IE6 keeps jumping to MSN.COM behaving like a spyware hijack.
Hello Techs,
I have a problem with internet explorer (IE6 with xp pro & sp2) where it keeps reverting to msn.com despite going into internet options and then use current, or blank for that matter. I’ve never had this problem before, especially straight after a fresh OS rebuild where browsing the net was strictly limited to trusted sights to obtain drivers, etc.
The symptom arose more or less immediately when I’d finished patching and then went about the paces of data migration, so no action other than rebuilding has forced this problem to appear. The OS installation had sp2 as part of the installation rather than as a separate addition.
To accompany the OS I immediately installed, after the patching, the free Zonealarm as firewall, Windows Defender beta and Lavasoft Adware Personal as anti-spyware, and then Avast anti-virus. I have tried the best breed spyware and anti-virus detection software - Spybot, CWshredder, Spydoctor, webspy, etc; all revealing nothing suspicious.
I have spent considerable time reading the existing postings, applied the advice given – ran sfc scannow, ran the ie.inf install, but still the browser points to msn.com. I have never seen anything like it.
I have also installed firefox as a secondary browser, with IE being the default browser, could this be the culprit?
Would downloading and re-installing sp2 solve the problem or make it worse, or do nothing?
Your contributions are (obviously) welcomed as it is rather urgent as I have spent nearly 2 days building this thing - its a raid 0 (stripe) setup , Dell 9150 intel on board raid controller, and am not in the slightest bit interested in starting again, but at the same time want this build to be as best as it will ever be....
I am quite experienced, been in the IT support industry for nearly 20 years and this is a real first for me to throw my hands up and ask for help.
I will publish hijack-this dump some point in the next 24 hours but would entertain contributions in the meantime.
Eternal student, I normally use windows defender for everyday protection and scanning and lavasoft personal edition for alternative scanning. I had extended my search for the 'bad apple' thats causing the problem by installing all the other best breed spyware/adware scanning software but to no avail.
War1, I ran the script and indeed it greyed out the url box where you would have you home page in the internet options box so now I cannot have a home page, so now a new problem and the existing persists where clicking the internet explorer still launches MSN.COM.
So, I am now one step backwards! Can the action you offered be reversed?
0
ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.
One of a set of tools we're offering as a way to say thank you for being a part of the community.
Windows Defender will reset your homepage to msn.com. Choose Advanced Tools–>Browser Hijack Restore, and highlight Start Page. Click “Change restore settings to a new URL,” type in your normal home page, then click OK. From now on, when Microsoft blocks a home page hijacking, it will let you keep your own home page, and won’t do a hijacking on its own.
After a major Windows Update, Microsoft will reset your homepage to msn.com
press Enter and navigate to this subkey and change your start page:(example is yahoo.com mail)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page"="http://mail.yahoo.com/"
Gee', this situation is becoming interesting but frustrating at the same time and a unique experience.
War1, I ran the script again and it reversed the action which is good but cannot figure out this bit -
"Choose Advanced Tools–>Browser Hijack Restore, and highlight Start Page. Click “Change restore settings to a new URL,” type in your normal home page, then click OK. From now on, when Microsoft blocks a home page hijacking, it will let you keep your own home page, and won’t do a hijacking on its own."
Which advanced tools do you mean?
Rpggamergirl, I actually ran that line the other day after reading some of the other tips before writing here and I got the big red 'X' Cannot edit Start Page: Error writing the value's new contents. I ran it again just to make sure and the same message appeared.
Here is a log of hijack this....
Logfile of HijackThis v1.99.1
Scan saved at 20:48:43, on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
You have the MSN Toolbar Search. If you did not install it, uninstall from Add/Remove Programs.
0
pointybumAuthor Commented:
Hello War,
Yes, I did install it - I use it for indexing my hard drive - do you think that piece of software has any relation to the problem I am currently experiencing?
I decided to go into the registry again, but in safe mode, and had successfully removed the the start page from hkey_current_user, software, microsoft, internet explorer, main, as advised in one of your previous postings elsewhere in the Browser section. This worked, it deleted so I rebooted and checked to see if explorer defaults to MSN.COM, and guess what, it still does!
So, went back into regedit and navigated but this time to hkey_local_machine, software, microsoft, internet explorer, main, and I see the start page line, defaulting to http://www.microsoft.com/isapi/redir.dll?prd={SUB_PR...
Any thoughts?
Rgs
G.
0
pointybumAuthor Commented:
One more thing, I've temporarily removed windows defender just so as to eliminate any possibilities that it might be the cause.... I will leave it off, as will all spyware products, until as such I get a resolution.
0
pointybumAuthor Commented:
Also, I went to Yahoo's UK home page and selected make yahoo my home page to see what would happen (hoping the web script would be aggresive enough to over-ride the msn defaults) and all I got was a relentlessly spinning hour glass, but in task manager is still shows as running so something is obviously blocking the change request.....
Keep Avast active, it does nothing to your homepage. Defender will prevent you from changing it. Did you remove it from startup or uninstall it. Uninstall should be the correct answer for now.
What is that epMon.exe? Looks like it should be uninstalled.
As War1 suggests, uninstall MSN Toolbar also.
StatBar is also questionable to me.
0
pointybumAuthor Commented:
Ok, epmon is a cpu utilisation program I have been using for over a year with no issues - installed on over a 100 computers, as with Statbar which is a similar product which sits above the taskbar giving cpu utilisation readout, memory usage, and network traffic, etc.
I have uninstalled windows defender using add/remove, not just removed it from startup.
Like I said at the beginning of my posting the MSN.COM default happened before installing the above software so I feel they are unrelated but will remove out of curiosity and report back.
Would re-installing service pack2 wipe all existing settings and perhaps cure the problem, or would that just make things worse, or make no difference.
Shouldn't need to reinstall SP2 at this point in time unless you have uninstalled it. Have you run a Win Update lately?
Have you tried uninstalling the MSN Toolbar? And rebooting?
0
pointybumAuthor Commented:
Hello Mtz1of4,
I havent as of yet uninstalled msn seach tool bar yet (presently at work and pc is at home) but will do shortly.
And yes, I had patched everything up prior to realising the msn default problem, and then yesterday there were 7 or 8 updates and I allowed those to download and install too.
Can I ask your thoughts on re-applying sp2 - what are the ramifications should i re-install sp2 - would it make any difference, and if I were to reinstall sp2 would i need to remove the current sp2 first....
You may need to restart the machine and run another HijackThis and post your Log to this page and then select Save Analysis and then paste the link in your reply. http://www.hijackthis.de/index.php
Also, do a search for your IERESET.INF and see what it says.
0
pointybumAuthor Commented:
Hello Mtz,
I have removed msn search desktop, rebooted and it still does it.
I ran hijack, posted the results and everything is graded safe with the exception of epmon and statbar which I have explained before as being unrelated and harmless.
With reference to the RO headings and their absence I cannot offer a response to that as I am not technical enough. If they're missing then would that be the reason for my issues, and if so, is there a remedy?
I did the IREREST.INF search amd found two files - 1 is called layout, stored in c:\windows\inf\ and the other is called setup, stored in c:\windows\repair\
I also did sfc /scannow, rebooted and still no joy.
; IMPORTANT NOTE:
; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
Does yours reference MSN.com? How does yours compare to mine?
0
pointybumAuthor Commented:
Hi Mtz,
There were other symptoms with explorer that concerned me too, that typing a new url into the explorer window and clicking to launch would sometimes take ages, like half a minute before jumping to experts exchange for example, and yet, if I clicked explorer to launch a new window, or go into firefox and fire up google, the pages launch instantly so something is definately not right and wasnt prepared to live with such an anomaly despite the great advice/fixes given.
So, with that said, I decided to flatten the pc and rebuild it and it wasnt a decision taken lightly as it does take some 8 hours to reformat the drives under raid 0 stripe configuration and then some more hours configuring to my requirements.
I am going to use my original xp pro sp2 than my back-up copy to ensure the installation is sound.
When back up and running, probably in the next 7/8 hours, I will report back with an update and award points for helping out.
Well, I have rebuilt my pc and everything is fabalousy perfect.
There must have been a dirty file somewhere in the MFT as I did harbour a suspicion to windows defender and/or msn search desktop hijacking explorer but couldnt totally agree with your thought processes as I've never experienced such an anomaly before, and that I do test new product releases aggresively for a few months on work computers before applying to my own homel computer.
So,its got to be a dirty file, akin to the infamous semi colon bug found on the stealth bomber so it no longer belly flops the tarmac just after take off... :)
Awards time - I would like to split between you to chaps as you've have both been helpful... How do I do it??
Because many of them will actually lock IE from changing homepage.