Homepage Hijacked

[gizmodog]

Hi! I accidently clicked on something that gave somebody permission to change my homepage in Internet Explorer. I've tried changing it but it just keeps coming back. The name of the page is http//searchpage.cc/ and it's listed as http//nkvd.us/ in my Homepage box in Internet Options. This thing is driving me nuts. When I type any URL into the adress box it goes straight to the search page and even knocks me off other sites. Is anybody familiar with this thing? Any help trying to unload this is greatly appreciated. My next step it to reload Windows(XP Home) but I don't want to resort to such drastic measures. Is there a site with some removal type software anywhere for this. Thanks to everybody! Chris.

 

[Mem]

Download these programs,HijackThis.,I would also recommend Spybot 1.3 ,SpywareBlaster as well. ,CWShredder..

 

[gizmodog]

Thanks for the reply Mem! I have spybot 1.2 and had run it. It found 2 copies of something called Prolivation but wouldn't remove them. If I try to download any of your other recommendations I get redirected to the damn search page. This thing is ridiculous. Would it be possible to remove in the registry?

 

[Mem]

gizmodog try this guide here .

What is Prolivation.com?

Prolivation.com takes over your ability to view webpages by attaching the URL

prolivation.com/cgi-bin/r.cgi?

in front of any web page you try to visit. In essence, this destroys the ability to view web pages since currently the domain prolivation.com is actively registered but dormant. The script itself allows the site to monitor visited URLs and/or redirect the requests, add popups, etc. Adult sites may be substituted for the requested site.

How does Prolivation.com hijack my homepage?

The hijacker edits the registry as well as editing the file to reset the home and search pages for Internet Explorer. Because of these changes to your system the hijacker program is difficult to remove.

How to I Remove Prolivation.com?



Follow these instructions to manually remove the prolivation.com hijacker from your system.

Click on Start, Run
Type in REGEDIT and press Enter
In the left column, click the plus signs (+) next the the following items
HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS
CURRENTVERSION
URL
Click on the Default Prefix folder
In the Right Pane, double-click on (DEFAULT) in the name column, and change the value to http:// and click OK
Now in the Left Pane, click on Prefixes
In the Right Pane, double-click on FTP in the name column and change the value to ftp:// and click OK
Double-click on GOPHER in the name column and change the value to gopher:// and click OK
Double-click on HOME in the name column and change the value to http:// and click OK
Double-click on MOSAIC in the name column and change the value to http:// and click OK
Double-click on WWW in the name column and change the value to http:// and click OK
Close REGEDIT

Because this hijacker may change the default home and search page URLs, its also wise to check the following file for changes.

Open My Computer, and click on Tools
Click on Folder Options
Click on the View tab
Make sure "Show Hidden Files and Folders" is dotted and "Hide extensions for known file types" is unchecked
Click on Ok
Double-click on Drive C in My Computer
Double-click on Windows
Double-click on the INF folder
Right-click on IERESET.INF, and OPEN WITH Notepad.exe
Find the [Strings] and make sure it does not contain "prolivation.com"
If it is set to "prolivation.com" change the start_page_url and search_page_url values.
For IE 6, this would be:
START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
Save the file

In case you`ve problems getting to the page I`ve pasted it above for you.

 

[crimson117]

Originally posted by: gizmodog
Hi! I accidently clicked on something that gave somebody permission to change my homepage in Internet Explorer. I've tried changing it but it just keeps coming back. The name of the page is http//searchpage.cc/ and it's listed as http//nkvd.us/ in my Homepage box in Internet Options. This thing is driving me nuts. When I type any URL into the adress box it goes straight to the search page and even knocks me off other sites. Is anybody familiar with this thing? Any help trying to unload this is greatly appreciated. My next step it to reload Windows(XP Home) but I don't want to resort to such drastic measures. Is there a site with some removal type software anywhere for this. Thanks to everybody! Chris.

You might consider using Mozilla/Firefox browser in the future, although starting now wouldn't help solve your current IE problem.

 

[Chebago]

I would guess that the reason that it wouldn't let you delete it is because the program was still running, what you can try is to hit CTRL-ALT-DELETE and then under processes, find the one that would correspond to the name, "Prolivation" obviously it could be named anything but you might get lucky and it will be very similar, then just end the process and it will let you delete the file.

you could also boot into safe mode...this is done by hitting f8 during the black windows xp boot screen (it sometimes is hard to catch it at the right moment but it can be done) and then deleting the files.

My sister had the same problem, good luck. Oh, I would alos recommend Firefox because once you go tabbed browsing, you'll never go back.

 

[gizmodog]

Thanks for the info guys! I'll try some of this stuff when my schedule permits but I probably wont have time til the weekend. Thanks again for all the help.

 

[gizmodog]

I managed to download Spybot 1.3 but it won't remove the hijacker. I went through the instructions for removing Provilation.com with the registry editor several times and that isn't working either. Every time I change the registry line it just changes back after a moment. Is it legal to stick something like this in someones computer?

 

[tomcas1]

I found that it takes both Spybot and Ad-aware combined to remove homepage hijacking. Be sure and update each time before scaning. For Spybot, if you are in the US select the US mirror before downloading and make sure everything is checked (select all) to delete after finding sypware. Chances are you will have to provide permission, at least initially, to restart and allow Ad-aware to start first to remove some of the sypyware. Once you get your homepage back there is a registry setting change that should prevent future hijacking but it's not 100% certain.
http://www.mvps.org/winhelp2002/ietips.htm

 

[gizmodog]

I have Ad-aware 6.0 and Spybot I.3 but neither are removing it. I finally managed to download a copy of hijack this and so far it won't remove the files either. It seems to me that somebody went to a lot trouble to work around these fixes.

 

[amdskip]

CW shredder will take care of it and it fits on a floppy.

 

[OZEE]

CWShredder may NOT take care of it unless it's a CWS (Cool Web Search) hijack.

Spywareblaster is an awesome program, but it won't fix this problem. It's purpose is to prevent this problem from happening in the future.

Check the stickied-thread at the top of the s/w forum. That's got all the info you need. PM me if you need more help with HiJackThis -- honestly, it should only be used by someone who really knows what they're doing with it or you can really screw up your computer! Ask before deleting ANYTHING with HJT!!!!

 

[gizmodog]

I went ahead and used HiJack This. I tried to delete 4 lines that had the nkvd.us included in them. Every time I delete them they're back again when I rescan. I also tried CWShredder with no luck. I've been trying to download the CWS smartkiller removal tool but for some reason I'm not getting a complete download. I'll try later to get it. Thanks OZEE for steering me to the thread in the software forum. I've tied everything except the smartkiller removal tool.

 

[gizmodog]

Wow! I finally got rid of the hijacker called Prolivation. CWShredder is what finally worked when I used it after booting into safe mode. I've been haunted by this thing for a month. Many Thanks to everybody who replied. I plan on trying a different browser in the future. Again thanks for the great advice!

 

[OZEE]

Good job! HJT is a powerful tool, but those nkvd.us entries weren't going away because something else kept reloading them... Once you learn to use HJT you'll learn what program that was.

Congrats!