
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1827

IE6 keeps jumping to MSN.COM behaving like a spyware hijack.

Hello Techs,

   I have a problem with internet explorer (IE6 with xp pro & sp2) where it keeps reverting to despite going into internet options and then use current, or blank for that matter.  I’ve never had this problem before, especially straight after a fresh OS rebuild where browsing the net was strictly limited to trusted sites to obtain drivers, etc.

   The symptom arose more or less immediately when I’d finished patching and then went about the paces of data migration, so no action other than rebuilding has forced this problem to appear.  The OS installation had sp2 as part of the installation rather than as a separate addition.

   To accompany the OS I immediately installed, after the patching, the free Zonealarm as firewall, Windows Defender beta and Lavasoft Adware Personal as anti-spyware, and then Avast anti-virus.  I have tried the best breed spyware and anti-virus detection software - Spybot, CWshredder, Spydoctor, webspy, etc; all revealing nothing suspicious.

   I have spent considerable time reading the existing postings, applied the advice given – ran sfc scannow, ran the ie.inf install, but still the browser points to  I have never seen anything like it.

  I have also installed firefox as a secondary browser, with IE being the default browser, could this be the culprit?

  Would downloading and re-installing sp2 solve the problem or make it worse, or do nothing?

   Your contributions are (obviously) welcomed as it is rather urgent as I have spent nearly 2 days building this thing - it's a raid 0 (stripe) setup, Dell 9150 intel on board raid controller, and am not in the slightest bit interested in starting again, but at the same time want this build to be as best as it will ever be....

    I am quite experienced, been in the IT support industry for nearly 20 years and this is a real first for me to throw my hands up and ask for help.

    I will publish a hijack-this dump at some point in the next 24 hours but would entertain contributions in the meantime.


What anti-spyware program are you using?

Because many of them will actually lock IE from changing homepage.
Greetings, pointybum!

It could be an OEM issue where the computer reverts to the original home page.  Run this script to disable the behavior

Best wishes!
pointybum (Author) Commented:
Eternal student, I normally use windows defender for everyday protection and scanning and lavasoft personal edition for alternative scanning.  I had extended my search for the 'bad apple' that's causing the problem by installing all the other best breed spyware/adware scanning software but to no avail.

War1, I ran the script and indeed it greyed out the url box where you would have your home page in the internet options box so now I cannot have a home page, so now a new problem and the existing persists where clicking the internet explorer still launches MSN.COM.

So, I am now one step backwards!  Can the action you offered be reversed?
>> Can the action you offered be reversed?

Yes, you can run the script again.

Windows Defender will reset your homepage to  Choose Advanced Tools–>Browser Hijack Restore, and highlight Start Page. Click “Change restore settings to a new URL,” type in your normal home page, then click OK. From now on, when Microsoft blocks a home page hijacking, it will let you keep your own home page, and won’t do a hijacking on its own.

After a major Windows Update, Microsoft will reset your homepage to
Have you tried these?

Click Start > Run > type in

press Enter and navigate to this subkey and change your start page:(example is mail)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page"=""

If your homepage is locked you can unlock it with Kelly's Unlock homepage.reg:
pointybum (Author) Commented:

Gee, this situation is becoming interesting but frustrating at the same time and a unique experience.

War1, I ran the script again and it reversed the action which is good but cannot figure out this bit -

"Choose Advanced Tools–>Browser Hijack Restore, and highlight Start Page. Click “Change restore settings to a new URL,” type in your normal home page, then click OK. From now on, when Microsoft blocks a home page hijacking, it will let you keep your own home page, and won’t do a hijacking on its own."

Which advanced tools do you mean?

Rpggamergirl, I actually ran that line the other day after reading some of the other tips before writing here and I got the big red 'X' Cannot edit Start Page: Error writing the value's new contents.  I ran it again just to make sure and the same message appeared.

Here is a log of hijack this....
Logfile of HijackThis v1.99.1
Scan saved at 20:48:43, on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Globe Software\StatBar\StatBar.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\EPMon\epmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gordon & Renny\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [EPMon] C:\Program Files\EPMon\epmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



>> Which advanced tools do you mean?

It is the Advanced Tools in Windows Defender.
You have the MSN Toolbar Search.  If you did not install it, uninstall from Add/Remove Programs.
pointybum (Author) Commented:
Hello War,

   Yes, I did install it - I use it for indexing my hard drive - do you think that piece of software has any relation to the problem I am currently experiencing?

   I decided to go into the registry again, but in safe mode, and had successfully removed the start page from hkey_current_user, software, microsoft, internet explorer, main, as advised in one of your previous postings elsewhere in the Browser section.    This worked, it deleted so I rebooted and checked to see if explorer defaults to MSN.COM, and guess what, it still does!

   So, went back into regedit and navigated but this time to hkey_local_machine, software, microsoft, internet explorer, main, and I see the start page line, defaulting to{SUB_PR...

   Any thoughts?


pointybum (Author) Commented:
One more thing, I've temporarily removed windows defender just so as to eliminate any possibilities that it might be the cause....  I will leave it off, as will all spyware products, until as such I get a resolution.
pointybum (Author) Commented:
Also, I went to Yahoo's UK home page and selected make yahoo my home page to see what would happen (hoping the web script would be aggressive enough to over-ride the msn defaults) and all I got was a relentlessly spinning hour glass, but in task manager it still shows as running so something is obviously blocking the change request.....
Marc Z Commented:
Keep Avast active, it does nothing to your homepage.  Defender will prevent you from changing it.  Did you remove it from startup or uninstall it?  Uninstall should be the correct answer for now. is the analysis of the Hijack this log.

What is that epMon.exe?  Looks like it should be uninstalled.

As War1 suggests, uninstall MSN Toolbar also.

StatBar is also questionable to me.  
pointybum (Author) Commented:

Ok, epmon is a cpu utilisation program I have been using for over a year with no issues - installed on over 100 computers, as with Statbar which is a similar product which sits above the taskbar giving cpu utilisation readout, memory usage, and network traffic, etc.

I have uninstalled windows defender using add/remove, not just removed it from startup.

Like I said at the beginning of my posting the MSN.COM default happened before installing the above software so I feel they are unrelated but will remove out of curiosity and report back.

Would re-installing service pack2 wipe all existing settings and perhaps cure the problem, or would that just make things worse, or make no difference?


Marc Z Commented:
Thanks for the info.

Shouldn't need to reinstall SP2 at this point in time unless you have uninstalled it.  Have you run a Win Update lately?
Have you tried uninstalling the MSN Toolbar? And rebooting?

pointybum (Author) Commented:
Hello Mtz1of4,

   I haven't as of yet uninstalled msn search tool bar (presently at work and pc is at home) but will do shortly.

   And yes, I had patched everything up prior to realising the msn default problem, and then yesterday there were 7 or 8 updates and I allowed those to download and install too.

   Can I ask your thoughts on re-applying sp2 - what are the ramifications should I re-install sp2 - would it make any difference, and if I were to reinstall sp2 would I need to remove the current sp2 first....


Marc Z Commented:
I don't believe you can uninstall SP2 if it was part of the original install.  I have never found a reason to uninstall SP2 and have never actually done that so I can't say how it will affect your machine.  I guess you could try to re-apply it or you could try running the system file checker.

Although the more I look around on this, the more I'm thinking the msn search bar is the culprit.

Spysweeper will lock your home page, Spybot can lock your home page, Defender can lock your home page.

Looking through your HijackThis log again, why do I not see any R0 headings?

You may need to restart the machine and run another HijackThis and post your Log to this page and then select Save Analysis and then paste the link in your reply.

Also, do a search for your IERESET.INF and see what it says.
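
Added example, not part of the original thread and not any participant's code: a small Python triage pass over a HijackThis log that pulls out the entries relevant to a locked home page. The sample lines are copied from the log posted above; the function names are hypothetical, and the section meanings used (O6 = IE options restricted by policy, R0-R3 = IE start/search page values) follow HijackThis's own section codes.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKCU\..\Run: [EPMon] C:\Program Files\EPMon\epmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# A result line is "<letter><1-2 digits> - <detail>", e.g. "O6 - ..." or "R0 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
START_PAGE_CODES = ("R0", "R1", "R2", "R3")


def parse_entries(text):
    """Group HijackThis result lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            sections[match.group(1)].append(match.group(2))
    return dict(sections)


def homepage_findings(sections):
    """Return (kind, detail) tuples worth a second look when the home page will not change."""
    findings = []
    # O6: a Policies key restricting the Internet Options dialog exists for this user.
    for detail in sections.get("O6", []):
        findings.append(("policy-lock", detail))
    # Assumption: with no R0-R3 lines, the scan reported no start/search page
    # value at all, so the log alone cannot show where the page is being set.
    if not any(code in sections for code in START_PAGE_CODES):
        findings.append(("no-R-lines", "no R0-R3 start/search page entries in log"))
    # Entries whose target file no longer exists are leftovers worth cleaning up.
    for code, details in sections.items():
        for detail in details:
            if detail.endswith("(file missing)"):
                findings.append(("file-missing", f"{code}: {detail}"))
    return findings


if __name__ == "__main__":
    for kind, detail in homepage_findings(parse_entries(SAMPLE_LOG)):
        print(f"{kind:13} {detail}")
```
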
pointybum (Author) Commented:
Hello Mtz,

   I have removed msn search desktop, rebooted and it still does it.

   I ran hijack, posted the results and everything is graded safe with the exception of epmon and statbar which I have explained before as being unrelated and harmless.

   With reference to the R0 headings and their absence I cannot offer a response to that as I am not technical enough.  If they're missing then would that be the reason for my issues, and if so, is there a remedy?

   I did the IERESET.INF search and found two files - 1 is called layout, stored in c:\windows\inf\ and the other is called setup, stored in c:\windows\repair\

   I also did sfc /scannow, rebooted and still no joy.

Marc Z Commented:
My IERESET.INF is located in the C:\WINDOWS\inf folder and contains this when I open it in Notepad.

AdvancedINF=2.5,"You need a new version of advpack.dll"


DelReg=DeleteTemplates.reg, DeleteAutosearch.reg

HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,""
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,""
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,""
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,""
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""

HKLM,"Software\Microsoft\Internet Explorer\Search","SearchAssistant",0,"{SUB_RFC1766}/srchasst/srchasst.htm"
HKLM,"Software\Microsoft\Internet Explorer\Search","CustomizeSearch",0,"{SUB_RFC1766}/srchasst/srchcust.htm"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"*"

HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"


; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.

Does yours reference  How does yours compare to mine?
pointybum (Author) Commented:
Hi Mtz,

  There were other symptoms with explorer that concerned me too, that typing a new url into the explorer window and clicking to launch would sometimes take ages, like half a minute before jumping to experts exchange for example, and yet, if I clicked explorer to launch a new window, or go into firefox and fire up google, the pages launch instantly so something is definitely not right and wasn't prepared to live with such an anomaly despite the great advice/fixes given.

   So, with that said, I decided to flatten the pc and rebuild it and it wasn't a decision taken lightly as it does take some 8 hours to reformat the drives under raid 0 stripe configuration and then some more hours configuring to my requirements.

   I am going to use my original xp pro sp2 rather than my back-up copy to ensure the installation is sound.

   When back up and running, probably in the next 7/8 hours, I will report back with an update and award points for helping out.


Gord, sorry you had to reformat and reinstall Windows. Maybe that is the fastest way to fix the problem.
Marc Z Commented:
Gord, Thanks for the update,

Keep us in the loop.
pointybum (Author) Commented:
Hello Mtz and War,

  Well, I have rebuilt my pc and everything is fabulously perfect.

  There must have been a dirty file somewhere in the MFT as I did harbour a suspicion to windows defender and/or msn search desktop hijacking explorer but couldn't totally agree with your thought processes as I've never experienced such an anomaly before, and that I do test new product releases aggressively for a few months on work computers before applying to my own home computer.

  So, it's got to be a dirty file, akin to the infamous semi colon bug found on the stealth bomber so it no longer belly flops the tarmac just after take off...  :)

  Awards time - I would like to split between you two chaps as you've both been helpful...  How do I do it??
pointybum (Author) Commented:
Ah, just figured it out...
Marc Z Commented:
Thanks Gordon,

Glad it's all working fine for you now.
Question has a verified solution.
