have both had their browsers {MS Internet Explorer} taken over by weesnich.de.vu. It has taken over homepages. When the home page is set to something else, weesnich.de.vu comes back. It also makes lots of popups come up, some of which are sick. We really need to get rid of this. Thanks.

degsy
September 27th, 2002, 07:12 PM
try this
http://www.cybertechhelp.com/forums/showthread.php?s=&threadid=5907

tb525
September 27th, 2002, 07:20 PM
Let us get a look at your startups. Go here and download and run Startup log: http://home.earthlink.net/~rmbox/Reticulated/Toys.html

Copy and paste the results in a reply. Everything but the stubpaths.txt. (If the log is real long, split it in two and paste each half in a separate reply.)


If you need an unzipped version of startup log click the Only IE link at the bottom of the page.


Spybot Search & Destroy may clean this hijacker.

Installing and running Spybot:

http://beam.to/spybotsd

1 -- create a new, 'host' folder in a convenient location (not on the desktop)

2 -- download the spybot program to it and run the setup file.

3 -- go to the Start Menu, find the program and run it. Click the "online" tab and "Search for Updates", then make your selection and click "Download Updates". You will not need to update the "main" program and can probably ignore the language and PGP (Pretty Good Privacy) updates.

4 -- run the scan (click "check all"). You will see some boxes checked and others not. Remove the pre-selected items. The others are mainly "cleanup" options (you can disable this feature by clicking Settings > FileSets, and unchecking "Usage Tracking". "System Internals" should be unchecked as well unless you are confident you know what it deals with).

5 -- it is a good practice to reboot afterwards, even if not prompted.


Here is a good program to prevent malicious scripts like this from running: ScriptSentry (http://www.jasons-toolbox.com/scriptsentry.asp)

slick stick
September 28th, 2002, 04:35 PM
I did a virus scan. I checked for .hta files. I tried the Notepad thing but did not get the option "answer yes to have it imported into the registry".
I ran msconfig and unchecked everything that I did not know what it was.
I also ran regedit and searched for it in there and changed every reference to it. I deleted all cookies and temp files. I went into Internet tools and changed the home page, restarted and it was back. Also checked the startup folder but there was nothing in there.
I am downloading spybot to give it a try.
Thanks for the help so far.

slick stick
September 28th, 2002, 07:28 PM
I downloaded Spybot to my nephew's PC and ran it. It came up with a long list of things; I chose select all and to fix them. Now IE has stopped working; when I try to access any websites it comes up blank.
I tried reinstalling IE, also tried reinstalling Windows, but IE still won't work.

maxximilian
September 28th, 2002, 07:29 PM
General troubleshooter and prevention information for browser hijacking here:

http://www.spywareinfo.com/articles/hijacked/index.html

tb525
September 28th, 2002, 07:40 PM
If you didn't wipe everything out when you tried to reinstall windows, Open the spybot folder, then the recovery folder.
There will be backups of everything that spybot removed.

If the backups are there, open spybot and click the recovery button, follow the directions..

slick stick
September 29th, 2002, 08:04 PM
My nephew did the restore on Spybot. I am not sure what else he did, but when I clicked on IE I got an error box which shut it down. Also got lots of error boxes on startup. I gave up and backed up the C drive and formatted it.
I will try Spybot again and the other suggestions on my son's PC.
I will post back soon.
thanks for the help so far.

slick stick
September 30th, 2002, 06:40 PM
MY SON'S STARTUPS AND HIJACK THIS LOG ARE:

Start-Ups checked at 30/09/2002 15:56:44.50



StartUp Log (version 1.56) - Release Date 3/11/2002


StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

------------------------------------------------------------------------

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"C-Media Mixer"="Mixer.exe /startup"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"CMESys"="\"C:\\PROGRAM FILES\\COMMON FILES\\CMEII\\CMESYS.EXE\""
"LoadQM"="loadqm.exe"


=============================================================

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\WINDOWS\\SYSTEM\\service.exe"
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"


__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]



__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


------------------------------------

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"


----------------------------------------------------------------------------------------------------

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


-----------------------------------------------------------------

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=



8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file


_____________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

_____________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*


__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\WINDOWS\\SYSTEM\\service.exe"
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /uninstall"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /uninstall"

-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 44 17/09/02 22:09
-=================-

[Rename]
NUL=C:\WINDOWS\TEMP\A~NSISU_.EXE
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-




- Supplemental Environment Information -

COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

________________________________________________________________________

- End –

HIJACK THIS LOG.

Logfile of HijackThis v1.61.0
Scan saved at 16:22:08, on 30/09/2002
Platform: Windows 9x 4.90.3000

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://weesnich.de.vu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.mywebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.mywebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsuxxxxx Internet Explorer
O2 - BHO: C:\WINDOWS\SYSTEM\FAVORITE.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MyApp] C:\WINDOWS\SYSTEM\service.exe
O9 - Extra button: Related
O9 - Extra 'Tools' menuitem: Show &Related Links
O9 - Extra button: Messenger
O9 - Extra 'Tools' menuitem: Messenger

tb525
October 1st, 2002, 12:18 AM
First, Click Start > Run > type regedit Click OK

Click the + next to the following keys:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion

Scroll down and click on the Run folder. In the right window look for C:\\WINDOWS\\SYSTEM\\service.exe
Right click on this entry, then delete it.

Then click the + next to the following keys

HKEY_USERS
.Default
Software
Microsoft
Windows
CurrentVersion

Then click on the Run folder. In the right window look for C:\\WINDOWS\\SYSTEM\\service.exe
Right click on this entry, then delete it.

Then click the + next to the following keys

HKEY_CURRENT_USER
Software
Microsoft
Internet Explorer

Then click on the Main folder. In the right window look for
Window Title=Microsuxxxxx Internet Explorer
Right click on this entry and click Modify.
Change this Microsuxxxxx Internet Explorer to anything you wish, then click OK.

Then click the + next to the following keys

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion

Then click on the Run folder. In the right hand window look for C:\\WINDOWS\\SYSTEM\\service.exe. If it is there, right click on it, then delete it.

**Startup log is not showing it there but Hijack This is.

Collapse the registry tree and reboot.

Do a find files for service.exe and delete it.

Then Open a DOS command prompt window (under Accessories in the Programs menu from 'Start'), and enter (for Windows 95/98/Me):

"%WinDir%\SYSTEM\regsvr32.exe" /u "%WinDir%\SYSTEM\favorite.dll"

and hit enter. Exit the DOS prompt and reboot

Then do a find files for Favorite.dll and delete it.
also do a find files for favboot.dll, if found, delete it.


You should now be able to change your startpage through Tools/Internet Options.
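
As an added example (not part of tb525's post and not HijackThis's own code), a short Python triage of the HijackThis lines posted above. It lists the entries a helper would review by hand: IE URLs on hosts outside a trusted list, a custom Window Title, every BHO, and Run entries not already recognised. `TRUSTED_HOSTS` and `KNOWN_STARTUPS` are assumptions chosen for this illustration.

```python
import re
from urllib.parse import urlparse

# Sample input: seven lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://weesnich.de.vu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.mywebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsuxxxxx Internet Explorer
O2 - BHO: C:\WINDOWS\SYSTEM\FAVORITE.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MyApp] C:\WINDOWS\SYSTEM\service.exe
"""

# Assumptions for illustration: hosts and startup names the reviewer already trusts.
TRUSTED_HOSTS = ("microsoft.com",)
KNOWN_STARTUPS = {"LoadPowerProfile"}

R_LINE = re.compile(r"^R\d - (.+?),([^=,]+)=(.*)$")    # key,value name=data
O2_LINE = re.compile(r"^O2 - BHO: (.+)$")              # Browser Helper Object
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")  # autorun key: [name] command

def host_trusted(url):
    """True when the URL's host is a trusted domain or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)

def triage(log):
    """Return (kind, location, value) tuples for entries that need manual review."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        if m := R_LINE.match(line):
            key, name, data = m.groups()
            if data.lower().startswith("http") and not host_trusted(data):
                findings.append(("ie-url", f"{key}\\{name}", data))
            elif name == "Window Title":
                findings.append(("ie-title", f"{key}\\{name}", data))
        elif m := O2_LINE.match(line):
            # Every BHO loads inside the browser, so each one is listed for review.
            findings.append(("bho", "O2", m.group(1)))
        elif m := O4_LINE.match(line):
            hive, name, command = m.groups()
            if name not in KNOWN_STARTUPS:
                findings.append(("autorun", f"{hive}\\{name}", command))
    return findings

if __name__ == "__main__":
    for kind, where, value in triage(SAMPLE_LOG):
        print(f"{kind:8} {where} -> {value}")
```

The output is a review list, not a verdict: an entry appears because it falls outside the two allowlists, and each one still has to be checked by hand as in the steps above.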

slick stick
October 1st, 2002, 07:06 PM
Thanks tb525.
I did the above and it worked. IE now shows the page I choose.

But Microsuxxxxx is still at top; this is not a problem.
Also I could not find Microsoft in hkey_local_machine, so I searched the registry for service.exe and no more were found.

thanks again and to everybody else who helped.

tb525
October 1st, 2002, 07:30 PM
OK, Also modify the Window Title=Microsuxxxxx Internet Explorer at this location:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

Both locations must be the same.

slick stick
October 2nd, 2002, 09:10 PM
ok done that. Microsuxxxxx has now gone.
thank you.