Solved

Something hijacked Internet Explorer and forces it to remain in Yahoo.com instead of MSNBC.com as 'their home'

Posted on 2006-07-05
379 Views
Last Modified: 2010-05-18
I have a client here with this problem.

I have ran Spybot, Spysweeper, eWido, Hijackthis (it keeps reappearing no matter what I do), and Adaware.

$BOSS suspects this is a relation between the Yhoo32.expr virus and this problem - I disagree, $CLIENT doesn't run Yahoo Messenger.

Every time I try to modify the IE homepage to go to MSNBC.com, and then click on "Home" on IE, it changes back to Yahoo. Client is pissed off on that, so we're trying to find the problem. Regedit32 shows Yahoo only once, but once modified, it changes back to Yahoo.

I'm at a loss here.

Hopefully someone will come up with a solution that will work.

Hawkeye-X
0
Question by:hawkeyex
15 Comments
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 17045367
if you are logged on as the user on the machine, make sure that they have the privilege of changing their home page...

also, try this script:

http://www.dynamicdrive.com/dynamicindex9/addhome.htm

copy the script into notepad.  change the url to http://www.msnbc.com and then save the file as whatever.html

click the link displayed and there you go!!
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045432
Use hijackthis, It will tell you which spyware has bugged your IE.

http://www.merijn.org/files/hijackthis.zip

Run this and then paste the Log file.
0
 

Author Comment

by:hawkeyex
ID: 17045469
Nope. Does not work. Home page still changes back to Yahoo.
0
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 17045472
did you check to make sure the user has rights?
0
 

Author Comment

by:hawkeyex
ID: 17045494
Ok. I will paste the hijackthis log file here.

Yes, I just upgraded IE to 7, hoping it'd fix the problem, but alas, no. And yes, I'm EVEN aware of R0, but it won't remove the problem, and it keeps coming back.

Logfile of HijackThis v1.99.1
Scan saved at 1:15:45 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jkprager\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146505895\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise1] cmd /x /c erase \\Gapllc-server\_install\AIM\aolsetup.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise2] cmd /x /c erase \\Gapllc-server\_install\AIM\Main.ini
O4 - HKLM\..\RunOnce: [Run IPH] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gapllc.local
O17 - HKLM\Software\..\Telephony: DomainName = gapllc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{28274B02-9D07-4871-A20A-C9B584DEA6F2}: NameServer = 192.168.0.250,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gapllc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gapllc.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

0
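A small parser for the HijackThis log format quoted in this post, added here as an example and not part of the thread or of HijackThis itself: it pulls the R0/R1 Internet Explorer page entries and flags any whose host is not the intended site (msnbc.com here), and lists the O2 BHOs and O4 autostart entries that the later replies suggest reviewing one at a time. The embedded log is a constructed excerpt of the lines above, and the section regexes are my own reading of the format.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis v1.99.1 log posted above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146505895\ee\AOLSoftware.exe
O4 - HKLM\..\RunOnce: [JetsonsDemise1] cmd /x /c erase \\Gapllc-server\_install\AIM\aolsetup.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
IE_PAGE_RE = re.compile(r"^(?P<key>HK\w+\\[^,]+),(?P<name>[^=]+?) = (?P<url>\S+)$")  # R0/R1
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")  # O2
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")  # O4


def parse_hjt(text):
    """Return [(section code, body)] for every HijackThis item line; other lines are ignored."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("code"), m.group("body")) for m in matches if m]


def same_site(url, expected_host):
    """True when the URL's host is expected_host or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == expected_host or host.endswith("." + expected_host)


def analyse(text, expected_host):
    """Flag IE start/search pages pointing away from expected_host; list BHOs and autostarts to review."""
    result = {"hijacked": [], "bhos": [], "autostarts": []}
    for code, body in parse_hjt(text):
        if code in ("R0", "R1") and (m := IE_PAGE_RE.match(body)):
            if not same_site(m.group("url"), expected_host):
                result["hijacked"].append((m.group("key"), m.group("name"), m.group("url")))
        elif code == "O2" and (m := BHO_RE.match(body)):
            # An unnamed BHO is not proof of malware (this one is Spybot's SDHelper) but merits review.
            result["bhos"].append((m.group("clsid"), m.group("name"), m.group("path")))
        elif code == "O4" and (m := RUN_RE.match(body)):
            result["autostarts"].append((m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")))
    return result


def unnamed_bhos(result):
    """CLSIDs of BHOs that registered without a display name."""
    return [clsid for clsid, name, _ in result["bhos"] if name == "(no name)"]
```

Run `analyse(open("hijackthis.log").read(), "msnbc.com")` on a real log; an R0/R1 entry in the "hijacked" list that reappears after deletion points at something in "bhos" or "autostarts" rewriting it.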
 

Author Comment

by:hawkeyex
ID: 17045498
The user has administrative rights.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045553

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
Internet Start Page

This is where you go when you first open IE.
Delete this key.

0
 

Author Comment

by:hawkeyex
ID: 17045569
I did delete this key, that's the R0, which I said I was aware of. It keeps returning. Hence, my problem.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045584
I saw your log file. You may also need to delete many registry entries.

Goto the link mentioned below and analyze your logfile.

http://hjt.networktechs.com/

Then, clean all the registry setting marked as unsafe.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17045608
Also, use msconfig.

Goto Services TAB and Startup TAB.

See, if you can find some application or service which this machine should not have, or is associated with yahoo.
Disable it as well.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1000 total points
ID: 17046865
Check the most obvious first, have they just installed or updated Zone Alarm?
If so then that's the culprit!
All they have to do is uninstall it if it's the free version.

Look at my answer on this thread here:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21907643.html#17040600
0
 
LVL 2

Assisted Solution

by:0xnull
0xnull earned 1000 total points
ID: 17054527
it sounds like you have a BHO (browser helper object), a Toolbar, or even an entire app that has jacked your home page.  BHOs are a major PITA.  I'd recommend UPDATING spybot (older versions don't keep themselves up to date).  Then disable ALL toolbars and non-CRUCIAL apps (which is damn near everything - look in the systray) (especially that AOL crap) and see if the issue persists.  If not, reinstate each one, one at a time, until the culprit is found.  Then you can reconfig it, or nuke it.

Good luck.
0
 

Author Comment

by:hawkeyex
ID: 17235474
no objections.
0
