Solved

Something hijacked Internet Explorer and forces it to remain in Yahoo.com instead of MSNBC.com as 'their home'

Posted on 2006-07-05
Last Modified: 2010-05-18
I have a client here with this problem.

I have run Spybot, Spysweeper, eWido, Hijackthis (it keeps reappearing no matter what I do), and Adaware.

$BOSS suspects this is a relation between the Yhoo32.expr virus and this problem - I disagree, $CLIENT doesn't run Yahoo Messenger.

Every time I try to modify the IE homepage to go to MSNBC.com, and then click on "Home" on IE, it changes back to Yahoo. Client is pissed off on that, so we're trying to find the problem. Regedit32 shows Yahoo only once, but once modified, it changes back to Yahoo.

I'm at a loss here.

Hopefully someone will come up with a solution that will work.

Hawkeye-X
Question by:hawkeyex
15 Comments
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 17045367
If you are logged on as the user on the machine, make sure that they have the privilege of changing their home page...

Also, try this script:

http://www.dynamicdrive.com/dynamicindex9/addhome.htm

Copy the script into Notepad. Change the URL to http://www.msnbc.com and then save the file as whatever.html

Click the link displayed and there you go!!
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045432
Use HijackThis. It will tell you which spyware has bugged your IE.

http://www.merijn.org/files/hijackthis.zip

Run this and then paste the Log file.
0
 

Author Comment

by:hawkeyex
ID: 17045469
Nope. Does not work. Home page still changes back to Yahoo.
0

 
LVL 2

Expert Comment

by:abarneslouortho
ID: 17045472
Did you check to make sure the user has rights?
0
 

Author Comment

by:hawkeyex
ID: 17045494
Ok. I will paste the hijackthis log file here.

Yes, I just upgraded IE to 7, hoping it'd fix the problem, but alas, no. And yes, I'm EVEN aware of R0, but it won't remove the problem, and it keeps coming back.

Logfile of HijackThis v1.99.1
Scan saved at 1:15:45 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jkprager\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146505895\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise1] cmd /x /c erase \\Gapllc-server\_install\AIM\aolsetup.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise2] cmd /x /c erase \\Gapllc-server\_install\AIM\Main.ini
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gapllc.local
O17 - HKLM\Software\..\Telephony: DomainName = gapllc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{28274B02-9D07-4871-A20A-C9B584DEA6F2}: NameServer = 192.168.0.250,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gapllc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gapllc.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

0
 

Author Comment

by:hawkeyex
ID: 17045498
The user has administrative rights.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045553

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
Internet Start Page

This is where you go when you first open IE.
Delete this key.

0
 

Author Comment

by:hawkeyex
ID: 17045569
I did delete this key, that's the R0, which I said I was aware of. It keeps returning. Hence, my problem.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045584
I saw your log file. You may also need to delete many registry entries.

Go to the link mentioned below and analyze your logfile.

http://hjt.networktechs.com/

Then, clean all the registry settings marked as unsafe.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045608
Also, use msconfig.

Go to the Services tab and the Startup tab.

See if you can find some application or service which this machine should not have, or which is associated with Yahoo.
Disable it as well.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1000 total points
ID: 17046865
Check the most obvious first: have they just installed or updated Zone Alarm?
If so, then that's the culprit!
All they have to do is uninstall it if it's the free version.

Look at my answer in this thread here:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21907643.html#17040600
0
 
LVL 2

Assisted Solution

by:0xnull
0xnull earned 1000 total points
ID: 17054527
It sounds like you have a BHO (browser helper object), a Toolbar, or even an entire app that has jacked your home page. BHO's are a major PITA. I'd recommend UPDATING Spybot (older versions don't keep themselves up to date). Then disable ALL toolbars and non CRUCIAL apps (which is damn near everything - look in the systray) (especially that AOL crap) and see if the issue persists. If not, reinstate each one, one at a time, until the culprit is found. Then you can reconfig it, or nuke it.

Good luck.



0
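Added example (not part of any poster's comment): a small Python parser for the HijackThis log format shown earlier in this thread. It pulls out the Start Page setting and builds the list of BHO, toolbar, startup and service entries to work through when disabling items one at a time. The function names are hypothetical and the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146505895\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O4 - detail"
CANDIDATE_CODES = ("O2", "O3", "O4", "O23")      # BHOs, toolbars, Run keys, services

def parse_log(text):
    """Group 'CODE - detail' lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def start_pages(sections):
    """Return (registry value, URL) pairs for every Start Page entry in R0/R1."""
    found = []
    for code in ("R0", "R1"):
        for detail in sections.get(code, []):
            key, sep, url = detail.partition(" = ")
            if sep and key.endswith("Start Page"):
                found.append((key, url))
    return found

def candidates(sections):
    """Return (code, label, file) for each item that loads with IE or at startup."""
    out = []
    for code in CANDIDATE_CODES:
        for detail in sections.get(code, []):
            if code == "O4":                      # "HKLM\..\Run: [name] command"
                label, _, target = detail.partition("] ")
                label += "]"
            else:                                 # "kind: name - ... - file"
                label, target = detail.split(" - ")[0], detail.rsplit(" - ", 1)[-1]
            out.append((code, label, target.strip('"')))
    return out

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(start_pages(log))
    for row in candidates(log):
        print(*row, sep=" | ")
```

Run against a full log, the candidate list is the checklist for the disable-and-reinstate procedure: re-check the Start Page value after each item is turned off.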
 

Author Comment

by:hawkeyex
ID: 17235474
No objections.
0


Question has a verified solution.
