MSN is hijacking my startup page!!!!!

[Jack Sprat]

Don't know what happened, but it appears that MSN is hijacking my browser
startup page. Even though I go to Internet Options and set it to BLANK, it
automatically changes it back to MSN
(http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0409&pver=6.0&ar=ho
me). I don't even need to close the browser.. just select BLANK, apply the
change, and close the internet options dialog - then even without shutting
down IE, I look at the Internet Options page again, and the startup page is
pointing back to the MSN page again!

Anyone have any ideas what the heck is going on? And how I can fix to be
open blank again?

Paul

 

[Tory]

Same thing happened to me a month ago... you have some
kind of spyware worm that is embedded in the registry and
it re-creates itself with a different filename every
time... I tried every major spyware software (SpyBot,
SpySweeper, AdAware) to get rid of it, it would find it,
get rid of it for a second, then the worm would re-create
itself...

The only 2 options I came up with was:
1. Use a different browser (Netscape/Mozilla/Avant) or
2. Format and start over.

Hopefully they've come up with some more recent spyware
software that guts it better. I'd also recommend doing a
full anti-virus scan of the system.

 

[Jack Sprat]

Thanks for the reply.

May I ask about AdAware? Had you just installed it prior to your problem?
In my case, I was using the free version, and had just updated to the SE Pro
version. It may be just a coincidence, but I started having problems right
after installing it and running a complete pass.

Paul

 

[Guest]

Go here and follow the instructions:
http://aumha.org/a/quickfix.htm
Download all recommended programs in No.1,
Follow the instruction in No. 2 & 3 for using the programs.

 

[Jack Sprat]

Thank you for the reply.

I downloaded CWShredder and it runs clean.

I already have Adaware SE Pro, and it runs clean.

I downloaded Spybot and ran it.. it detects 6 problems; however, they
reappear again on subsequent runs after I delete them with the program. I
cant seem to get rid of them. Any ideas??

The problems detected are listed below.. whether they are the cause of my
browser hijack, I am not sure:
DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-21-2444999536-1604501901-2203099609-1005\Software\Microsoft
\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

FunWebProducts: IE toolbar (Registry value, nothing done)

HKEY_USERS\S-1-5-21-2444999536-1604501901-2203099609-1005\Software\Microsoft
\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6B

B-170DE4475CCA}

.........Paul

 

[Jack Sprat]

Well, I think I finally got rid of this problem.. after MANY hours of trial
and error, rerunning the programs below and manually editing my registry to
delete the Start page for IE... AND removing Adaware SE Pro!

I believe the problem was caused by Adaware SE Pro, since it immediately
occured after I had installed it. It has plugins and hooks into IE and I
suspect it may have been the cause. I will do some more research and testing
with this, as I reinstall it again, but this time I will activate the
componets one at a time, just to see if they are the cause.

Surprisingly, CWShredder never found any problems, no matter how many times
I ran it!

Re: The problems that Spybot reported:

The 5 DSO exploits appear to be known problems.. at least that's what the
Spybot site says, and they anticipate a fix in the next update.

The FunWebProducts has finally disappeared.. Spybot only seemed to clear it
after I uninstalled Adaware SE Pro. Again, not sure if this was coincidence
or not.. will do more testing.

Paul