Home Page changes to allways4u.com

Name: FSUNoles68
Date: November 1, 2004 at 11:57:04 Pacific
OS: XP Pro
CPU/Ram: 128 MB RAM
Comment:

I have my IE hijacked!! It seems to love the page allways4u.com. Every time I go to a webpage it will bring it up for about 5 seconds then it goes to allways4u.com. It is really annoying. Anyway, if anyone has this problem and has found a solution I would appreciate a response. Thank you.

FSUNoles68




Response Number 1
Name: najitech
Date: November 1, 2004 at 13:07:01 Pacific
Reply:

Try downloading and running the free program Hijack This. It will generate an extensive log file of ALL your running programs and processes (good and bad). You will want to examine the checklist carefully, and then place a checkmark in the checkboxes that correspond to spyware- or virus-related activity. You should be able to find one that includes "allways4u.com" in its description. If you are not sure about some of the other entries, you can do a Google search to check for known spyware connections.


0

Response Number 2
Name: FSUNoles68
Date: November 2, 2004 at 06:02:43 Pacific
Reply:

Thanks for the quick response, but I have checked my HJT logs. There are two that I have tried to delete and they keep coming back. If you need I can post the log.

Thanks,
FSUNoles68


0

Response Number 3
Name: FSUNoles68
Date: November 2, 2004 at 06:46:20 Pacific
Reply:

Here is my HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 8:42:01 AM, on 11/2/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\windows\msbb.exe
C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\shchost.exe
C:\WINDOWS\srchost.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\TMWSuite\VisualDispatch\tts_vdis.exe
C:\Documents and Settings\administrator.FREIGHTWAYSINC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allways4u.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allways4u.com
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD0F87A-5047-8CB7-DD29-11C2A7EEE3CA} - C:\PROGRA~1\ABOUTS~1\Bash For.exe (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.exe
O4 - HKLM\..\Run: [KIND ONCE DEAD GPL] C:\Documents and Settings\All Users\Application Data\Bone size kind once\LIST64.exe
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [rsretwv] C:\WINDOWS\rsretwv.exe
O4 - HKCU\..\Run: [AutomatedTaskLauncher] C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wendows Deafult Configuration] C:\WINDOWS\shchost.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\srchost.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {46559F55-BB65-11D1-A426-0006296815D1} (CheckVersion Class) - https://www.powertrack.usbank.com/PowerTrack/PT_Application/Distributables/PTVERSIONCHECKER.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FREIGHTWAYSINC.COM
O17 - HKLM\Software\..\Telephony: DomainName = FREIGHTWAYSINC.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FREIGHTWAYSINC.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FREIGHTWAYSINC.COM

Once again thank you for your help


0

Response Number 4
Name: Abnormal
Date: November 2, 2004 at 13:36:22 Pacific
Reply:

First, move Hijack This to a permanent directory like c:\program files\hijack this\hijackthis.exe. This way we can make backups if something goes wrong.
Or
Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis.
Download and unzip HijackThis.exe into this folder.
Updated version here.
http://www.lurkhere.com/~nicefiles/

When you run HijackThis from the HijackThis folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.
Scan again.

Put a check next to these, click "fix checked" and reboot.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allways4u.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allways4u.com
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {FDD0F87A-5047-8CB7-DD29-11C2A7EEE3CA} - C:\PROGRA~1\ABOUTS~1\Bash For.exe (file missing)

If you don't know what this is, remove also
O4 - HKLM\..\Run: [KIND ONCE DEAD GPL] C:\Documents and Settings\All Users\Application Data\Bone size kind once\LIST64.exe

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [rsretwv] C:\WINDOWS\rsretwv.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [Wendows Deafult Configuration] C:\WINDOWS\shchost.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\srchost.exe

You may need to show hidden files.
Then
Go to safe mode
and delete these files.


msbb.exe
rsretwv.exe
shchost.exe
srchost.exe

Download Ad-Aware SE and update it.
Set it for full scan.
http://www.lavasoftusa.com/support/download/

Online scan, set it to auto clean.
http://www.ravantivirus.com/scan/

After you're done, post another log.


Good luck





0

Response Number 5
Name: FSUNoles68
Date: November 3, 2004 at 12:30:17 Pacific
Reply:

Here is my new log. I did as suggested and I don't think that cured the whole problem. I still have allways4u in the homepage. Anyway, let me know if you have any more suggestions. You guys have been great!!

Logfile of HijackThis v1.98.2
Scan saved at 2:20:11 PM, on 11/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allways4u.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allways4u.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.exe
O4 - HKCU\..\Run: [AutomatedTaskLauncher] C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {46559F55-BB65-11D1-A426-0006296815D1} (CheckVersion Class) - https://www.powertrack.usbank.com/PowerTrack/PT_Application/Distributables/PTVERSIONCHECKER.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FREIGHTWAYSINC.COM
O17 - HKLM\Software\..\Telephony: DomainName = FREIGHTWAYSINC.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FREIGHTWAYSINC.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FREIGHTWAYSINC.COM
O19 - User stylesheet: (file missing)



0
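An added example, not part of the original thread and not code from HijackThis: a Python script that compares the "before" and "after" logs posted above and reports which entries were removed and which hijack-related entries persist. The function names and the choice of excerpt lines are assumptions made for illustration; the log lines themselves are copied from the two logs in this thread.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (not the full logs).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allways4u.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allways4u.com
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\srchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allways4u.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allways4u.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O19 - User stylesheet: (file missing)
"""

# An entry line is a section code (R0, F2, O4, O16, ...) followed by " - " and the detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) pairs; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def compare_logs(before, after, indicator):
    """Diff two logs and single out surviving entries that mention the indicator."""
    old, new = parse_entries(before), parse_entries(after)
    persisting = old & new
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "persisting": sorted(persisting),
        "persisting_with_indicator": sorted(
            e for e in persisting if indicator.lower() in e[1].lower()),
    }

if __name__ == "__main__":
    for key, items in compare_logs(LOG_BEFORE, LOG_AFTER, "allways4u.com").items():
        print(f"{key}:")
        for section, detail in items:
            print(f"  {section} - {detail}")
```

On these excerpts the startup entries and the BHO are gone, while the R0 and R1 Internet Explorer settings still point at allways4u.com, which matches what the poster reports.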




Response Number 6
Name: Abnormal
Date: November 3, 2004 at 15:54:10 Pacific
Reply:

Good job removing your other crap.

Run CwShredder from above link.
If you still have the hijack, we will try
the updated version.



0

Response Number 7
Name: Abnormal
Date: November 4, 2004 at 02:13:27 Pacific
Reply:

The new version

http://www.download.com/3000-8022_4-10301587.html


0

Response Number 8
Name: Abnormal
Date: November 4, 2004 at 15:00:07 Pacific
Reply:

Can't find info on this one

O4 - HKCU\..\Run: [AutomatedTaskLauncher] C:\Program Files\Comdata\Shared\Applications\CDAtl.exe

may not be causing your problem.

Are you a truck driver?
FREIGHTWAYSINC.COM

A quote from the other person with your problem.

Author: kir3000

BIG BIG THX. It helped !!!
CWShredder!!! its MAGIC !! Ad-Aware SE not works ((((
it was HIDDEN.DLL file
THANK YOU!!!







0

Response Number 9
Name: FSUNoles68
Date: November 5, 2004 at 07:05:15 Pacific
Reply:

Thank you for all of your help. No I am not a truck driver. :) I have tried the CwShredder, but not the current version so I will give that a try.

FYI, I work for a computer consulting company. We have been working on this little problem for a week now and you have been a BIG help. Thank you.

p.s. "Comdata" is the software they use to communicate with the truckers. Freightways, Inc. is a trucking company.

FSUNoles68


0

Response Number 10
Name: garyontheriver
Date: November 5, 2004 at 23:55:04 Pacific
Reply:

Check out article 323869 at Microsoft's site. They explain how to reset your homepage once you're sure you've gotten rid of the viruses in your system.


0

Response Number 11
Name: FSUNoles68
Date: November 8, 2004 at 06:19:39 Pacific
Reply:

FINALLY!!! Thank you SO much to those of you who helped! It seems that once we deleted those entries and files, all we needed to do was set the homepage back to the way it was. Right now everything looks great!! Thank you once again.

FSUNoles68


0
