Cannot Change Homepage in IE

[KL]

I am unable to change my homepage in Internet Explorer. I
have tried the Internet Options procedure and run a virus
scan and "spybot", made all corrections, but the current
"adult" oriented search engine homepage of "about:blank"
continues to re-appear as the homepage everytime. Any
indeas of how to remove this unwanted search engine from
my IE homepage?

 

[MAP]

-----Original Message-----
I am unable to change my homepage in Internet Explorer. I
have tried the Internet Options procedure and run a virus
scan and "spybot", made all corrections, but the current
"adult" oriented search engine homepage of "about:blank"
continues to re-appear as the homepage everytime. Any
indeas of how to remove this unwanted search engine from
my IE homepage?
.
Dowload "Hijack this" and post in their forums.

www.spywareinfo.com

 

[siljaline]

I am unable to change my homepage in Internet Explorer. I
have tried the Internet Options procedure and run a virus
scan and "spybot", made all corrections, but the current
"adult" oriented search engine homepage of "about:blank"
continues to re-appear as the homepage everytime. Any
indeas of how to remove this unwanted search engine from
my IE homepage?

http://www.spywareinfo.com/~merijn/cwschronicles.html#aboutblank
Download and run CWShredder - "Cool Web Shredder".
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Unzip, close all Windows and running applications, click on the executable
and follow the prompts.

HTH

~Silj

--
siljaline

MS - MVP Windows IE/OE
______________________

(Reply to group, as return address
is invalid - that we may all benefit)

 

[Juan]

Greetings:

This will set the home page using Group Editor
Start\Run\Gpedit.msc\User Settings\Windows
Settings\Internet Maintenance\Connection\Proxy Settings\tick on Enable Proxy
Setting\type home page... Type port 80...

Download tweak "Home Page Lock for Internet Explorer"...
this reg file allows you to lock your Home Page choice for/within Internet
Explorer..
http://www.kellys-korner-xp.com/xp_tweaks2.htm#sec


Hope this helps.

---------------------Original Message-------------------------

 

[Guest]

In addition to what these people have said, to prevent repeats of this ( or at least try to ) you should download a program to scan for Ad/Spy-ware ALL the time. On top of that, you should really consider what you are downloading, who you are downloading from, and what you are agreeing to when you click on anything in the future.

 

[John]

Hi,

I came across your discussion on "about:blank" homepage problem on
Deja's Usenet Archive. I was hoping maybe you can help me to
eliminate it. I would personally appreciate and thank you for taking
time going over the email.

Like other people, I also faced the same problem that everytime I
started my IE browser, it was redirected to the "about:blank"
homepage.

I have tried VirusScan On-Demand Scan, which did not detect anything
wrong, with the "about:blank" homepage still there.

I also have tried StartPage Guard... it worked well before until the
"about:blank" homepage started to appear in my computer.

I aslo have tried Ad-Adware 6.0. It detects the following three:
1) Vendor: CoolWEbSearch
Type: RegValue
Category: Malware
Object: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Internet Explorer Main\
Comment: "HOMEOldSP"
2) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOTROTOCOLS\Filter\text/html\
3) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOTROTOCOLS\Filter\text/plain\

So I removed the above three items. But when I started my IE browser
again, the "about:blank" homepage appeared again. The same three
items were detected by Ad-Aware 6.0 again.

Spybot-S&D (advanced mode) did not detect anything wrong, with the
"about:blank" homepage still there.

CWShredder v 1.56.0 reported the followings after scan:
Windows XP (5.01.2600 )
Windows dir: E:\WINDOWS
Windows system dir: E:\WINDOWS\system32
AppData folder: E:\Documents and Settings\John\Application Data
Username: John

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Found Hosts file: E:\WINDOWS\system32\drivers\etc\hosts (734 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit]
E:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains:
*.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains:
*.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains:
*.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains:
*.teensguru.com [*] dword:4
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: E:\WINDOWS\win.ini (615 bytes, A)
Found System.ini file: E:\WINDOWS\system.ini (227 bytes, A)

When I ran the software CWShredder v 1.56.0 to remove them, the
following 6 infected IE registry values were removed:
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

But when I started IE browser again, the "about:blank" homepage still
appeared and same items were re-detected by CWShredder v 1.56.0.

HijactThis v1.97.7 reported the followings after scan:
Logfile of HijackThis v1.97.7
Scan saved at 12:28:41 PM, on 4/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\mcshield.exe
E:\Program Files\Network Associates\VirusScan\vstskmgr.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\System32\P2P Networking\P2P Networking.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {833B2A57-605F-4F8E-8BDF-88657B3EB17E} -
E:\WINDOWS\System32\ehmh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network
Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] e:\program files\pjw\spguard\spguard.exe
/s /r
O4 - HKLM\..\Run: [P2P Networking] E:\WINDOWS\System32\P2P
Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program
Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft
Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O8 - Extra context menu item: &Google Search - res://e:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O13 - DefaultPrefix:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)
-
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38083.4370601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I did not try to fix anything there because the scan may contain
false-positives.

That's so far I have tried to do with no avail. Any suggestions?

Thank you again taking time to go over everything.

Thank you,
-John

 

[Guest]

I tried to manually clean the reg values but they kept coming back so I did a system restore and a restart and the reg values were restored to their original value..hope this helps