Question

IE - HomePage Stuck on http://213.159.117.132/redir.php

Asked by: SeanOdom

It started with one PC in my network with the IE homepage stuck on http://213.159.117.132/redir.php.  Now there are three, and these are machines whose users would in no way go to porn sites or places like that.  No matter what I do I cannot get rid of it.  Here's what I have done so far:  ran Ad-Aware (with updated DATs), ran SpyCop (with updated DATs), ran Norton Corporate Edition (with updated DATs).  Went into the registry and changed every instance of the line "http://213.159.117.132/redir.php".  Before I am even done it has replaced it.  I have also run a repair of IE and reinstalled IE.  No luck.

I have also cleared the RUN and RUN ONCE folders in the registry.  A peculiar command comes back calling to run either Lykopex.exe or P99EU.exe, which I have replaced in the C:\WINNT\SYSTEM32 directory with other files.   When logging in, sometimes a small box appears called "Installer" but it locks up with "Not Responding" in the Task Manager Applications tab.   Having to rebuild one of these PCs will suck; I have spent so much time on this problem this morning.  I have techs rebuilding the other two.

I need the big brains on this.   ComputerCops.biz has a help request for it too as I noticed but no resolution.  The winner of this also gets shipped a couple of autographed books as well.

Sean Odom, CCIE, MCSE, CCNX
Sybex/Que Cisco Author


Asked On: 2004-05-28 at 12:20:15 (ID 21006165)
Topic: Windows 2000 Operating System
Participating Experts: 5
Points: 500
Comments: 22



Answers

 

by: sirbounty, posted on 2004-05-28 at 12:25:37 (ID: 11183426)


Check these links for online virus scanners.  It's recommended to run at least two of these.  
  Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
  Trend Micro -->     http://housecall.antivirus.com/housecall/start_corp.asp
  Panda ActiveScan--> http://www.pandasoftware.com/activescan/
  McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
  Stinger -->         http://download.nai.com/products/mcafee-avert/stinger.exe

These links Check for Spyware:
  Spybot-S&D -->  http://www.safer-networking.org/
  HijackThis -->  http://www.spychecker.com/program/hijackthis.html
  Ad-Aware -->    http://www.netsecurity.about.com/library/blfreespyware.htm
  Web Shredder--> http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
  Pest Patrol --> http://www.pestpatrol.com/downloads/eval/download.asp
  PCHell removal->http://www.pchell.com/support/spyware.shtml

  Make sure that after downloading these you update them.  It helps to try at least two of these.
  If all else fails, download HijackThis and post the log that is generated after running it on your system.

 

by: munkyxtc, posted on 2004-05-28 at 12:29:26 (ID: 11183459)

What OS is running on this/these systems?  

Also, do you have a hijack this log handy?

 

by: munkyxtc, posted on 2004-05-28 at 12:31:11 (ID: 11183475)

If these machines are running XP, have you cleaned out the prefetch folder?  The fact that the installer comes up on restart leads me to believe something may be hung up in there.  This only applies to XP of course.

 

by: SeanOdom, posted on 2004-05-28 at 12:39:20 (ID: 11183549)

All Are running 2000 Pro and here is the HiJackThis log File

Logfile of HijackThis v1.97.7
Scan saved at 12:36:23 PM, on 5/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Intel\Alert on LAN\winnt\proxy\aolnsrvr.exe
C:\winnt\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\winnt\Program Files\Executive Software\Diskeeper\DkService.exe
C:\winnt\system32\hidserv.exe
C:\Program Files\Intel\LDCM\bin\IIDS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\winnt\system32\regsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\winnt\system32\MSTask.exe
C:\winnt\System32\snmp.exe
C:\Program Files\HP\Insight Manager 7 SP2\WebDmi\WebDmi.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\System32\CPQNiMgt\CPQNIMGT.EXE
C:\winnt\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\winnt\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\Program Files\Intel\LDCM\bin\ssm.exe
C:\winnt\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\winnt\System32\CPQMGMT\CPQWMGMT.EXE
C:\winnt\system32\MsgSys.EXE
C:\winnt\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\winnt\system32\wlanSTA.EXE
C:\winnt\system32\sccmgr.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Documents and Settings\smo\Desktop\HijackThis.exe
C:\winnt\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Unified Messaging Client\LINEMGR.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [wlanSTA.EXE] wlanSTA.EXE START
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
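
As an added example (not part of the original thread, and not a HijackThis feature), the Python below parses the R0/R1 and O4 lines of a log like the one above and flags what a responder would look at first: start-page values whose host is a raw IP or is not on an allow-list of expected home pages, and Run entries that launch a bare file name instead of a full path. The embedded SAMPLE_LOG is constructed from the entry types on this page plus one benign entry for www.example.com; the allow-list is an assumption for the demo.

```python
"""Triage a HijackThis (v1.97-era) log: pull out the R0/R1 start-page
values and the O4 autostart entries, and flag the ones worth a closer look.

Added example for this thread, not a tool from the original post.  The
SAMPLE_LOG below is constructed from the entry types seen on this page plus
one benign start page (www.example.com) so the allow-list has something to
pass; the allow-list itself is an assumption for the demo.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# R0/R1 lines: "<code> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# O4 lines: "O4 - <key>: [<entry name>] <command line>"
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [wlanSTA.EXE] wlanSTA.EXE START
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
"""


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP rather than a DNS name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def parse_hjt(text):
    """Split a log into (start_page_entries, autostart_entries)."""
    pages, autostarts = [], []
    for line in text.splitlines():
        m = R_LINE.match(line)
        if m:
            code, hive, key, value, data = m.groups()
            pages.append({"code": code, "hive": hive, "key": key,
                          "value": value, "url": data.strip()})
            continue
        m = O4_LINE.match(line)
        if m:
            key, name, cmd = m.groups()
            autostarts.append({"key": key, "name": name, "cmd": cmd.strip()})
    return pages, autostarts


def suspicious_pages(pages, allowed_hosts):
    """Start-page values pointing at a raw IP or a host not on the allow-list.

    A literal IP in the start page is the classic hijacker tell: nobody sets
    http://213.159.117.132/... as a corporate home page by hand.
    """
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for p in pages:
        host = (urlparse(p["url"]).hostname or "").lower()
        if host_is_bare_ip(p["url"]) or host not in allowed:
            flagged.append(p)
    return flagged


def autostarts_without_full_path(autostarts):
    """Run entries whose command is a bare file name, not a drive-letter path.

    Not proof of anything (mobsync.exe is a normal Windows component), but a
    bare name is resolved through the search path, so it is the first thing
    to verify when something keeps re-launching after its Run value is gone.
    """
    return [a for a in autostarts
            if not re.match(r'^"?[A-Za-z]:\\', a["cmd"])]


def triage(text, allowed_hosts):
    """One-call summary: the URLs and entry names to look at first."""
    pages, autostarts = parse_hjt(text)
    return {
        "hijacked_pages": sorted({p["url"] for p in suspicious_pages(pages, allowed_hosts)}),
        "check_autostarts": sorted(a["name"] for a in autostarts_without_full_path(autostarts)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, {"www.example.com"}))
```

Run against the real log, the three redir.php values are the only pages flagged, and the two bare-name Run entries (wlanSTA.EXE and mobsync.exe) are the ones to confirm against known-good copies before ruling them out.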

 

by: munkyxtc, posted on 2004-05-28 at 12:48:52 (ID: 11183636)

I would check the boxes for these registry entries,

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

and remove these keys from the registry -- backup the reg first though

They are calling the app.  I'll look through it and see what else I can find in the log.

 

by: SeanOdom, posted on 2004-05-28 at 12:51:25 (ID: 11183657)

I have already checked and removed everything that was found on HiJack.  I rescan right afterwards and it is clear.  Within 20 seconds it has returned.  -Sean

 

by: munkyxtc, posted on 2004-05-28 at 12:55:12 (ID: 11183700)

hmmm...Ok, let me keep going through the log, and see what I can come up with.  

Also, when you said that it has returned; are we referring to the same registry entries that are present in the hijack log posted above?

 

by: rj-smith, posted on 2004-05-28 at 12:58:46 (ID: 11183732)

1. Update your Anti-Virus software
2. Download Ad-Aware from www.lavasoftusa.com
3. Update Ad-Aware
4. Run WindowsUpdate and apply all security fixes
5. Disconnect your PC from the Internet
6. Run Ad-Aware, remove all suspicious items.
7. Run your AV software.
8. Open Internet Explorer and modify settings as required.

Hopefully that will solve your problem.

 

by: munkyxtc, posted on 2004-05-28 at 13:00:55 (ID: 11183754)

I just noticed that IE 5.0 is installed.  Do you require this for testing/beta purposes; or could you update to 6.0?  That wouldn't be a bad idea either.  

 

by: munkyxtc, posted on 2004-05-28 at 13:04:32 (ID: 11183792)

After Ad-Aware was run, did it give you a popup window that said something like 'cannot remove the following: XXX, will proceed with removal on restart'?  If the hijack is being run from an active process this could cause it to continually be coming back... just a thought.

 

by: SeanOdom, posted on 2004-05-28 at 13:12:02 (ID: 11183852)

RJ-Smith -  I have done all that.

Munkyxtc - IE 6 was installed when we first started and reinstalled.  We decided to try and downgrade to the earlier version.  As for patches, we use SUS here so all the latest patches are installed once per day.

Munkyxtc - There was one process to eliminate on a reboot and I am running it again to see what the process is.

 

by: nomorefood, posted on 2004-05-28 at 13:12:10 (ID: 11183854)

Whatever is doing it probably has 213.159.117.132 encoded as a string in the application.  If all else fails, go to the command line (cmd.exe), navigate to the root and search for applications with that address.  It will take a while but it should find it (and this method is more reliable than using 'Find Files or Folders').

Start->Run->cmd.exe

cd /d c:\
findstr /i /s /m 213.159.117.132 *.*

And then investigate any files it finds.  If that doesn't work, you may want to try searching for redir.php, since the address could possibly be automatically generated.
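
The findstr approach above, as an added Python example (not from the original post): a recursive, case-insensitive byte search that reads every file in binary so DLLs and EXEs are covered, carries a tail between read chunks so a match on a chunk boundary is not lost, and also tries the UTF-16LE form of the marker, which an ASCII findstr pattern does not match even though Windows binaries often store strings that way. The file tree it searches is constructed sample data built in a temp directory; the file names echo the ones identified later in this thread but the contents are made up.

```python
"""Recursive, case-insensitive search of file contents for a marker string,
a portable stand-in for `findstr /i /s /m 213.159.117.132 *.*`.

Added example for this thread, not a tool from the original post.  The file
tree built by demo_tree() is constructed sample data (the names echo the
files identified later in the thread, but the contents are made up); no
real system is touched.
"""
import os
import tempfile


def files_containing(root, marker, chunk=1 << 20):
    """Yield paths under root whose bytes contain marker, ignoring case.

    Files are read in binary so executables and DLLs are searched, which is
    the point: the hijacker's URL is usually an embedded string in whatever
    binary keeps rewriting the registry.  Two encodings are tried, because an
    ASCII findstr pattern does not match the same string stored as UTF-16LE,
    which is how a Windows binary often keeps it.  A tail of len(needle)-1
    bytes is carried between chunks so a match straddling a chunk boundary
    is not lost.
    """
    needles = [marker.lower().encode("ascii"),
               marker.lower().encode("utf-16-le")]
    keep = max(len(n) for n in needles) - 1
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    tail = b""
                    while True:
                        block = fh.read(chunk)
                        if not block:
                            break
                        buf = tail + block.lower()
                        if any(n in buf for n in needles):
                            yield path
                            break
                        tail = buf[-keep:] if keep else b""
            except OSError:
                continue  # locked/unreadable file: skip it, as findstr does


def find_marker(root, marker):
    """Sorted, forward-slash relative paths of the files that contain marker."""
    return sorted(os.path.relpath(p, root).replace(os.sep, "/")
                  for p in files_containing(root, marker))


def demo_tree():
    """Constructed sample: one ASCII hit, one UTF-16LE hit, one clean file."""
    root = tempfile.mkdtemp(prefix="hijack_demo_")
    sys32 = os.path.join(root, "WINNT", "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "system32.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 64
                 + b"http://213.159.117.132/redir.php\x00")
    with open(os.path.join(root, "WINNT", "system.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00"
                 + "HTTP://213.159.117.132/REDIR.PHP".encode("utf-16-le"))
    with open(os.path.join(root, "WINNT", "notepad.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 128)
    return root


if __name__ == "__main__":
    root = demo_tree()
    print(find_marker(root, "213.159.117.132"))
    print(find_marker(root, "redir.php"))
```

Pointed at a real drive root it behaves like the findstr line (slow, but it reads everything it can open); files the hijacker holds locked are skipped, which is why the thread ends up deleting the culprits from Safe Mode.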

 

by: SeanOdom, posted on 2004-05-28 at 13:12:49 (ID: 11183859)

Munkyxtc - Removing the registry keys completely has been tried.

 

by: munkyxtc, posted on 2004-05-28 at 13:15:20 (ID: 11183884)

I was just questioning the part where you said they returned.  I didn't know if they were the same keys or different, or perhaps I just misunderstood the post.

 

by: SeanOdom, posted on 2004-05-28 at 13:16:13 (ID: 11183896)

Munkyxtc - Ad-Aware no longer states that it needs to reboot to end a process.

nomorefood - I am trying this now.  I had no idea you could search like that.  

 

by: SeanOdom, posted on 2004-05-28 at 13:20:49 (ID: 11183935)

munkyxtc - The identical keys return redirecting to http://213.159.117.132/redir.php

 

by: vpstyle, posted on 2004-05-28 at 13:22:44 (ID: 11183949)

Hey there :)
Read this article:
http://computercops.biz/postx44951-0-15.html&sid=ed63de21fc38dcdb4da9ed4ea7a28519

They had the same problem.
in the end:
"Ok Grift, that did it... If you don't have it working yet, goto safemode and search for the files 'system.exe' and 'system32.dll' delete both restart and all should be working normal again."
"well, i deleted system32.dll and all registry thingies that were associated

my spyguard caught the thing once when i rebooted (i had to delete in safe mode) but... since then it hasnt' tried to set itself up

soooooo, we'll see how long this lasts, i was getting popups every few seconds before saying that it has tried to change my homepage"

Hope it works for you. :)
~~Vaporz

 

by: munkyxtc, posted on 2004-05-28 at 13:22:49 (ID: 11183951)

well, isn't this just the little browser hijack from hell

I'm gonna take a mental [smoke] break, I'll check on the status when I get back

 

by: vpstyle, posted on 2004-05-28 at 13:24:57 (ID: 11183960)

Oops The link I provided was to the second page of the post. but you can just click the title of the post and it'll bring you to page 1 (where the person first asks about what's going on).

Sorry about that. :)~
~~vaporz

 

by: nomorefood, posted on 2004-05-28 at 13:34:24 (ID: 11184031)

I haven't looked at vpstyle's link, but another option would be to do the following:

1) download Regmon from Sysinternals
2) start it and set up the filter for 'redir.php'
3) delete the keys
4) see what process adds them

(I'm not into the brute force method of downloading every damned anti-spyware thing there is and running it.)

 

by: SeanOdom, posted on 2004-05-28 at 14:46:06 (ID: 11184493)

VPSTYLE - Was almost technically correct.  Delete the c:\winnt\system32\system32.dll and the file c:\winnt\system.exe in Safe mode.  But this worked and is the resolution.  munkyxtc gets an A+ for effort.  Both of you can get some books if you would like.  E-mail me your address at sodom@surewest.net.  Thanks!  -Sean

 

by: vpstyle, posted on 2004-05-28 at 16:28:29 (ID: 11184931)

I'm glad everything worked out for you!! :D
