I've done a thorough scan using NAV on all files, ran easy cleaner and
adaware and still no luck. Any help would be greatly appreciated!
Probably the same as this:
Copied from some newsgroup:
This took some homework, but I figured it out. Amazing the security
holes that Microsoft put into their software, isn't it? Turns out,
this malicious bit of JavaScript also alters your hosts file -- this
is a special file in windows that can redirect web sites to IP
addresses. To fix it, do a file search for a file called 'Hosts'.
Its location may vary depending on which version of windows you are
running. There's also a file called lmhosts, but I don't think it
gets affected. Open 'hosts' with notepad and erase this line:
66.40.16.218 auto.search.msn.com
Reboot your computer, and it will be back to normal.
----
How to Restore the Default AutoSearch Search Page
http://support.microsoft.com/support/kb/articles/q179/4/02.asp
----
Then in Win9x you can go into IE: Tools/Internet Options - Security Tab -
Customise and enter the site to block as the aforementioned IP address.
HTH
TB
This is a new virus, apparently being distributed unwittingly through
pop-up ads on a number of sites which subscribe to pop-up advertising
services. Yet another reason why sites using pop-up ads should quit
it!
It's apparently a malicious javascript which installs a file called
sp.dll in your Windows directory, and puts "regedit -s
c:\windows\sp.dll" in the startup Run command lines in your registry
to restore the settings if you delete them.
To fix it you must:
1. Move and rename the file sp.dll from your Windows directory (if you
look at it with a text editor, you will see that it is actually a
registry .reg file containing the entries for jethomepage)
2. Run regedit, search for the regedit command line above in the "Run"
section of your registry, and delete the entry containing it.
3. Also in regedit, search for every occurrence of "jethomepage.com" in
your IE search entries (there are *lots* of them - thanks again
Microsoft), and change it back to the default search page you want.
There is another suspicious file called ce.exe (ostensibly a pop-up ad
program) which may be associated with installing sp.dll, so make sure
that you get rid of that and all references to it as well. Do NOT run
the purported "uninstaller" for ce.exe. These programs have been
compressed and encrypted so that their content cannot be read.
Felix,
Thank you VERY much!!! I appreciate your help!! You were right on, that
was definitely my problem. I knew it was a Trojan but I couldn't find any
info on it. Would you mind telling me where you found out about it? In any
case thank you again I really appreciate it!
I had to remove it from a system on which it had just showed up, so I
was able to search for all files created or modified "today" on the
system as a starting point. sp.dll was one of the candidates that
showed up.
Seeing the entries for "jethomepage.com", I also searched the registry
and the C: drive for any text containing "jethomepage.com". That would
have found it too, since the file wasn't encrypted.
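
The two persistence points described in this thread, the redirecting hosts entry and the "regedit -s" Run command, can be checked for mechanically. The Python below is an added example, not part of any post above; the sample inputs are constructed, and the Run value names ("sp", "SystemTray") and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed samples modelled on the entries quoted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
66.40.16.218    auto.search.msn.com   # entry quoted in the thread
"""
# Constructed Run-key export; the value names are placeholders, not from the thread.
SAMPLE_RUN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"sp"="regedit -s c:\\windows\\sp.dll"
"""

def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs that pin a name to a non-loopback address."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        if not (ip.is_loopback or ip.is_unspecified):
            hits.extend((str(ip), name.lower()) for name in fields[1:])
    return hits

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')
SILENT_IMPORT = re.compile(r'\bregedit(\.exe)?\s+[-/]s\b', re.I)

def silent_regedit_run_values(reg_text):
    """Return (value name, command) for Run values that silently import a file."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):               # key header: track whether we are in Run
            in_run = line.lower().rstrip("]").endswith(r"\currentversion\run")
            continue
        m = RUN_VALUE.match(line)
        if in_run and m:
            cmd = m.group("cmd").replace("\\\\", "\\")  # undo .reg backslash escaping
            if SILENT_IMPORT.search(cmd):
                hits.append((m.group("name"), cmd))
    return hits
```

Every hit is a candidate for review rather than proof of infection: a hosts file may legitimately pin names to addresses, so compare each entry against what the machine's owner actually configured.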