IE Home Page hijacked...

04 July 2006, 09:02 AM  #1
MartinM (Thread Starter)

My IE home page is stuck at :
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
...which resolves to :
http://uk.msn.com/
when I open IE.

I can edit the Home Page to about:blank (or anything else) in Tools|Internet Options, but it doesn't stick - if I "Apply" or "OK", then re-open Tools|Options, then it's back to the stuck value.

I've used:
- Ad-Aware
- CWShredder
- Spybot S&D (and it's not configured to stop IE changes - when it is, then either Tools|Options is not available at all, or the Home Page settings are all greyed out - but I have neither)
- a good root around the processes using Task Manager, msconfig and APM
... but nothing seems amiss

The stuck URL appears in the registry in two places:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE

and

HKEY_USERS\S-1-5-21-776561741-725345543-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE

I'm not sure about the second one, but in either case, regedit won't allow me to change them to anything ("about:blank" or an empty string) or even delete them (I was desperate!)

IE works fine, I just want it to have a Home Page of "about:blank" rather than some Micro$oft web page

Any clues?

PS I use Firefox 99.5% of the time and that works fine

04 July 2006, 10:44 AM  #2
MortuumMorgue

Have you tried HijackThis? It's a great little tool for helping display rogue apps and browser hijackers amongst other things: http://tomcoyote.com/hjt/

Download the hijackthis app, run it and generate a log file. You can then c & p the entire log and paste it into a window on the hijackthis website which analyzes it for you and gives you a display of all the running services it found, listing which are known to be safe and which are known to be malicious, unknown, etc. Very handy - I use it quite often when I'm stuck on trying to see what is messing with my machine when Spybot/Adaware don't work.

04 July 2006, 10:49 AM  #3
MortuumMorgue

oops - sorry - forgot to post the link to the online log analyzer: http://www.hijackthis.de/

After you run the tool and generate a log file, open it in your fav word tool and copy the entire thing and then paste it into the big textfield on the link I listed just above and then click the analyze button. Or you can browse to the file on your machine, etc.

Not 100% perfect but certainly another useful free tool..

04 July 2006, 11:11 AM  #4
MartinM (Thread Starter)

Forgot to say that I'd used HJT as well, but I didn't know about the analysis site - nice one

Trouble is, nothing is really amiss
<have deleted an O16 Egg Money manager line - but I've been using that for years>

Logfile of HijackThis v1.99.1
Scan saved at 11:05:23, on 04/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Millener\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

04 July 2006, 11:18 AM  #5
MartinM (Thread Starter)

...by the way...

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

...has got NoBrowserOptions set to 0 - i.e. allows Tools|Internet Options to be accessed (I changed it to 1 and it didn't allow access to Tools|Internet Options at all)

04 July 2006, 04:54 PM  #6
MortuumMorgue

Ahh - cool - at least it's another tool used.

I'll have a look at my machine when I get home as our work ones are so b@astardized with security, preventative and monitoring software I'm surprised they can even boot up half the time without throwing a wobbly.

I'm still quite puzzled as to what is doing that to your browser. As much as we all like to hate M$, that sort of behaviour isn't their "usual" sort of practice, at least from experience.

If I can find anything useful I'll post it up. But at the moment - I'm stuck - sorry mate.

04 July 2006, 05:06 PM  #7
MartinM (Thread Starter)

Thanks mate - anything you can do is appreciated.

I think the key (!) must be in this bit...

Originally Posted by MartinM
The stuck URL appears in the registry in two places:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE

and

HKEY_USERS\S-1-5-21-776561741-725345543-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE

I'm not sure about the second one, but in either case, regedit won't allow me to change them to anything ("about:blank" or an empty string) or even delete them (I was desperate!)

...if I can't edit these by hand in regedit, then maybe that's why IE can't edit them. I thought you could do anything to the registry via regedit - might there be something 'looking after' the registry?

Also, I'd expect the first key, but isn't the second key a bit unusual (i.e. containing a GUID) for standard stuff like IE config details??
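
Added example, not part of any poster's message: a small Python triage of the HijackThis log posted in #4 that keeps only the entries concerning IE page values and IE policy keys (the O6 lines discussed in #5), and splits the HKEY_USERS path from #1 into its user SID, RID and subkey (HKEY_CURRENT_USER is a view of that per-user hive). Section meanings follow HijackThis's documented codes; the function names are illustrative.

```python
import re

# HijackThis section codes that concern IE page values and IE policy keys.
IE_SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O6": "IE options restricted by policy key",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SID_RE = re.compile(r"^HKEY_USERS\\(S-1-5-21(?:-\d+){4})\\(.*)$", re.I)


def parse_entries(log_text):
    """Return (code, detail) pairs for every 'Xn - ...' line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def ie_setting_entries(entries):
    """Keep only entries that describe IE page values or IE policy keys."""
    return [(c, IE_SECTIONS[c], d) for c, d in entries if c in IE_SECTIONS]


def split_user_hive(path):
    """Return (sid, rid, subkey) for a path under HKEY_USERS, or None otherwise."""
    m = SID_RE.match(path)
    if not m:
        return None
    sid, subkey = m.group(1), m.group(2)
    return sid, int(sid.rsplit("-", 1)[1]), subkey


# Lines copied from the log and the registry path posted in this thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe"""
SAMPLE_PATH = r"HKEY_USERS\S-1-5-21-776561741-725345543-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE"

if __name__ == "__main__":
    for code, meaning, detail in ie_setting_entries(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {meaning}: {detail}")
    print(split_user_hive(SAMPLE_PATH))
```

An O6 line only reports that the policy key is present; the values inside that key still have to be read to see which option is locked.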

06 July 2006, 07:51 AM  #8
Andy McCord

Martin, have a look on this site, they are really helpful

http://forums.majorgeeks.com/forumdisplay.php?f=35

All times are GMT +1.