Explorer HiJacked on Launch; Help!!

Greetings,

I know I've had to dela with this issue before but I can't find the reference.  When I start up Internet Explorer my home page is hijacked with some stupid web site called Search-Space.com.

When I go to Tools/Internet Options/General, I can not change the Home Page option (It won't highlight!)

I ran SpyBot and got rid of a bunch of nasty cookies, but rebooting did no good.   Remind me what I need to do, please.

John Esler
(EslerJJJ)
eslerjjjAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CrazyOneCommented:
Check for adware and sypware

spybot here
http://spybot.safer-networking.de/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Spycop:
http://www.spycop.com/

Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenver one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
0
sunray_2003Commented:
Also run  hijackthis and post us the log

Sunray
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

CrazyOneCommented:
Run this Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip and post the results.
0
sunray_2003Commented:
Also check these registry keys and if you see search-space, delete that key


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Sunray
0
sunray_2003Commented:
You may want to repair or reinstall IE if you still find Home page option ( not being highlighted) after removing spyware

Repair IE :
-----------

Start > Run rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g

or

Start > Run rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\windows\inf\ie.inf

Reinstall IE:
-------------

Description of the Internet Explorer Repair Tool
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q194/1/77.asp&NoWebContent=1

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows XP
http://support.microsoft.com/?kbid=318378

or

Repair Internet Explorer 6
http://www.theeldergeek.com/repair_ie6.htm

How to Uninstall Internet Explorer 6
http://support.microsoft.com/?kbid=293907

Sunray
0
CrazyOneCommented:
This one supposedly handles

Supposedly this will remove this and it is free

CoolWebShredder
http://www.spychecker.com/program/cwshredder.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
CrazyOneCommented:
>>>When I go to Tools/Internet Options/General, I can not change the Home Page option (It won't highlight!)


Start > Run gpedit.msc

User Configuration > Administrative Templates > Windwows Componenents > Internet Explorer

Double Click Disable changing home page settings and if it is set to Enabled then set it to Not configured

This is what MS says about this policy

"Prevents users from changing the home page of the browser. The home page is the first page that appears when users start the browser.

If you enable this policy, the settings in the Home Page area on the General tab in the Internet Options dialog box appear dimmed.

If you disable this policy or do not configure it, users can change their home page.

If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface.

This policy is intended for administrators who want to maintain a consistent home page across their organization."
0
GnartCommented:
Logon as administrator - use regedt32 to open the registry.... go to key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main - and check your security for they key.  If you can't find it - use regedit first to locate the URL and the key that's in the Local Machine - then use regedit32.....

cheers
0
eslerjjjAuthor Commented:
Greetings again,

Per many of your suggestions, I ran "HiJack This" and am including the log per your instructions.  What now, oh wise souls?

Eslerjjj



Logfile of HijackThis v1.97.7
Scan saved at 6:55:04 PM, on 12/09/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\System32\WMRUNDLL.EXE
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\NOVELL\GroupWise\GrpWise.exe
C:\winzip80\winzip32.exe
C:\DOCUME~1\e20110\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [QuickTime Task] c:\winnt\qttasks.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://pgeweb/
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom


0
CrazyOneCommented:
Get rid of these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
0
CrazyOneCommented:
Get rid of these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
0
CrazyOneCommented:
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://pgeweb/
0
eslerjjjAuthor Commented:
Crazyone,

Per your suggestion:

(Run gpedit.msc;User Configuration > Administrative Templates > Windwows Componenents > Internet Explorer, Disable changing home page settings.

It was already set to "Not configured"

Eslerjjj
0
eslerjjjAuthor Commented:
Crazyone,

Just saw your last email.  A question before I make your deletions.   The homepage I would like to have back (had it until an hour ago) is the http:\\pgeweb.  Your instruction included getting rid of both lines that referenced that.  Is that really what you want me to do??

Eslerjjj
0
CrazyOneCommented:
Yeah go ahead you can reset it later after doing the cleanup.
0
eslerjjjAuthor Commented:
Oh collected wisdom of expert-exchange,

Probably several of you figured this out, btu I'll give the credit to Crazyone.  While waiting for your very last email, I saw an earlier one that suggested running this:

CoolWebShredder
http://www.spychecker.com/program/cwshredder.html 

It did the trick and freed up the internet options so I could reset the homepage.

Thank you all for comments and good suggestions.

Eslerjjj


0
GnartCommented:
I tried the gpedit.msc a couple of times before I posted the checking of the security on the option.  It did not dimmed the homepage setting in IE....

cheers
0
CrazyOneCommented:
Hmmm interesting Gnart it dimmed it for me. I can't access the home page settings at all from the Internet Options
0
GnartCommented:
I just tried it again and it didn't dimmed.  I can't be hijacked, LOL.  I am going to reboot and see if it works.  BTW, I wonder if logon as administrator effects its setting..... we'll find out...

cheers
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.