IE6 keeps jumping to MSN.COM behaving like a spyware hijack.

What anti-spyware program are using ?

Because many of them will actually lock IE from changing homepage.

Greetings, pointybum !

It could be an OEM issue where the computer reverts the the original home page.  Run this script to disable the behavior
http://www.dougknox.com/security/scripts_desc/nosethomepage.htm


Best wishes!

Eternal student, I normally use windows defender for everyday protection and scanning and lavasoft personal edition for alternative scanning.  I had extended my search for the 'bad apple' thats causing the problem by installing all the other best breed spyware/adware scanning software but to no avail.

War1, I ran the script and indeed it greyed out the url box where you would have you home page in the internet options box so now I cannot have a home page, so now a new problem and the existing persists where clicking the internet explorer still launches MSN.COM.

So, I am now one step backwards!  Can the action you offered be reversed?

>> Can the action you offered be reversed?

Yes, you can run the script again.

Windows Defender will reset your homepage to msn.com.  Choose Advanced Tools–>Browser Hijack Restore, and highlight Start Page. Click “Change restore settings to a new URL,” type in your normal home page, then click OK. From now on, when Microsoft blocks a home page hijacking, it will let you keep your own home page, and won’t do a hijacking on its own.

After a major Windows Update, Microsoft will reset your homepage to msn.com

Have you tried these?

Click Start > Run > type in
regedit

press Enter and navigate to this subkey and change your start page:(example is yahoo.com mail)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page"="http://mail.yahoo.com/"


If your homepage is lock you can unlock it with Kelly's Unlock homepage.reg:
http://www.kellys-korner-xp.com/regs_edits/HomePageUnlock.reg

Gee', this situation is becoming interesting but frustrating at the same time and a unique experience.

War1, I ran the script again and it reversed the action which is good but cannot figure out this bit -

"Choose Advanced Tools–>Browser Hijack Restore, and highlight Start Page. Click “Change restore settings to a new URL,” type in your normal home page, then click OK. From now on, when Microsoft blocks a home page hijacking, it will let you keep your own home page, and won’t do a hijacking on its own."

Which advanced tools do you mean?


Rpggamergirl, I actually ran that line the other day after reading some of the other tips before writing here and I got the big red 'X' Cannot edit Start Page: Error writing the value's new contents.  I ran it again just to make sure and the same message appeared.

Here is a log of hijack this....
Logfile of HijackThis v1.99.1
Scan saved at 20:48:43, on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Globe Software\StatBar\StatBar.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\EPMon\epmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gordon & Renny\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [EPMon] C:\Program Files\EPMon\epmon.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Rgs

Gordon.

>> Which advanced tools do you mean?

It is the Advanced Tools in Windows Defender.

You have the MSN Toolbar Search.  If you did not install it, uninstall from Add/Remove Programs.

Hello War,

   Yes, I did install it - I use it for indexing my hard drive - do you think that piece of software has any relation to the problem I am currently experiencing?

   I decided to go into the registry again, but in safe mode, and had successfully removed the the start page from hkey_current_user, software, microsoft, internet explorer, main, as advised in one of your previous postings elsewhere in the Browser section.    This worked, it deleted so I rebooted and checked to see if explorer defaults to MSN.COM, and guess what, it still does!

   So, went back into regedit and navigated but this time to hkey_local_machine, software, microsoft, internet explorer, main, and I see the start page line, defaulting to http://www.microsoft.com/isapi/redir.dll?prd={SUB_PR...

   Any thoughts?

   Rgs

   G.

One more thing, I've temporarily removed windows defender just so as to eliminate any possibilities that it might be the cause....  I will leave it off, as will all spyware products, until as such I get a resolution.

Also, I went to Yahoo's UK home page and selected make yahoo my home page to see what would happen (hoping the web script would be aggresive enough to over-ride the msn defaults) and all I got was a relentlessly spinning hour glass, but in task manager is still shows as running so something is obviously blocking the change request.....

Keep Avast active, it does nothing to your homepage.  Defender will prevent you from changing it.  Did you remove it from startup or uninstall it.  Uninstall should be the correct answer for now.

http://www.hijackthis.de/logfiles/b59cb1a991f5b6f62b6b25871fb816ea.html is the analysis of the Hijack this log.

What is that epMon.exe?  Looks like it should be uninstalled.

As War1 suggests, uninstall MSN Toolbar also.

StatBar is also questionable to me.  

Ok, epmon is a cpu utilisation program I have been using for over a year with no issues - installed on over a 100 computers, as with Statbar which is a similar product which sits above the taskbar giving cpu utilisation readout, memory usage, and network traffic, etc.

I have uninstalled windows defender using add/remove, not just removed it from startup.

Like I said at the beginning of my posting the MSN.COM default happened before installing the above software so I feel they are unrelated but will remove out of curiosity and report back.

Would re-installing service pack2 wipe all existing settings and perhaps cure the problem, or would that just make things worse, or make no difference.

Rgs

G.

Thanks for the info.

Shouldn't need to reinstall SP2 at this point in time unless you have uninstalled it.  Have you run a Win Update lately?
Have you tried uninstalling the MSN Toolbar? And rebooting?

Hello Mtz1of4,

   I havent as of yet uninstalled msn seach tool bar yet (presently at work and pc is at home) but will do shortly.

   And yes, I had patched everything up prior to realising the msn  default problem, and then yesterday there were 7 or 8 updates and I allowed those to download and install too.

   Can I ask your thoughts on re-applying sp2 - what are the ramifications should i re-install sp2 - would it make any difference, and if I were to reinstall sp2 would i need to remove the current sp2 first....

   Rgs

  G.

I don't believe you can uninstall SP2 if it was part of the original install.  I have never found a reason to uninstall SP2 and have never actually done that so I can't say how it will affect your machine.  I guess you could try to re-apply it or you could try running the system file checker.
http://support.microsoft.com/?kbid=310747
http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html

Although the more I look around on this, the more I'm thinking the msn search bar is the culprit.

Spysweeper will lock your home page, Spybot can lock your home page, Defender can lock your home page.

Looking through your Hikack This log again, why do I not see any R0 headings?  http://www.spywareinfo.com/~merijn/htlogtutorial.html#r

You may need to restart the machine and run another HijackThis and post your Log to this page and then select Save Analysis and then paste the link in your reply.
http://www.hijackthis.de/index.php


Also, do a search for your IERESET.INF and see what it says.

Hello Mtz,

   I have removed msn search desktop, rebooted and it still does it.

   I ran hijack, posted the results and everything is graded safe with the exception of epmon and statbar which I have explained before as being unrelated and harmless.

   With reference to the RO headings and their absence I cannot offer a response to that as I am not technical enough.  If they're missing then would that be the reason for my issues, and if so, is there a remedy?

   I did the IREREST.INF search amd found two files - 1 is called layout, stored in c:\windows\inf\ and the other is called setup, stored in c:\windows\repair\

   I also did sfc /scannow, rebooted and still no joy.

    Arrrghh...!

MY IERESET.INF is located in the C:\WINDOWS\inf folder and contains this when I open it in Notepad.

[Version]
Signature="$CHICAGO$"
AdvancedINF=2.5,"You need a new version of advpack.dll"

[RestoreHomePage]
AddReg=RestoreHomePage.reg

[RestoreBrowserSettings]
AddReg=RestoreBrowserSettings.reg
DelReg=DeleteTemplates.reg, DeleteAutosearch.reg

[RestoreHomePage.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""

HKLM,"Software\Microsoft\Internet Explorer\Search","SearchAssistant",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
HKLM,"Software\Microsoft\Internet Explorer\Search","CustomizeSearch",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"

[DeleteTemplates.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

[DeleteAutosearch.reg]
; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"

[Strings]
START_PAGE_URL=http://www.emachines.com
SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
SAFESITE_VALUE="ie.search.msn.com"

; IMPORTANT NOTE:
; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


Does yours reference MSN.com?  How does yours compare to mine?

Hi Mtz,

  There were other symptoms with explorer that concerned me too, that typing a new url into the explorer window and clicking to launch would sometimes take ages, like half a minute before jumping to experts exchange for example, and yet, if I clicked explorer to launch a new window, or go into firefox and fire up google, the pages launch instantly so something is definately not right and wasnt prepared to live with such an anomaly despite the great advice/fixes given.

   So, with that said, I decided to flatten the pc and rebuild it and it wasnt a decision taken lightly as it does take some 8 hours to reformat the drives under raid 0 stripe configuration and then some more hours configuring to my requirements.

   I am going to use my original xp pro sp2 than my back-up copy to ensure the installation is sound.

   When back up and running, probably in the next 7/8 hours, I will report back with an update and award points for helping out.

   Rgs

   Gord.

Hello Mtz and War,

  Well, I have rebuilt my pc and everything is fabalousy perfect.

  There must have been a dirty file somewhere in the MFT as I did harbour a suspicion to windows defender and/or msn search desktop hijacking explorer but couldnt totally agree with your thought processes as I've never experienced such an anomaly before, and that I do test new product releases aggresively for a few months on work computers before applying to my own homel computer.

  So,its got to be a dirty file, akin to the infamous semi colon bug found on the stealth bomber so it no longer belly flops the tarmac just after take off...  :)

  Awards time - I would like to split between you to chaps as you've have both been helpful...  How do I do it??

Ah, just figured it out...

Thanks Gordon,

Glad it's all working fine for you now.