How do you change the "DEFAULT" home page in Internet Explorer 5x ?


Cybordolphin

Platinum Member
Oct 25, 1999
2,813
0
0
Mini..... no prob.

At first glance this sounds like a really stupid topic I know.

Well I downloaded the software mentioned to remove the trojan. No luck. It is still writing into the registry. Damn.... pretty good little bug!

I still have the trojan.... after I updated the Moosoft, and even tried disabling the antivirus while scanning.

If anyone has any other info... please post.

Thanks.

 

Floydian

Senior member
Dec 13, 1999
506
0
0
Hmm, if it is a form of spyware, this program might help remove it (it removed a buncha other simpler spyware from my computer like advert's and some other stuff):
Ad-Aware
It scans folders/files, registry
 

Noriaki

Lifer
Jun 3, 2000
13,640
1
71


<< They have been routing all of my sisters web activity through their website. It appears they have captured all of their passwords, credit card information, and I think even snapshots of their computer. >>

I'd be considering legal action against this company. I would talk with a lawyer. And don't let it drop because they send you an uninstaller. If they are capturing passwords and credit card numbers I'd push it.

You might want to try ZoneAlarm...see if any program other than IE is accessing the net....
 

AmigaMan

Diamond Member
Oct 12, 1999
3,644
1
0
Look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to find out which program is being loaded at startup. Remove that entry, remove the directory and all files in it where the program was loaded. Reboot and see if that doesn't rid yourself of the spyware. The program is being loaded at startup and probably checks to see what the default homepage is and changes it to whatever they want it to be. You may have to stop the program from running by hitting Ctrl-Alt-Del once if in 98/95/Me or going to the task manager in NT or W2k and stopping the process. Then delete the registry key. Hopefully this works for you!
 

jasonlee123

Member
Jan 30, 2001
177
0
0
I don't think the problem is still happening cause I just tried both sites and nothing. Must have got busted.
 

Cybordolphin

Platinum Member
Oct 25, 1999
2,813
0
0
Well I got rid of "Gohip.com"... that one was pretty easy.

BUT... this "sureseeker.com", is a bit tougher. It also installed a worm virus called w95.hybris.worm.... and I believe the trojan "SUBSEVEN".

I will try the second trojan remover.... and see if that kills it.

Anyone with any other information on "sureseeker.com".... would appreciate a post.
I found a site that discussed the trojan and viruses.... but not exactly how to remove the "Sureseeker.com" program that is holding their website as the default in the browser.

Thanks for the post(s)
 

road

Banned
Dec 4, 2000
443
0
0
The default URL manifests itself in more than one spot in the registry, the one in your "user" HKEY is the main culprit as that's the one that controls the rest, but removing that alone isn't sufficient you have to remove all the others too. These Stupid folks at sureseeker, think they drum up the hits on their site by doing crap like this.. unethical FOOs.

Another silly but sure fire way is to uninstall IE and then let Microsoft do its dirty work, and update the registry by itself.

Hope this helps.
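
Added example, not part of any post in this thread: a Python audit of a registry export that lists every `Run` entry (the check AmigaMan describes) and every home-page value that differs from the expected one across all hives (the point road makes). The `Start Page` and `Default_Page_URL` value names are standard Internet Explorer settings not named in the thread, and the sample export, including the `loader` entry, is constructed.

```python
import re

# Key suffixes and value names are standard Windows/IE locations, not from the thread.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
HOME_VALUES = {"start page", "default_page_url"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export in REGEDIT4 text format; the "loader" entry is hypothetical.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"loader"="C:\\WINDOWS\\TEMP\\loader.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.sureseeker.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.sureseeker.com/"
"Start Page"="http://www.microsoft.com/"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.sureseeker.com/"
'''

def parse_reg(text):
    """Yield (key, name, data) for each string value in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def audit(text, expected_home):
    # Returns (all Run entries, home-page values that differ from expected_home).
    run_entries, home_overrides = [], []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            run_entries.append((key, name, data))
        elif k.endswith(IE_MAIN_SUFFIX) and name.lower() in HOME_VALUES:
            if data != expected_home:
                home_overrides.append((key, name, data))
    return run_entries, home_overrides
```

Every `Run` entry is returned for review rather than judged automatically, since the export alone cannot tell a legitimate startup program from the one rewriting the home page.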
 

Cybordolphin

Platinum Member
Oct 25, 1999
2,813
0
0
From what I have been reading ..... the program they have, actually writes to the registry every time you start windows. So I don't believe changing the registry will work.
:(
 

Cybordolphin

Platinum Member
Oct 25, 1999
2,813
0
0
I already tried reinstalling the OS. That did not take care of it either. However.... I only did a reinstall over the old install. I did not uninstall the OS first. I don't want to lose any of their files, and info..

 

extro

Senior member
Jan 6, 2001
365
0
0
See this virus description at McAfee: http://vil.nai.com/vil/virusSummary.asp?virus_k=98882



A search of Dejanews for the keywords "sureseeker default home page" found:

From: Sandi Hardmeier MVP (sandi_hardmeier@mvps.org)
Subject: Re: Default Home Page
Newsgroups: microsoft.public.windows.inetexplorer.ie5.browser
Date: 2000-12-10 02:46:48 PST


Bengrey,

You have been infected with a virus.

The virus is called JS.Seeker trojan (It is also known as HTA.runme
trojan).

This trojan is malicious script embedded in HTML code which may be run
by an unsuspecting internet user visiting the seedier side of the
Internet. This trojan exploits a bug in Internet Explorer which allows
it to store files on the user's machine. Removeit.hta is stored in C:\
drive and runme.hta is stored in the Windows Startup directory.

When the machine is rebooted the runme.hta file will be executed, when
run this file changes the default URL for the Internet Explorer to be
changed to www.sureseeker.com.

The trojan possesses a basic stealth capability. When runme.hta is run
it will modify registry entries so that the file will be deleted after
it has been run. Removing this file is an attempt by seeker to hide the
fact that the machine has been attacked/compromised.

Most anti-virus software will detect the attempt to write the
removeit.hta and runme.hta files to your computer. Other viruses and
trojans exploit the same bug in Internet Explorer, so please download
and install the following patch to Internet Explorer:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
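
Added example, not part of the quoted newsgroup post: a Python triage of a recursive file listing (for instance the output of `dir /s /b`) that flags the two file names given in the description above and any script file sitting directly in a Startup folder. The extension list is an assumption about which script types to treat as suspicious there, and the sample listing is constructed.

```python
from pathlib import PureWindowsPath

# File names taken from the description quoted above.
NAMED_FILES = {"runme.hta", "removeit.hta"}
# Assumption: script types worth flagging when found in a Startup folder.
SCRIPT_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}

# Constructed sample listing, one path per line.
SAMPLE_LISTING = r"""C:\WINDOWS\Start Menu\Programs\StartUp\RUNME.HTA
C:\removeit.hta
C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\My Documents\notes.js
C:\WINDOWS\Start Menu\Programs\StartUp\update.vbs
"""

def in_startup(path):
    # True when the file sits directly in ...\Start Menu\Programs\StartUp (any case).
    parent = [p.lower() for p in path.parts[-4:-1]]
    return parent == ["start menu", "programs", "startup"]

def triage(listing):
    """Return [(path, [reasons])] for files matching either rule."""
    findings = []
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        path = PureWindowsPath(raw.strip())
        reasons = []
        if path.name.lower() in NAMED_FILES:
            reasons.append("file name from advisory")
        if in_startup(path) and path.suffix.lower() in SCRIPT_EXTS:
            reasons.append("script in Startup folder")
        if reasons:
            findings.append((str(path), reasons))
    return findings
```

Because the description says runme.hta arranges for its own deletion after it runs, an empty result does not show that the machine was never hit.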


 

TravisBickle

Platinum Member
Dec 3, 2000
2,037
0
0
if I get this idea right, this stuff is highly illegal if sureseeker or gohip did it themselves. why don't we get a petition together? you could mail copies to the press even if you people wouldn't pay to take it to court.
 

MrCadaver

Member
Jan 4, 2001
85
0
0
Shi* man if this is subseven then it's serious. My friends here on the lan play around with subseven just for kicks (L33T H4X0R$), and it basically gives the person complete control over your pc. Not only can they get images of your desktop (i.e. watch what you're doing), they can navigate through windows, start programs, delete files, anything that you can do except they're doing it over the phone line. PLUS they can do crazy stuff like send you false error messages and windows boxes, things like that. If it is subseven (or backdoor_g, its other main name), then you need to get rid of it quick. It seems weird that a full harddrive scan by Norton (with the latest virus list) wouldn't catch it.
Umm, just to clarify, we only use sub7 on each other. Not other people. We're not that L33T.
 

Cybordolphin

Platinum Member
Oct 25, 1999
2,813
0
0
Thanks.

I have read on the "sureseeker.com" trojans.... but I still have not found a way to remove it/them. I am rid of the "subseven". I am rid of the "gohip".

But I am still trying to find the program that is loading the "sureseeker" into my registry.

I will read the latest post...... and see if they contain a fix.

Preciate the input. :)
 

Cybordolphin

Platinum Member
Oct 25, 1999
2,813
0
0
Ok...

Think I got it.

This is what I had to do:

1) Updated antivirus
2) Download Moosoft software and update
3) Scanned with Moosoft and found/removed "SUBSEVEN" trojan
4) Scanned with antivirus and deleted ALL infected files containing JSSeeker and 95.Hybris.worm (found total of 18 files)
5) Found and deleted Homereg111.reg and Prefs.JS
6) Manually edited registry (all backup copies were shot).

It appears to have fixed it... thanks for the input. :)

Will let ya know if it surfaces again.

Now off to download ALL the upgrades from MS. To patch some of the weak links.

Aren't children great........ lol. I found more porn on my sister's computer..... than at an all boys summer camp! Will have to keep a few of those for myself. Scanned of course.
:D