eslerjjj

Explorer HiJacked on Launch; Help!!

Greetings,

I know I've had to deal with this issue before but I can't find the reference.  When I start up Internet Explorer my home page is hijacked with some stupid web site called Search-Space.com.

When I go to Tools/Internet Options/General, I can not change the Home Page option (It won't highlight!)

I ran SpyBot and got rid of a bunch of nasty cookies, but rebooting did no good.   Remind me what I need to do, please.

John Esler
(EslerJJJ)
CrazyOne

Check for adware and spyware

spybot here
http://spybot.safer-networking.de/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Spycop:
http://www.spycop.com/

Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster http://www.wilderssecurity.net/bhblaster.html | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenever one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
Also run  hijackthis and post us the log

Sunray
Run this Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip and post the results.
Also check these registry keys and if you see search-space, delete that key


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Sunray
You may want to repair or reinstall IE if you still find Home page option ( not being highlighted) after removing spyware

Repair IE :
-----------

Start > Run rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g

or

Start > Run rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\windows\inf\ie.inf

Reinstall IE:
-------------

Description of the Internet Explorer Repair Tool
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q194/1/77.asp&NoWebContent=1

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows XP
http://support.microsoft.com/?kbid=318378

or

Repair Internet Explorer 6
http://www.theeldergeek.com/repair_ie6.htm

How to Uninstall Internet Explorer 6
http://support.microsoft.com/?kbid=293907

Sunray
ASKER CERTIFIED SOLUTION
CrazyOne
>>>When I go to Tools/Internet Options/General, I can not change the Home Page option (It won't highlight!)


Start > Run gpedit.msc

User Configuration > Administrative Templates > Windows Components > Internet Explorer

Double Click Disable changing home page settings and if it is set to Enabled then set it to Not configured

This is what MS says about this policy

"Prevents users from changing the home page of the browser. The home page is the first page that appears when users start the browser.

If you enable this policy, the settings in the Home Page area on the General tab in the Internet Options dialog box appear dimmed.

If you disable this policy or do not configure it, users can change their home page.

If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface.

This policy is intended for administrators who want to maintain a consistent home page across their organization."
Gnart

Logon as administrator - use regedt32 to open the registry.... go to key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main - and check your security for the key.  If you can't find it - use regedit first to locate the URL and the key that's in the Local Machine - then use regedt32.....

cheers
ASKER

Greetings again,

Per many of your suggestions, I ran "HiJack This" and am including the log per your instructions.  What now, oh wise souls?

Eslerjjj



Logfile of HijackThis v1.97.7
Scan saved at 6:55:04 PM, on 12/09/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\System32\WMRUNDLL.EXE
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\NOVELL\GroupWise\GrpWise.exe
C:\winzip80\winzip32.exe
C:\DOCUME~1\e20110\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [QuickTime Task] c:\winnt\qttasks.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://pgeweb/
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pge.enron.com,enron.com,corp.dom
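
An added example, not part of the original thread: a small triage pass over a HijackThis log like the one posted above. It pulls out the entry lines and lists the ones worth a manual look: R0/R1 Internet Explorer URL values pointing at a host outside an allowlist, O2 Browser Helper Objects, and O6 lines, which mark IE policy keys of the kind that grey out Internet Options. The sample lines are copied from the log above; treating `pgeweb` as a trusted host is an assumption based on the asker's stated intranet home page.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "R0 - ...", "O16 - ..."
REG_VALUE = re.compile(r"^(HK[A-Z_]+\\[^,]+),(.+?) = ?(.*)$")  # key,value name = data
BHO = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")   # name - CLSID - DLL path

def parse(log):
    """Yield (section, body) per entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log, trusted_hosts):
    """Return (section, reason, body) tuples to review by hand before fixing anything."""
    findings = []
    for section, body in parse(log):
        reg = REG_VALUE.match(body)
        bho = BHO.match(body)
        if section in ("R0", "R1") and reg:
            host = urlparse(reg.group(3)).hostname  # None for about:blank or empty data
            if host and host not in trusted_hosts:
                findings.append((section, "untrusted host " + host, body))
        elif section == "O2" and bho:
            findings.append((section, "BHO %s loads %s" % bho.groups(), body))
        elif section == "O6":
            findings.append((section, "IE options restricted by policy key", body))
    return findings

if __name__ == "__main__":
    for section, reason, _ in triage(SAMPLE_LOG, {"pgeweb"}):  # assumed allowlist
        print(section, reason)
```
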


Get rid of these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
Get rid of these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pgeweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PGE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://pgeweb/
Crazyone,

Per your suggestion:

(Run gpedit.msc; User Configuration > Administrative Templates > Windows Components > Internet Explorer, Disable changing home page settings.)

It was already set to "Not configured"

Eslerjjj
Crazyone,

Just saw your last email.  A question before I make your deletions.   The homepage I would like to have back (had it until an hour ago) is the http:\\pgeweb.  Your instruction included getting rid of both lines that referenced that.  Is that really what you want me to do??

Eslerjjj
Yeah go ahead you can reset it later after doing the cleanup.
Oh collected wisdom of expert-exchange,

Probably several of you figured this out, but I'll give the credit to Crazyone.  While waiting for your very last email, I saw an earlier one that suggested running this:

CoolWebShredder
http://www.spychecker.com/program/cwshredder.html 

It did the trick and freed up the internet options so I could reset the homepage.

Thank you all for comments and good suggestions.

Eslerjjj


I tried the gpedit.msc a couple of times before I posted the checking of the security on the option.  It did not dim the homepage setting in IE....

cheers
Hmmm interesting Gnart it dimmed it for me. I can't access the home page settings at all from the Internet Options
I just tried it again and it didn't dim.  I can't be hijacked, LOL.  I am going to reboot and see if it works.  BTW, I wonder if logon as administrator affects its setting..... we'll find out...

cheers