Valhalla Legends Archive

General => General Discussion => Topic started by: j0k3r on June 16, 2004, 05:57 AM

Title: Infection (tagpa.dll)
Post by: j0k3r on June 16, 2004, 05:57 AM
Before any of you suggest it, I'm not changing browsers.

Recently I clicked on a picture, and got f'ed over. My homepage is always set to (res://tagpa.dll/index.html#96676), I've used ad-aware, Norton, cleared all internet folders, and tried deleting it manually, to no avail. I've also downloaded IE6SP1 and tried to reinstall, however while installing it says that it has not been logo certified by Microsoft (or something similar), I got it off microsoft.com. A google search came up with nothing on tagpa.dll.

Has anybody had any experience with this? Right now I'm looking towards a reformat, but wanted to know any other options so that I don't waste 10CDs backing everything up.
Title: Re:Infection (tagpa.dll)
Post by: Hazard on June 16, 2004, 06:01 AM
I've had similar situations where something like that has happened to me but it was more of just a browser hijacker. I'm sure somebody has had your same problem and I think what you should do is make a log of your scan after you scan with a program called HijackThis (I don't have the link on hand) and then post it on the Computer Cops (http://www.computercops.us/) forums. More likely than not, they will be able to help you with your problem.
Title: Re:Infection (tagpa.dll)
Post by: Eibro on June 16, 2004, 06:05 AM
Sounds similar to what happened to me. The dll name is random as far as I can tell. It's injected into explorer.exe-- to delete it you need to eject it, or kill explorer.exe and delete it. After that, ensure your winnt folder isn't shared (this was one of the side effects of the infection) and run through the registry and delete all references to the dll in HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER \SOFTWARE\Microsoft\Internet Explorer. Finished? Now, switch browsers.
Title: Re:Infection (tagpa.dll)
Post by: iago on June 16, 2004, 10:02 AM
My friend had a problem with an IE hijack, and nothing would solve it.  Every time he uses his computer, it comes back.  He runs some protection programs now, so every time it reinstalls itself he's instantly alerted.  Fortunately, the only time he gets it is when IE is running, or something that uses IE is running (outlook, etc.).  I convinced him to change browsers, and since he's been on Mozilla he gets it a lot less.
Title: Re:Infection (tagpa.dll)
Post by: j0k3r on June 16, 2004, 11:01 AM
I found hijackthis... http://www.spychecker.com/download/download_hijackthis.html

Running it now, and posting on computer cops, thanks Hazard.
Title: Re:Infection (tagpa.dll)
Post by: muert0 on June 16, 2004, 12:19 PM
You could also run your AV and spybot or adaware in safe mode. Or run trendmicro's housecall.  http://www.trendmicro.com
Title: Re:Infection (tagpa.dll)
Post by: Hazard on June 16, 2004, 03:08 PM
Quote from: iago on June 16, 2004, 10:02 AM
My friend had a problem with an IE hijack, and nothing would solve it.  Every time he uses his computer, it comes back.  He runs some protection programs now, so every time it reinstalls itself he's instantly alerted.  Fortunately, the only time he gets it is when IE is running, or something that uses IE is running (outlook, etc.).  I convinced him to change browsers, and since he's been on Mozilla he gets it a lot less.

I had the exact... same... problem. Something I did fixed it though, because it's gone now.
Title: Re:Infection (tagpa.dll)
Post by: Hazard on June 16, 2004, 03:08 PM
Quote from: j0k3r on June 16, 2004, 11:01 AM
I found hijackthis... http://www.spychecker.com/download/download_hijackthis.html

Running it now, and posting on computer cops, thanks Hazard.

No problem, they'll help you out from here.
Title: Re:Infection (tagpa.dll)
Post by: j0k3r on June 16, 2004, 08:34 PM
No reply after 7 hours... Decided I'd reformat. Checking out opera, maybe I'll try Mozilla too before I reformat.
Title: Re:Infection (tagpa.dll)
Post by: l)ragon on June 16, 2004, 08:41 PM
Quote from: j0k3r on June 16, 2004, 08:34 PM
No reply after 7 hours... Decided I'd reformat. Checking out opera, maybe I'll try Mozilla too before I reformat.

Opera is great there's a few neat features in it, like the refresh timer among other things.
Title: Re:Infection (tagpa.dll)
Post by: Stealth on June 17, 2004, 12:01 AM
Fox 0.9 (http://mozilla.org/products/firefox) is pretty slick.
Title: Re:Infection (tagpa.dll)
Post by: j0k3r on June 17, 2004, 05:19 AM
There's a few things I'm not liking about it, like how there's an ad at the top, and the status bar at the bottom disappears when it's not in use, making the page look jumpy. It also looks a little bit different from IE, not sure what it is.

Edit: Ah, zoom was at 110%, and the advertisement at the top moves the page down a little bit, anyone know if it's possible to hack that out or get a keygen?

Edit2: I do like how it caches page in ram, so that the back button loads them instantly.
Title: Re:Infection (tagpa.dll)
Post by: iago on June 17, 2004, 07:38 AM
Quote from: j0k3r on June 17, 2004, 05:19 AM
and the status bar at the bottom disappears when it's not in use, making the page look jumpy

That's optional, I forget where the option is, though.
Title: Re:Infection (tagpa.dll)
Post by: j0k3r on June 17, 2004, 12:04 PM
You can put it in the address bar, but I don't want it there.
Title: Re:Infection (tagpa.dll)
Post by: Eli_1 on June 17, 2004, 01:02 PM
I just tried Opera for the first time today. It's the first *non-IE* browser I've ever used and I love it.

Pros:
- It's very customizable.
- It's easy to install and use.
- I especially like how I can right click on just about any toolbar or button and choose to remove it.
- I also like this referrer logging feature iago told me about.
- Tabbed browsing is a god-send.
- I like how I can choose to have the browser load with no pages loaded.
- It's pretty. :)

Cons:
- I hate the god damn banner at the very top.
- I don't like how the page will load and then all the little pictures will start popping up everywhere. It reminds me too much of AOL. If the page isn't fully loaded I don't want to see it yet.  >:(
Title: Re:Infection (tagpa.dll)
Post by: iago on June 17, 2004, 01:20 PM
Quote from: Eli_1 on June 17, 2004, 01:02 PM
- I hate the god damn banner at the very top.
I don't even notice it most of the time, you'll get over it.  Plus, it's a tiny banner, especially on linux :)

Quote
- I don't like how the page will load and then all the little pictures will start popping up everywhere. It reminds me too much of AOL. If the page isn't fully loaded I don't want to see it yet.  >:(
There's probably an option to turn it off, but, again, you'll get over it :)
Title: Re:Infection (tagpa.dll)
Post by: Eli_1 on June 17, 2004, 01:54 PM
Quote from: iago on June 17, 2004, 01:20 PM
Quote
- I don't like how the page will load and then all the little pictures will start popping up everywhere. It reminds me too much of AOL. If the page isn't fully loaded I don't want to see it yet.  >:(
There's probably an option to turn it off, but, again, you'll get over it :)

Yea there was an option for it, thanks iago.
Tools -> Preferences -> Windows -> Redraw when loaded
Title: Re:Infection (tagpa.dll)
Post by: muert0 on June 17, 2004, 02:05 PM
Offtopic but with that avatar you should only say angry things and he should have his finger in the air and be saying I'm doing this as hard as I can.:)

I guess I'll also leave a list of tips and tricks for firefox:
http://texturizer.net/firefox/tips.html
Also, in your browser type about:config for an easy way to alter the configuration.
Title: Re:Infection (tagpa.dll)
Post by: Hazard on June 18, 2004, 09:54 AM
Did you ever get any help from anyone at the ComputerCops website jok3r?
Title: Re:Infection (tagpa.dll)
Post by: Grok on June 19, 2004, 03:34 AM
FWIW, while I take reasonable precautions against virii, trojans, vulnerabilities, sometimes things get through.  When it happens, I always reformat and reinstall the OS, then restore my system from a clean backup, and roll forward with other installs.  It is the quickest, safest method that doesn't cost much in time or disk space.

You have to assume that once exploited, your system is their system.  There are too many places in MS Windows to hide things, and no one security system can find and identify them all.  That is why a good backup is your best protection.
Title: Re:Infection (tagpa.dll)
Post by: j0k3r on June 19, 2004, 05:17 AM
Quote from: Eli_1 on June 17, 2004, 01:54 PM
Yea there was an option for it, thanks iago.
Tools -> Preferences -> Windows -> Redraw when loaded
Thanks man, I'd never bothered going into there, turned off pop ups too.

Quote from: Hazard on June 18, 2004, 09:54 AM
Did you ever get any help from anyone at the ComputerCops website jok3r?
http://www.computercops.us/postp210740.html#210740
:-\

Grok -- The only things I care about are my music downloads and game files, because it would take about 10 hours to re-download everything I have. Fortunately I did back them up and I buy all my games.

Actually, it'd be nice if I could save my computer and internet settings too, then reload them from CD, does XP offer this feature?
Title: Re:Infection (tagpa.dll)
Post by: warz on June 19, 2004, 10:56 AM
Well, I fixed this problem on my sister's computer. I'll tell you how I did it.
If I remember correctly, it keeps replicating itself with tons of random .dll files, and randomly named exe files. First, I deleted the .dll file that the IE browser uses as its homepage. Then, I deleted "C:\WINDOWS\system32\syssg32.dll {66EF0D72-55A0-257D-BE1E-869C17411C8A}", that file seemed to be the culprit of most of the replication, considering once I deleted it, nothing else ever popped back up. Then, I went into the C:\WINDOWS folders, and system32 folders, and had to delete the randomly named dll and exe files that would be running in the task manager. You'll recognize them because they are randomly named, and around 4 letters long, and you won't know wtf they are :-P. Then I hit up the registry, and deleted a bunch of the entries that pointed to those file names. The keys I looked in were:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

and then the HKEY_CURRENT_USER equiv. of those keys also. After that it hasn't popped up again.

edit: after that I installed TCMonitor, moosoft.com (http://www.moosoft.com), it's a great registry monitoring program.
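
The registry locations named in warz's and Eibro's posts above can be listed without changing anything. The following is an added example, not part of either post: a read-only PowerShell audit whose function names and matching heuristics (res:// data, short file names under the Windows directory) are assumptions drawn from the descriptions in this thread.

```powershell
# Added example: read-only audit of the registry locations named in this thread.
# Nothing is modified or deleted; the script only lists values for review.

function Test-Suspicious {
    param([string]$Data)
    # Assumed heuristics, taken from the posts: a res:// page served out of a DLL,
    # or a short (about four letter) .dll/.exe name under the Windows directory.
    if ($Data -match '(?i)res://') { return 'res:// URL' }
    if ($Data -match '(?i)\\(windows|winnt)\\(system32\\)?[a-z]{3,5}\.(dll|exe)') {
        return 'short file name in Windows directory'
    }
    return ''
}

function Get-KeyValues {
    param([Microsoft.Win32.RegistryKey[]]$Key)
    foreach ($k in $Key) {
        foreach ($valueName in $k.GetValueNames()) {
            $data = [string]$k.GetValue($valueName)
            [pscustomobject]@{
                Key  = $k.Name
                Name = $valueName
                Data = $data
                Flag = Test-Suspicious -Data $data
            }
        }
    }
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    # Autorun keys: list every value, since each one starts a program at logon.
    foreach ($name in 'Run', 'RunOnce', 'RunServices') {
        $path = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        if (Test-Path -LiteralPath $path) { Get-KeyValues -Key (Get-Item -LiteralPath $path) }
    }
    # Internet Explorer settings (home page, search pages): list flagged values only.
    $ie = "$hive\SOFTWARE\Microsoft\Internet Explorer"
    if (Test-Path -LiteralPath $ie) {
        $ieKeys = @(Get-Item -LiteralPath $ie) +
                  @(Get-ChildItem -LiteralPath $ie -Recurse -ErrorAction SilentlyContinue)
        Get-KeyValues -Key $ieKeys | Where-Object { $_.Flag }
    }
}
$report | Sort-Object Key, Name | Format-List Key, Name, Data, Flag
```

A flag marks a value to look at by hand; short legitimate file names will match the second pattern too.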
Title: Re:Infection (tagpa.dll)
Post by: j0k3r on June 24, 2004, 05:50 AM
Well, I found tagpa.dll in the system32 folder and deleted it but I think it will come back, the rest of your instructions (syssg32.dll, registry, 4 letter processes) didn't exist.

Right now I took what I did with my mail button and gmail, and applied it to the shortcut. It overrides the homepage and takes me where I told it to by adding the address of the webpage after the target path for the shortcut. I'm still getting the popups though and need to reinstall.