
Something hijacked Internet Explorer and forces it to remain in Yahoo.com instead of MSNBC.com as 'their home'

Posted on 2006-07-05
Last Modified: 2010-05-18
I have a client here with this problem.

I have run Spybot, Spysweeper, eWido, HijackThis (it keeps reappearing no matter what I do), and Ad-Aware.

$BOSS suspects this is a relation between the Yhoo32.expr virus and this problem - I disagree, $CLIENT doesn't run Yahoo Messenger.

Every time I try to modify the IE homepage to go to MSNBC.com, and then click on "Home" in IE, it changes back to Yahoo. Client is pissed off about that, so we're trying to find the problem. Regedit32 shows Yahoo only once, but once modified, it changes back to Yahoo.

I'm at a loss here.

Hopefully someone will come up with a solution that will work.

Hawkeye-X
Question by:hawkeyex
15 Comments
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 17045367
if you are logged on as the user on the machine, make sure that they have the privilege of changing their home page...

also, try this script:

http://www.dynamicdrive.com/dynamicindex9/addhome.htm

copy the script into notepad.  change the url to http://www.msnbc.com and then save the file as whatever.html

click the link displayed and there you go!!
 
LVL 13

Expert Comment

by:prashsax
ID: 17045432
Use HijackThis; it will tell you which spyware has bugged your IE.

http://www.merijn.org/files/hijackthis.zip

Run this and then paste the Log file.
 

Author Comment

by:hawkeyex
ID: 17045469
Nope. Does not work. Home page still changes back to Yahoo.
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 17045472
did you check to make sure the user has rights?
 

Author Comment

by:hawkeyex
ID: 17045494
Ok. I will paste the hijackthis log file here.

Yes, I just upgraded IE to 7, hoping it'd fix the problem, but alas, no. And yes, I'm EVEN aware of R0, but it won't remove the problem, and it keeps coming back.

Logfile of HijackThis v1.99.1
Scan saved at 1:15:45 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jkprager\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146505895\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise1] cmd /x /c erase \\Gapllc-server\_install\AIM\aolsetup.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise2] cmd /x /c erase \\Gapllc-server\_install\AIM\Main.ini
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gapllc.local
O17 - HKLM\Software\..\Telephony: DomainName = gapllc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{28274B02-9D07-4871-A20A-C9B584DEA6F2}: NameServer = 192.168.0.250,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gapllc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gapllc.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

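The log above lists the places that matter for a home page that keeps coming back: the R0 Start Page value itself, the O2 BHOs that run inside iexplore.exe, the O4 autostart entries and the O20 Winlogon Notify DLLs. The script below is an added example, not code from the thread or from HijackThis; it parses those entry lines and flags the ones a technician would check first. SAMPLE_LOG is a constructed excerpt of the posted log, and ALLOWED_HOSTS (msnbc.com, the page the client wants) is an assumption.

```python
"""Triage a HijackThis 1.99 log for things that can keep re-setting the IE home page.

Added example (not code from the thread). It reads the log text, keeps the
entry lines (R0/R1, O2, O4, O20) and reports:
  * R0/R1 start/search page values whose host is not in ALLOWED_HOSTS,
  * every O2 BHO, because a BHO runs inside iexplore.exe and can rewrite
    Start Page on every launch,
  * O4 autostart entries that launch a command shell or run from a UNC path,
  * every O20 Winlogon Notify DLL, which winlogon loads at every logon.
SAMPLE_LOG is a constructed excerpt of the log posted in the thread.
"""
import re
from urllib.parse import urlsplit

# Assumption: the client wants msnbc.com as the home page.
ALLOWED_HOSTS = {"www.msnbc.com", "msnbc.com"}

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise1] cmd /x /c erase \\Gapllc-server\_install\AIM\aolsetup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "R0 - <body>", "O2 - <body>", ... ; everything else in the log is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text, allowed_hosts=ALLOWED_HOSTS):
    """Return {category: [(label, detail), ...]} of entries worth checking."""
    out = {"start_page": [], "bho": [], "autostart": [], "winlogon_notify": []}
    for section, body in parse_entries(text):
        if section in ("R0", "R1"):
            key, _, url = body.partition(" = ")
            if (urlsplit(url.strip()).hostname or "") not in allowed_hosts:
                out["start_page"].append((key, url.strip()))
        elif section == "O2" and body.startswith("BHO: "):
            parts = body[len("BHO: "):].split(" - ", 2)   # name, {CLSID}, DLL path
            if len(parts) == 3:
                out["bho"].append((parts[1], parts[2]))
        elif section == "O4":
            m = O4_RE.match(body)
            # a shell launched at startup, or anything run from a \\server share
            if m and (m["cmd"].lower().startswith("cmd") or "\\\\" in m["cmd"]):
                out["autostart"].append((m["name"], m["cmd"]))
        elif section == "O20" and body.startswith("Winlogon Notify: "):
            name, _, dll = body[len("Winlogon Notify: "):].partition(" - ")
            out["winlogon_notify"].append((name, dll))
    return out


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)}")
        for label, detail in hits:
            print(f"  {label} -> {detail}")
```

Run it against a full log and the BHO and Winlogon Notify lists are the ones to work through by disabling entries one at a time: deleting the R0 value alone only removes the symptom, as the thread shows, because whatever is listed in those sections gets another chance to write it back at the next IE start or logon.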
 

Author Comment

by:hawkeyex
ID: 17045498
The user has administrative rights.

 
LVL 13

Expert Comment

by:prashsax
ID: 17045553

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/Internet Start Page

This is where you go when you first open IE.
Delete this key.

 

Author Comment

by:hawkeyex
ID: 17045569
I did delete this key, that's the R0, which I said I was aware of. It keeps returning. Hence, my problem.

 
LVL 13

Expert Comment

by:prashsax
ID: 17045584
I saw your log file. You may also need to delete many registry entries.

Goto the link mentioned below and analyze your logfile.

http://hjt.networktechs.com/

Then, clean all the registry setting marked as unsafe.
 
LVL 13

Expert Comment

by:prashsax
ID: 17045608
Also, use msconfig.

Goto Services TAB and Startup TAB.

See, if you can find some application or service which this machine should not have, or is associated with yahoo.
Disable it as well.
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
ID: 17046865
Check the most obvious first: have they just installed or updated Zone Alarm?
If so then that's the culprit!
All they have to do is uninstall it if it's the free version.

Look at my answer on this thread here:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21907643.html#17040600
 
LVL 2

Assisted Solution

by:0xnull
0xnull earned 250 total points
ID: 17054527
It sounds like you have a BHO (browser helper object), a toolbar, or even an entire app that has jacked your home page.  BHOs are a major PITA.  I'd recommend UPDATING Spybot (older versions don't keep themselves up to date).  Then disable ALL toolbars and non-CRUCIAL apps (which is damn near everything - look in the systray) (especially that AOL crap) and see if the issue persists.  If not, reinstate each one, one at a time, until the culprit is found.  Then you can reconfig it, or nuke it.

Good luck.



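Disabling add-ons one at a time finds the culprit eventually; watching the registry value finds it in one pass. The script below is an added example, not code from the thread: it reads a Process Monitor CSV export and reports every process that wrote a Start Page value, so the writer of the Yahoo URL is named directly. It assumes the default column set of a Process Monitor export (Time of Day, Process Name, PID, Operation, Path, Result, Detail); PROCMON_CSV is a constructed capture in which the admin sets msnbc.com from regedit and iexplore.exe itself writes yahoo.com back, the pattern you see when the writer is a BHO or toolbar loaded inside the browser.

```python
"""Find which process rewrites the IE Start Page value, from a Process Monitor CSV.

Added example (not code from the thread). Filter Process Monitor to
Operation "RegSetValue" and Path ending in "Internet Explorer\Main\Start Page",
export to CSV, and feed the file to start_page_writes(). PROCMON_CSV below is
constructed sample data in that export's default column layout.
"""
import csv
import io
import re
from urllib.parse import urlsplit

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:15:02.1100000 PM","regedit.exe","2212","RegSetValue","HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","SUCCESS","Type: REG_SZ, Length: 44, Data: http://www.msnbc.com/"
"1:15:09.4200000 PM","iexplore.exe","1840","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","SUCCESS","Type: REG_SZ, Length: 44, Data: http://www.msnbc.com/"
"1:15:09.4300000 PM","iexplore.exe","1840","RegSetValue","HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","SUCCESS","Type: REG_SZ, Length: 44, Data: http://www.yahoo.com/"
"1:15:09.4400000 PM","explorer.exe","1204","RegSetValue","HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement","SUCCESS","Type: REG_BINARY, Length: 44, Data: 2C 00 00 00"
'''

# Matches the user value and the Policies copy of it (both end the same way).
START_PAGE_RE = re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.IGNORECASE)
# RegSetValue detail looks like "Type: REG_SZ, Length: 44, Data: http://..."
DATA_RE = re.compile(r"Data: (.*)$")


def start_page_writes(csv_text):
    """Return one dict per RegSetValue on a Start Page value, in capture order."""
    writes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue" or not START_PAGE_RE.search(row["Path"]):
            continue
        m = DATA_RE.search(row["Detail"])
        writes.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "path": row["Path"],
            "value": m.group(1).strip() if m else "",
        })
    return writes


def suspects(writes, wanted_host):
    """Names of processes that set a Start Page whose host is not wanted_host."""
    return sorted({w["process"] for w in writes
                   if (urlsplit(w["value"]).hostname or "") != wanted_host})


if __name__ == "__main__":
    writes = start_page_writes(PROCMON_CSV)
    for w in writes:
        print(f'{w["time"]}  {w["process"]}[{w["pid"]}] wrote {w["value"]}')
    print("suspects:", suspects(writes, "www.msnbc.com"))
```

If the writer turns out to be iexplore.exe, as in the sample, the culprit is a module loaded into the browser (an O2 BHO or O3 toolbar in the HijackThis log) and the bisection above narrows it down; if it is a separate process, the image name and PID identify the thing to remove, and its own autostart entry is what keeps the value coming back.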
 

Author Comment

by:hawkeyex
ID: 17235474
no objections.
