Author Hijacked Home Page
sbmike

2005-04-06, 2:26 pm

A neighbor lady asked me to check out her internet home page because it wasn't
the one she had been using. I went to 'Internet Properties' and under the
general tab found the 'Home page' section was grayed out and
'http://www.searchmircale.com/' was in the address box.

I ended up doing a search in regedit for searchmircale and replaced it with
her original home page. Now when opening IE her page is displayed but when
returning to the 'Home page' section of 'Internet Properties', it's still
grayed out.

I'm assuming that I need to remove one of the items I changed in the
registry but not sure which one.

Need help.

IE is v. 6.0 and O/S is XP.

Mike


J Figueredo

2005-04-06, 2:26 pm

Try SpyBot Search and Destroy or any of the anti spyware programs at
www.download.com. Also run an antivirus program just in case, and look at
www.getfirefox.com, great Web browser without the IE security flaws.

Good luck,

Jose
MCSA, Network+, A+

"sbmike" <sbmike@bigdog.net> wrote in message
news:5sWdnSOEc_Ay8FrcRVn-gA@adelphia.com...
>A neighbor lady asked me to check out her internet home page because it
>wasn't the one she had been using. I went to 'Internet Properties' and
>under the general tab found the 'Home page' section was grayed out and
>'http://www.searchmircale.com/' was in the address box.
>
> I ended up doing a search in regedit for searchmircale and replaced it
> with her original home page. Now when opening IE her page is displayed but
> when returning to the 'Home page' section of 'Internet Properties', it's
> still grayed out.
>
> I'm assuming that I need to remove one of the items I changed in the
> registry but not sure which one.
>
> Need help.
>
> IE is v. 6.0 and O/S is XP.
>
> Mike
>
>



Patrick Michael

2005-04-06, 2:26 pm

HijackThis! should work for this situation. It knows where to look in the
registry for browser-hijacking garbage, and lets you remove it easily.
Hopefully, the combination of this, spybot, and ad-aware can solve the
problem. In my experience, it usually does the trick.

"sbmike" <sbmike@bigdog.net> wrote in message
news:5sWdnSOEc_Ay8FrcRVn-gA@adelphia.com...
>A neighbor lady asked me to check out her internet home page because it
>wasn't the one she had been using. I went to 'Internet Properties' and
>under the general tab found the 'Home page' section was grayed out and
>'http://www.searchmircale.com/' was in the address box.
>
> I ended up doing a search in regedit for searchmircale and replaced it
> with her original home page. Now when opening IE her page is displayed but
> when returning to the 'Home page' section of 'Internet Properties', it's
> still grayed out.
>
> I'm assuming that I need to remove one of the items I changed in the
> registry but not sure which one.
>
> Need help.
>
> IE is v. 6.0 and O/S is XP.
>
> Mike
>
>



ImhoTech

2005-04-06, 2:26 pm


"J Figueredo" <jfigueredoNOSPAM@excite.com> wrote in message
news:GRKxd.12094$e33.10176@bignews6.bellsouth.net...
> Try SpyBot Search and Destroy or any of the anti spyware programs at
> www.download.com. Also run an antivirus program just in case, and look at
> www.getfirefox.com, great Web browser without the IE security flaws.
>
> Good luck,
>
> Jose
> MCSA, Network+,
>



Hmm..vague reply that hardly even addresses the problem...how original.


ImhoTech

2005-04-06, 2:26 pm


"sbmike" <sbmike@bigdog.net> wrote in message
news:5sWdnSOEc_Ay8FrcRVn-gA@adelphia.com...
>A neighbor lady asked me to check out her internet home page because it
>wasn't the one she had been using. I went to 'Internet Properties' and
>under the general tab found the 'Home page' section was grayed out and
>'http://www.searchmircale.com/' was in the address box.
>
> I ended up doing a search in regedit for searchmircale and replaced it
> with her original home page. Now when opening IE her page is displayed but
> when returning to the 'Home page' section of 'Internet Properties', it's
> still grayed out.
>
> I'm assuming that I need to remove one of the items I changed in the
> registry but not sure which one.
>
> Need help.
>
> IE is v. 6.0 and O/S is XP.
>
> Mike
>
>


It's likely that fixing the homepage problem is the least of the issues.
You'll need to first use at least AdAware and Spybot S&D to clean up the
nasties in that computer.

Concerning the homepage being greyed out, check your registry for an entry
like this:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

Or:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel

With a key called "homepage" Set to "1" prevents changes, set to "0" allows
it. BUT, you don't need this registry key at all, unless you want to add
restrictions, just delete the whole Control Panel entry.


AG

2005-04-06, 2:26 pm

>
> It's likely that fixing the homepage problem is the least of the issues.
> You'll need to first use at least AdAware and Spybot S&D to clean up the
> nasties in that computer.
>
> Concerning the homepage being greyed out, check your registry for an entry
> like this:
>
> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
>
> Or:
>
> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel
>
> With a key called "homepage" Set to "1" prevents changes, set to "0"
> allows it. BUT, you don't need this registry key at all, unless you want
> to add restrictions, just delete the whole Control Panel entry.
>

Another program that might help in this situation is BHO Demon. The
install file is here:
http://www.pcworld.com/downloads/fi...23611&fileidx=1
Also a very interesting program for those that insist on using IE is
IESPYAD. It puts a bunch of the worst offending spyware sites in the IE
restricted list so that all of the insecure ActiveX type programs just won't
run from those sites.
It can be downloaded from this page:
http://www.pcworld.com/downloads/fi...id,23332,00.asp



AG


ImhoTech

2005-04-06, 2:26 pm

In fact HijackThis can work for that problem. You'll see an entry like this:

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

If the hijacking software used the standard MS provided feature to control
the change of the homepage.
Choosing to fix it will remove the Control Panel entry entirely. I usually
don't recommend HijackThis to any but more experienced techs than the op
appeared to be though.

"Patrick Michael" <heismanpat@yahoo.com> wrote in message
news:hUMxd.64$4h.52@okepread03...
> HijackThis! should work for this situation. It knows where to look in the
> registry for browser-hijacking garbage, and lets you remove it easily.
> Hopefully, the combination of this, spybot, and ad-aware can solve the
> problem. In my experience, it usually does the trick.
>
> "sbmike" <sbmike@bigdog.net> wrote in message
> news:5sWdnSOEc_Ay8FrcRVn-gA@adelphia.com...
>
>



«bonehead;\)

2005-04-06, 2:26 pm


"ImhoTech" <bobo@yoodelers.net> wrote in message
news:10sgggqd2bpuv6b@corp.supernews.com...
>
> "J Figueredo" <jfigueredoNOSPAM@excite.com> wrote in message
> news:GRKxd.12094$e33.10176@bignews6.bellsouth.net...
>
>
> Hmm..vague reply that hardly even addresses the problem...how original.
>

Hmmm... flame reply that doesn't even address the problem... how profound...



ImhoTech

2005-04-06, 2:26 pm


"«bonehead" <noone@spam.not> wrote in message
news:h5Yxd.3537$_X7.195@newssvr33.news.prodigy.com...
>
> "ImhoTech" <bobo@yoodelers.net> wrote in message
> news:10sgggqd2bpuv6b@corp.supernews.com...
> Hmmm... flame reply that doesn't even address the problem... how
> profound...
>
>
>


You call that a flame? How n00b. And btw, Reading is Fundamental


Max M.Wachtel III

2005-04-06, 2:26 pm

sbmike wrote:
> A neighbor lady asked me to check out her internet home page because it wasn't
> the one she had been using. I went to 'Internet Properties' and under the
> general tab found the 'Home page' section was grayed out and
> 'http://www.searchmircale.com/' was in the address box.
>
> I ended up doing a search in regedit for searchmircale and replaced it with
> her original home page. Now when opening IE her page is displayed but when
> returning to the 'Home page' section of 'Internet Properties', it's still
> grayed out.
>
> I'm assuming that I need to remove one of the items I changed in the
> registry but not sure which one.
>
> Need help.
>
> IE is v. 6.0 and O/S is XP.
>
> Mike
>
>

Beginning of standard canned reply.

Update Windows. Use a firewall.
Use an Anti-Virus of your choice and keep it updated.
In Windows Explorer, set Folder Options to “show all files”.
Clean out all temp, cache, etc. files.
Download BeClean here:
http://boozet.xepher.net/beclean/

Download Sysclean from here:
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
Read this(it tells you how to use it!):
http://www.trendmicro.com/ftp/products/tsc/readme.txt
Reboot into safe mode and run Sysclean, write down results, then reboot
normally.
If offending file is in “restore” read this:
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

Download AdAware from here:
http://www.majorgeeks.com/download506.html
Read the help files, download the winsock fix, and then Update and run
AdAware.
If you lose your Internet connection after running AdAware run the fix.
Winsock Fix here:
http://www.tacktech.com/display.cfm?ttid=257

Download Spybot Search+Destroy here:
http://www.safer-networking.org/en/download/index.html
Read this:
http://www.safer-networking.org/en/tutorial/index.html
Update and run Spybot (enable all protection).

Download Spyware Blaster here: (enable all protection)
http://www.javacoolsoftware.com/spywareblaster.html

Run a couple of online scanners (pick a different one than your main AV):

BitDefender:
http://www.bitdefender.com/scan/licence.php

Norton:
http://security.symantec.com/sscv6/...GYYTZXPE&bhcp=1

Panda:
http://www.pandasoftware.com/active...n_principal.htm

eTrust:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

House Call:
http://housecall.trendmicro.com/hou.../start_corp.asp

If the previous do not solve your problems:
Download Bazooka here:
http://www.kephyr.com/spywarescanner/

Download SwatIt here:
http://swatit.org/

Download KL-Detector here
http://dewasoft.com/privacy/kldetector.htm

Download CWShredder here
http://www.intermute.com/spysubtrac...r_download.html

Download HijackThis here:
http://www.majorgeeks.com/download3155.html
Install, run and save the log that is created. Don’t let it fix anything
yet!
You can find forums to post the log to have it analyzed here:
http://tomcoyote.org/hjt/

Download eScan here:
http://www.mwti.net/antivirus/free_utilities.asp
Rename the downloaded file escan.zip and extract (with a zip program) to
C:\Downloads, which you will have to create. Run the updater
(kavupd.exe) and then run eScan (mwavscan.exe).

End of standard canned reply.

--
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)

J Figueredo

2005-04-06, 2:26 pm

No comment......

J


"ImhoTech" <bobo@yoodelers.net> wrote in message
news:10sgggqd2bpuv6b@corp.supernews.com...
>
> "J Figueredo" <jfigueredoNOSPAM@excite.com> wrote in message
> news:GRKxd.12094$e33.10176@bignews6.bellsouth.net...
>
>
> Hmm..vague reply that hardly even addresses the problem...how original.
>



Rightard Whitey

2005-04-06, 2:26 pm

sbmike wrote:
> A neighbor lady asked me to check out her internet home page because it wasn't
> the one she had been using. I went to 'Internet Properties' and under the
> general tab found the 'Home page' section was grayed out and
> 'http://www.searchmircale.com/' was in the address box.
>
> I ended up doing a search in regedit for searchmircale and replaced it with
> her original home page. Now when opening IE her page is displayed but when
> returning to the 'Home page' section of 'Internet Properties', it's still
> grayed out.
>
> I'm assuming that I need to remove one of the items I changed in the
> registry but not sure which one.
>
> Need help.
>
> IE is v. 6.0 and O/S is XP.
>
> Mike
>
>
>

Try Ad-aware or Spybot first. If this doesn't work, try demo versions of
Webroot Spysweeper or Pest Patrol. Then register one of the commercial
versions.

Thumper

2005-04-06, 2:26 pm

On Mon, 20 Dec 2004 16:26:28 -0800, "sbmike" <sbmike@bigdog.net>
wrote:

>A neighbor lady asked me to check out her internet home page because it wasn't
>the one she had been using. I went to 'Internet Properties' and under the
>general tab found the 'Home page' section was grayed out and
>'http://www.searchmircale.com/' was in the address box.
>
>I ended up doing a search in regedit for searchmircale and replaced it with
>her original home page. Now when opening IE her page is displayed but when
>returning to the 'Home page' section of 'Internet Properties', it's still
>grayed out.
>
>I'm assuming that I need to remove one of the items I changed in the
>registry but not sure which one.
>
>Need help.
>
>IE is v. 6.0 and O/S is XP.
>
>Mike
>

I have not been on this site but in similar circumstances I went to
the contact section on the help page of the site and sent an email
telling them how pissed off I was and wanted to remove it. A bot sent
an email back directing me to click on a link that will remove the
software. I'll bet if you contact them they will respond within
minutes via a bot. They probably get thousands of pissed off people a
day writing them.
Incidentally I have 4 spyware and bot checkers plus an anti virus
program. None of them removed the hijacker from my system.
Thumper
To reply drop XYZ in address

MF

2005-04-06, 2:27 pm

In my experience, adaware and spybot will not remove hijackers. they will
find one or two of the pieces and remove them, then the hijacker will
promptly restore them. problem is that hijackers dump dll's all over the
place, including users docs and settings folder. puts registry entries all
over the place to call the dlls. which then promptly restore everything
adaware and spybot have deleted.

the best automated solution is HijackThis! but its output is esoteric, so
you have to read the instructions. You _may_ also have to spend several
hours deleting stuff manually. First, search google and google groups for
your malware -that word should be replaced with scumware. You will find tons
of references. go read them. some of them will include lists of all the
crap the scumware dumps into your system, and all the registry entries it
makes. keep reading till you feel you have a comprehensive list. then boot
into safe mode. search your hard drive for the dlls and exes and delete
them. search the registry for the entries and delete them.
anything you feel nervous about deleting, simply rename. then boot
normally. if behavior is back to normal, you've succeeded. if not, do it
again. if you are like me, by the time you are done, you will have
developed a monumental hatred for the purveyors of these things.

then try running some sort of protection. i'm running bho demon - but i
haven't been to any sleazebag sites in a while, so i don't know how well it
works. and BTW, you can get hijackers by relatively innocent activity, like
following a google link to a site that provides - or says it provides -
discographies.

good luck

Mike



"sbmike" <sbmike@bigdog.net> wrote in message
news:5sWdnSOEc_Ay8FrcRVn-gA@adelphia.com...
> A neighbor lady asked me to check out her internet home page because it
> wasn't the one she had been using. I went to 'Internet Properties' and
> under the general tab found the 'Home page' section was grayed out and
> 'http://www.searchmircale.com/' was in the address box.
>
> I ended up doing a search in regedit for searchmircale and replaced it
> with her original home page. Now when opening IE her page is displayed but
> when returning to the 'Home page' section of 'Internet Properties', it's
> still grayed out.
>
> I'm assuming that I need to remove one of the items I changed in the
> registry but not sure which one.
>
> Need help.
>
> IE is v. 6.0 and O/S is XP.
>
> Mike
>
>



Bum

2005-04-06, 2:27 pm

"MF" <ctatraining@spammersgotojail.net> wrote in
news:JvmdnWkaT78JAEzcRVn-2Q@comcast.com:

> In my experience, adaware and spybot will not remove hijackers. they
> will find one or two of the pieces and remove them, then the hijacker
> will promptly restore them. problem is that hijackers dump dll's all
> over the place, including users docs and settings folder. puts
> registry entries all over the place to call the dlls. which then
> promptly restore everything adaware and spybot have deleted.


In Windows XP to correctly remove the spyware / adware and the other
pollution on the system it is advisable to take the following steps to
resolve the problem you point out:

1) Create a restore Point

2) Turn off the Automated System Restore for all partitions

3) Run Spybot and AdAware

4) Reboot

5) Repeat step 3 and 4 until the System is clean

6) Turn Automated System Restore back on for all partitions

Without turning the Automated System Restore off, XP will attempt to
restore those files and registry entries removed by the cleaning tools.

Patrick Michael

2005-04-06, 2:27 pm


"Bum" <Bum@bummer.org> wrote in message
news:Xns95CD8A64B4443Bumbummerorg@24.24.2.166...
> "MF" <ctatraining@spammersgotojail.net> wrote in
> news:JvmdnWkaT78JAEzcRVn-2Q@comcast.com:
>
>
> In Windows XP to correctly remove the spyware / adware and the other
> pollution on the system it is advisable to take the following steps to
> resolve the problem you point out:
>
> 1) Create a restore Point
>
> 2) Turn off the Automated System Restore for all partitions
>
> 3) Run Spybot and AdAware
>
> 4) Reboot
>
> 5) Repeat step 3 and 4 until the System is clean
>
> 6) Turn Automated System Restore back on for all partitions
>
> Without turning the Automated System Restore off, XP will attempt to
> restore those files and registry entries removed by the cleaning tools.


Sometimes, I like to run spybot and ad-aware in "safe mode", or "safe mode
with networking" (the latter so I can update and scan all at once). This
ensures that none of the crap is loading in the background.


Bum

2005-04-06, 2:27 pm

"Patrick Michael" <heismanpat@yahoo.com> wrote in
news:NtjAd.3638$4h.2089@okepread03:

> Sometimes, I like to run spybot and ad-aware in "safe mode", or "safe
> mode with networking" (the latter so I can update and scan all at
> once). This ensures that none of the crap is loading in the
> background.
>
>


Never thought of that ... would eliminate several reboots ... thanks for
pointing the brain to a new way of thinking .... hmmmm wish I would have
thunk of that ...

Patrick Michael

2005-04-06, 2:27 pm


"Bum" <Bum@bummer.org> wrote in message
news:Xns95CDBCDB4F3D3Bumbummerorg@24.24.2.166...
>
>
> Never thought of that ... would eliminate several reboots ... thanks for
> pointing the brain to a new way of thinking .... hmmmm wish I would have
> thunk of that ...


Yours wasn't a bad idea either...never hurts to create "restore points"
whenever you're running programs that do a lot of registry-editing to remove
spyware/crap.


«bonehead;\)

2005-04-06, 2:27 pm


"Patrick Michael" <heismanpat@yahoo.com> wrote in message
news:PNmAd.3647$4h.1228@okepread03...
>
> "Bum" <Bum@bummer.org> wrote in message
> news:Xns95CDBCDB4F3D3Bumbummerorg@24.24.2.166...
>
> Yours wasn't a bad idea either...never hurts to create "restore points"
> whenever you're running programs that do a lot of registry-editing to
> remove spyware/crap.
>


Or you could try Firefox and find out that the vulnerabilities of Microsuck
don't have to be your vulnerability also....
http://www.mozilla.org/products/firefox/

Firefox can be set up so that websites can't automatically download
crap on your machine....


--
<B0N3H3@D>
"I have no special talent. I am only passionately curious." Albert Einstein





Bum

2005-04-06, 2:27 pm

"«bonehead;\)" <noone@spam.not> wrote in
news:mKzAd.8294$by5.4166@newssvr19.news.prodigy.com:

>
> "Patrick Michael" <heismanpat@yahoo.com> wrote in message
> news:PNmAd.3647$4h.1228@okepread03...
> remove
>
> Or you could try Firefox and find out that the vulnerabilities of
> Microsuck don't have to be your vulnerability also....
> http://www.mozilla.org/products/firefox/
>
> Firefox can be set up so that websites can't automatically download
> crap on your machine....
>
>


Yes one can install and configure FireFox. Yet the fact remains the path
from IE to Firefox requires one to clean the machine first. Hence, it is
not a solution to the problem posed but rather a preventive measure.

Yes a safe boot and running spybot and adaware is a good way to solve the
problem. You may still need to reboot a few times to verify a clean
system. Once the system is clean a safe boot with network support to
download, install and configure firefox and will prevent most of these
problems in the future ...

«BONEHEAD>>

2005-04-06, 2:27 pm


"Bum" <Bum@bummer.org> wrote in message
news:Xns95CE877691FC1Bumbummerorg@24.24.2.166...
> "«bonehead;\)" <noone@spam.not> wrote in
> news:mKzAd.8294$by5.4166@newssvr19.news.prodigy.com:
>
>
> Yes one can install and configure FireFox. Yet the fact remains the path
> from IE to Firefox requires one to clean the machine first. Hence, it is
> not a solution to the problem posed but rather a preventive measure.
>
> Yes a safe boot and running spybot and adaware is a good way to solve the
> problem. You may still need to reboot a few times to verify a clean
> system. Once the system is clean a safe boot with network support to
> download, install and configure firefox and will prevent most of these
> problems in the future ...


Easy tiger... I was not posting a remedy to his current situation...
As any tech in here knows, trojans and spyware are probably the single
most problematic issues we are presented. Not only are they a pain to
remove, but the machines that get infected are also usually not backed up
in any useful way...

In the past month I have encountered a number of machines with the
WEB REBATES trojan... it took a machine with 25 running processes
to 53 running processes... time wise a clean install is the easiest route to
fix this...
You can manually try to delete entries til the cows come home, but this
trojan respawns continuously...

Running adaware, spybot, spyblaster, locks the machine up... HijackThis &
CWS shredder were useless also... These are my usual tools to fix this kind
of thing... I also removed the HD and scanned it on a different machine, it
found a lot of stuff and rebooted cleanly, but within a week the same crap
was back... (like a timebomb)

And the fact still stands that no matter how much protection you put on a
machine, if the user is not diligent with updates and scans, not to mention
not downloading every piece of free crap offered on the internet, the
problem will recur... ad nauseam...

And yes you could set up auto updates and autoscan, but the same people
that won't be educated in safe surfing are also the ones who can't be
bothered with an extra few minutes to boot up while the scans are performed...
(tell them to get a cup of coffee, " UH, I don't drink coffee " ),

I am conducting an experiment with someone as we speak...
This person is one of my main culprits (and a charity case to boot)

I have set the person up with a Linux (Redhat 9.1) box, installed
shockwave and flash, using Firefox & Thunderbird.
All he does is surf, read email, and play POGO games.
Showed him how to access all of the above, and haven't had a call in 3
weeks...

The relatively funny part is the install took no time at all, the internet
connection was automatic, the firewall is automatic, the hardware detection
was automatic, and the machine runs faster than it used to under windows 98
( AMD 600 w/256meg RAM, onboard everything).

I had to show him a few things that are located differently, but other than
that he's happy as a clam, and prefers the user interface of GNOME.
The plus for me is he can't install anything w/o being a root user.
OH yeah and it was free.

That's How I'm gonna solve the Trojan problem...........


--
<B0N3H3@D>
"I have no special talent. I am only passionately curious." Albert Einstein

