Solved

Explorer HiJacked on Launch; Help!!

Posted on 2003-12-09
Last Modified: 2010-04-13
Greetings,

I know I've had to deal with this issue before but I can't find the reference.  When I start up Internet Explorer my home page is hijacked with some stupid web site called Search-Space.com.

When I go to Tools/Internet Options/General, I can not change the Home Page option (It won't highlight!)

I ran SpyBot and got rid of a bunch of nasty cookies, but rebooting did no good.   Remind me what I need to do, please.

John Esler
(EslerJJJ)
0
Question by:eslerjjj
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9909212
Check for adware and spyware

spybot here
http://spybot.safer-networking.de/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Spycop:
http://www.spycop.com/

Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenever one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9909213
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9909215
Also run  hijackthis and post us the log

Sunray
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9909216
Run this Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip and post the results.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9909222
Also check these registry keys and if you see search-space, delete that key


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9909232
You may want to repair or reinstall IE if you still find Home page option ( not being highlighted) after removing spyware

Repair IE :
-----------

Start > Run rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g

or

Start > Run rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\windows\inf\ie.inf

Reinstall IE:
-------------

Description of the Internet Explorer Repair Tool
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q194/1/77.asp&NoWebContent=1

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows XP
http://support.microsoft.com/?kbid=318378

or

Repair Internet Explorer 6
http://www.theeldergeek.com/repair_ie6.htm

How to Uninstall Internet Explorer 6
http://support.microsoft.com/?kbid=293907

Sunray
0
 
LVL 44

Accepted Solution

by:
CrazyOne earned 100 total points
ID: 9909289
This one supposedly handles

Supposedly this will remove this and it is free

CoolWebShredder
http://www.spychecker.com/program/cwshredder.html
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9909345
>>>When I go to Tools/Internet Options/General, I can not change the Home Page option (It won't highlight!)


Start > Run gpedit.msc

User Configuration > Administrative Templates > Windows Components > Internet Explorer

Double Click Disable changing home page settings and if it is set to Enabled then set it to Not configured

This is what MS says about this policy

"Prevents users from changing the home page of the browser. The home page is the first page that appears when users start the browser.

If you enable this policy, the settings in the Home Page area on the General tab in the Internet Options dialog box appear dimmed.

If you disable this policy or do not configure it, users can change their home page.

If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface.

This policy is intended for administrators who want to maintain a consistent home page across their organization."
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9909362
Logon as administrator - use regedt32 to open the registry.... go to key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main - and check your security for the key.  If you can't find it - use regedit first to locate the URL and the key that's in the Local Machine - then use regedt32.....

cheers
0
 

Author Comment

by:eslerjjj
ID: 9909377
Greetings again,

Per many of your suggestions, I ran "HiJack This" and am including the log per your instructions.  What now, oh wise souls?

Eslerjjj



Logfile of HijackThis v1.97.7
Scan saved at 6:55:04 PM, on 12/09/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\System32\WMRUNDLL.EXE
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\NOVELL\GroupWise\GrpWise.exe
C:\winzip80\winzip32.exe
C:\DOCUME~1\e20110\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [QuickTime Task] c:\winnt\qttasks.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://pgeweb/
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom


0
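A way to triage the result lines of a log like the one above, as an added example that is not part of the original thread: it parses HijackThis section codes, flags R0/R1 URL values whose host is not on an allowlist, and reports O6 lines, which show IE policy keys of the kind that can lock Internet Options. The function names and the allowlist containing `pgeweb` (the home page the poster says he wants back) are assumptions.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted above (result lines only).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")         # e.g. "R0 - ...", "O6 - ..."
REG_VALUE = re.compile(r"^([^,]+),([^=]+?) = ?(.*)$")  # "key,value name = data"

def parse_log(text):
    """Return (section_code, body) for every HijackThis result line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and running-process lines do not match and are skipped
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries, allowed_hosts):
    """Flag R0/R1 URLs on unexpected hosts and O6 policy restrictions."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if not m:
                continue  # R line without the "key,name = data" shape
            # hostname is None for about:blank, empty data and window titles
            host = urlparse(m.group(3).strip()).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append(("redirect", m.group(1) + "\\" + m.group(2), host))
        elif code == "O6":
            # A Policies key is present: IE options may be locked for this user.
            findings.append(("policy-lock", body.replace(" present", ""), None))
    return findings

if __name__ == "__main__":
    # Assumption: "pgeweb" is the only host expected as a home page here.
    for kind, key, host in triage(parse_log(SAMPLE_LOG), {"pgeweb"}):
        print(kind, key, host or "")
```
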
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9909390
Get rid of these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9909400
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://pgeweb/
0
 

Author Comment

by:eslerjjj
ID: 9909410
Crazyone,

Per your suggestion:

(Run gpedit.msc; User Configuration > Administrative Templates > Windows Components > Internet Explorer, Disable changing home page settings.)

It was already set to "Not configured"

Eslerjjj
0
 

Author Comment

by:eslerjjj
ID: 9909422
Crazyone,

Just saw your last email.  A question before I make your deletions.   The homepage I would like to have back (had it until an hour ago) is the http:\\pgeweb.  Your instruction included getting rid of both lines that referenced that.  Is that really what you want me to do??

Eslerjjj
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9909461
Yeah go ahead you can reset it later after doing the cleanup.
0
 

Author Comment

by:eslerjjj
ID: 9909511
Oh collected wisdom of expert-exchange,

Probably several of you figured this out, but I'll give the credit to Crazyone.  While waiting for your very last email, I saw an earlier one that suggested running this:

CoolWebShredder
http://www.spychecker.com/program/cwshredder.html

It did the trick and freed up the internet options so I could reset the homepage.

Thank you all for comments and good suggestions.

Eslerjjj


0
 
LVL 13

Expert Comment

by:Gnart
ID: 9911301
I tried the gpedit.msc a couple of times before I posted the checking of the security on the option.  It did not dim the homepage setting in IE....

cheers
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9913552
Hmmm interesting Gnart it dimmed it for me. I can't access the home page settings at all from the Internet Options
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9914162
I just tried it again and it didn't dim.  I can't be hijacked, LOL.  I am going to reboot and see if it works.  BTW, I wonder if logon as administrator affects its setting..... we'll find out...

cheers
0
