Something changed IE homepage

cycleman77

Senior member
Jan 16, 2001
352
0
0
I only use IE for a few websites, ones that don't display properly with Mozilla.
So this isn't too big of a deal, but it is getting on my nerves.

Earlier this week, I noticed that my IE homepage is not the default (I never changed it). It comes up with some stupid advertisement about my computer needing anti-spyware and crap like that.

I ran anti-virus, anti-spyware, CWShredder and all came up clean. I tried a System Restore, and I have even gone as far as doing a Windows Repair.

I have gone through the registry and manually edited the homepage keys. I have even deleted the homepage keys. It seems to work for a little while, but that other page comes back.

I have ZoneAlarm 3. IE does not have access to the web unless I say it can (the way it should be :-D ).

Is there anything else I can do? Is there some other software out there that can help?

I'm using: Grisoft AVG 6, LavaSoft AdAware 6, CWShredder 1.59. All are up-to-date.

Thanks
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Yes, I have uninstalled and reinstalled IE.

I do use Mozilla. It is my primary/default browser.
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Here is the Hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 4:00:07 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
D:\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Zone Labs\ZoneAlarm\zapro.exe
D:\mozilla.org\Mozilla\mozilla.exe
D:\Microsoft Office\Office\WINWORD.EXE
D:\WinRAR\WinRAR.exe
C:\DOCUME~1\Peter\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EF07FA-7106-40C3-B702-EA215EBAA862}: NameServer = 209.150.235.246 209.150.236.146

 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Start page isn't Yahoo anymore.
I just reran it and here it is:

Logfile of HijackThis v1.98.2
Scan saved at 4:02:56 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
D:\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Zone Labs\ZoneAlarm\zapro.exe
D:\mozilla.org\Mozilla\mozilla.exe
D:\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\WinRAR\WinRAR.exe
C:\DOCUME~1\Peter\LOCALS~1\Temp\Rar$EX00.343\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotpics-tgp.com/cgi-bin/secure.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EF07FA-7106-40C3-B702-EA215EBAA862}: NameServer = 209.150.235.246 209.150.236.146

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
fix this

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotpics-tgp.com/cgi-bin/secure.cgi


i assume you put the following setting in, or your network people at your place of work, or your campus IT people, but if you are at home, and your ISP did not put the following there and neither did you, fix it.

O17 - HKLM\System\CCS\Services\Tcpip\..\{81EF07FA-7106-40C3-B702-EA215EBAA862}: NameServer = 209.150.235.246 209.150.236.146
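The two log lines singled out above (an R0 start page that is not the one the user set, and an O17 NameServer entry nobody remembers configuring) are exactly the kind of thing a small triage script can flag automatically. The following is an added example, not code from the thread or from HijackThis: it parses HijackThis-style R0/R1 and O17 lines and compares them against an allow-list of home-page hosts and a set of expected resolvers. The allow-list, the expected resolver addresses (RFC 5737 documentation range) and the sample log lines are constructed for the example; the hijacked home-page URL is a placeholder, while the NameServer addresses are the ones from the log above. Whether those resolvers are legitimate is something only the machine's owner or ISP can say, so the script only reports what differs from what the operator declares.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread).

Flags R0/R1 start/search-page values whose host is not on an allow-list, and
O17 NameServer values that are not the resolvers the operator expects.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Hosts the user expects as the IE home page (assumption: yahoo.com, as in the thread).
ALLOWED_HOME_HOSTS = {"www.yahoo.com", "yahoo.com"}

# Resolvers the owner/ISP actually configured. Placeholder values from the
# RFC 5737 documentation range; replace with the real ones before use.
EXPECTED_NAMESERVERS = {"192.0.2.1", "192.0.2.2"}

# R0/R1 lines look like:  R0 - HKCU\...\Main,Start Page = http://host/path
R_LINE = re.compile(r"^(?P<type>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
# O17 lines look like:    O17 - HKLM\System\CCS\...\{GUID}: NameServer = 1.2.3.4 5.6.7.8
O17_LINE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    line_type: str   # "R0", "R1" or "O17"
    key: str         # registry path shown in the log line
    observed: str    # the value as it appears in the log
    reason: str      # why it was flagged


def home_page_host(value: str) -> str:
    """Return the lowercase host of a start/search-page value ("about:blank" passes through)."""
    v = value.strip()
    if v.lower() in {"", "about:blank"}:
        return v.lower()
    if "://" not in v:          # HijackThis sometimes shows bare hostnames
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def triage(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines and return the entries that deviate from the declared baseline."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            host = home_page_host(m["value"])
            if host not in ALLOWED_HOME_HOSTS and host != "about:blank":
                findings.append(Finding(m["type"], m["key"], m["value"],
                                        f"{m['name']} points at unexpected host {host!r}"))
            continue
        m = O17_LINE.match(line)
        if m:
            servers = {s for s in re.split(r"[\s,]+", m["servers"]) if s}
            rogue = sorted(servers - EXPECTED_NAMESERVERS)
            if rogue:
                findings.append(Finding("O17", m["key"], m["servers"],
                                        "NameServer(s) not in expected set: " + ", ".join(rogue)))
            continue
    return findings


# Constructed sample log: one clean R0, one hijacked R0 (placeholder URL),
# an unrelated O4 line, and the O17 line from the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://unexpected-page.example/start.cgi
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EF07FA-7106-40C3-B702-EA215EBAA862}: NameServer = 209.150.235.246 209.150.236.146
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.line_type}] {f.key}\n    observed: {f.observed}\n    reason:   {f.reason}")
```

Run against a real log, the script reports only deviations from the baseline you declare, so the first thing to do is fill in the resolvers your ISP or network actually hands out; the R0 check catches the case the thread describes, where the value silently flips back between two scans.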
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
I just downloaded and installed Ad-Aware SE. I updated it and then ran a complete test. It came back clean.
My AVG was already up-to-date, but I re-ran it anyways, and it too came back clean.

I take it that whatever it is, is inside a "clean" file? Is there any way to "lock" a registry entry? Is there a way to determine what modifies a registry entry?
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
I installed Spybot and locked IE. I can block the change, but I still can't find what is trying to change the homepage.

I still want to try to get this resolved. I don't want to leave 'whatever it is' on my computer, constantly trying to change the reg key.

If anyone has any idea on what it is, please let me know. Until then, I guess I'll just leave it alone.
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Dammit!!

I guess I spoke too soon. That webpage is back. Weird thing is, Spybot doesn't stop it. Spybot doesn't even see it. I look at the registry entry and it is http://www.hotpics-tgp.com/cgi-bin/secure.cgi. But when I go to change it back to www.yahoo.com, Spybot pops up and says:
'Do you want to allow this change:
Original: http://www.yahoo.com
Change: www.yahoo.com'

Spybot doesn't notice that the registry key is http://www.hotpics-tgp.com/cgi-bin/secure.cgi.

How can it change and Spybot not notice?
Help, please.
 

Mem

Lifer
Apr 23, 2000
21,476
13
81
Did you try HijackThis in safe mode? ...I would also run Panda online scan to confirm you are free of trojans and viruses, link.


Btw, type "MSCONFIG" in the Run box (which is below "Search" on XP) without speech marks and see if it's listed in there under "services and startup".
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Mem,
I have already gone to MSCONFIG. There is nothing out of the ordinary in startup. I recognized all of them.
I ran Panda Online; it did find a couple of infected files, but none of them solved my problem.

dev1ance,
I installed Webroot, and it does prevent my homepage from being altered. However, the problem is still there. Every 30 secs or so, it tries to change back to that other page. Thanks

I still would like to find the problem, but I'm all out of ideas.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
First off, the initial HJT log should be performed in "normal mode" as booting in safe mode can hide things that are there. So, if this log is from safe mode, please repost it. I'm looking at it right now and will report back on it in a bit.

EDIT: Can you place HJT in its own directory? It can't create backups properly if it's left in your temp folder. Secondly .... let me have another HJT log that shows the fixes already suggested.


2nd EDIT: What you're experiencing sounds more like a JS exception exploit. Some AVs pick it up as a virus, but it's really not a virus at all.... it's an exploit. It's an attempt by certain sites .... usually porn related .... to "reset" your IE home page. If that's the case, the fix is rather easy. Simply empty your browser cache and delete the contents of your temporary folder. Empty your recycle bin .... reboot and check to see if things are straightened out.

One question: Is there a reason why you haven't yet gone to SP2? SP2 will go a long way to plugging these holes .... SP1 is still extremely "worm and exploit vulnerable." Let us know where we're at please.


 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Emptying the browser's cache and temp files was the first thing I did.

HJT is in its own directory. And I did not run it in Safe mode.

I haven't heard anything good about SP2. So I have been very hesitant in installing it.
 

ChunkiMunki

Senior member
Dec 21, 2001
449
0
0
I had one of these so bad nothing could get rid of it. I backed up my data and reinstalled the OS, got a drive image app, and can reinstall my OS in 10 minutes. It just wasn't worth the time to me to try and find the exploit or virus anymore...
 

cycleman77

Senior member
Jan 16, 2001
352
0
0
I got one of those. But I never imaged my machine. :frown:

I just built this one back in August. Went back to school, and never got to it.
I'm regretting it now.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Originally posted by: cycleman77
Emptying the browser's cache and temp files was the first thing I did.

HJT is in its own directory. And I did not run it in Safe mode.

I haven't heard anything good about SP2. So I have been very hesitant in installing it.


Oh really? This says otherwise:
C:\DOCUME~1\Peter\LOCALS~1\Temp\Rar$EX00.343\HijackThis.exe

I took that from your HJT log .... so, if it's in its own directory ..... why doesn't it say so?

Other than the suggestions that Schadenfroh made, your log is clean.

 

cycleman77

Senior member
Jan 16, 2001
352
0
0
Yes really.

When I said "Emptying the browser's cache and temp files was the first thing I did." I thought it was understood that it was the browser's cache AND the browser's temp files (Temporary Internet Files).

I did empty out the Temp directory, but obviously that was after I ran HijackThis.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Ok, I see where we had the misunderstanding. I meant browser cache, temporary internet files, and your temp directory .... the one where HijackThis was previously residing. Also, empty your recycle bin afterwards.

So, let's try again. Put HijackThis in its own directory like C:\HijackThis. This way it can store backups that we can resort to if needed. Next, give me a new HJT log and I'll go through it line by line and make sure there is nothing I missed.


 

cycleman77

Senior member
Jan 16, 2001
352
0
0
I never put anything in the recycle bin. If I delete it, I delete it. I do have Norton SystemWorks, so I do empty the Norton protected recycle bin every few days.

Here's a new HijackThis log file. I don't see anything that appears out of the ordinary. I can look at the entire log and point out almost everything there.

Thanks for looking though.

Logfile of HijackThis v1.98.2
Scan saved at 10:14:44 PM, on 11/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
D:\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
D:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Zone Labs\ZoneAlarm\zapro.exe
D:\Trillian\trillian.exe
D:\mozilla.org\Mozilla\mozilla.exe
H:\Computer\Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EF07FA-7106-40C3-B702-EA215EBAA862}: NameServer = 209.150.235.246 209.150.236.146