[24hoursupport] Re: Startpage

  • From: John Galvin <john_galvin@xxxxxxxxxx>
  • To: Majzan <24hoursupport@xxxxxxxxxxxxx>
  • Date: Tue, 11 Feb 2003 12:59:20 -0600

 

Hello Majzan,

Tuesday, February 11, 2003, 6:56:10 AM, you wrote:


M> Sometime ago I clicked on this link to a site which first of all
M> overflowed me with pop-ups (which made me finally reinstall the
M> pop-up killer) anyway what this site also did was changing my
M> start-page on my IE. I have several times changed it in the
M> settings. But it keeps on coming back when I reboot. How do I find
M> where to change it so the start-page won't change back every time I
M> reboot.


Hijacking is a common problem particularly employed by some Trojans,
search engines, pyramid sales sites and adult sites. The site puts
something in your registry so that, at boot, it always executes and
changes your homepage, your search engine or your settings. To get rid
of the problem you probably need to edit the registry.

First clean out your Internet Explorer cache, remove the cookies,
history and Temporary Internet Files (using Tools > Internet Options)

Next go to http://www.lavasoftusa.com and download Adaware which will
remove traces of any Spyware etc that may be on your machine.

Alternatively visit www.spywareinfo.com and download Spybot S&D from
the downloads page.

I would then suggest that you backup your registry before using
Regedit to edit your registry.

Click Start > Run. (A Run dialog box will now appear)
Type Regedit, click OK. (Registry Editor will open)
Click the Registry > click Export Registry File

In the Export Registry File dialog box put these values:
Save in: Desktop
File name: Registry Backup
Save as type: Registration Files
Export range: All

Click Save then close the Registry Editor.

You should now have an icon labelled "Registry Backup.reg" on the
desktop. If things go wrong then you can restore your registry by
double clicking on this icon. If everything goes OK then you can
delete it.

If you find that you cannot use Regedit then you should download the
following file

http://www.spywareinfo.com/downloads/regedit.reg

Save the file onto your hard drive then double-click it. The registry
information will be added to the registry and should allow you to
access Regedit again.

If you have found that you cannot access the Internet then you can
create this file yourself. Open Notepad or Wordpad and type the
following into a new document

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

Save the file with the filename Registry.reg, double-click it and add
the info to the registry.

You can copy and paste this text from the lines above into the new
document if you wish.

Having been locked out of Regedit would suggest the presence on your
machine of a program called Openme.exe. Use Start > Find > Files &
Folders to locate this file and delete it.

To make the change click Start > Run > type Regedit click OK.

Open the following keys in the left hand side window by clicking the
little + sign next to the keys (you will have to scroll down in each
section as it opens)

Find the registry key

HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows
+CurrentVersion
+RunServicesOnce

look for anything that looks like the unwanted web pages called up.
Also try

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

or in Regedit click Edit > Find to search for the page you are looking
for (search for the site name but don't use the www. or the .com part
as this will limit the search) You can use F3 to search again after a
find. If you find a value listed you should click on the value in the
right hand window and press Del. If you cannot locate the name you
should also look at the IP address that the site is at so that you can
search for that too.

If you have fallen prey to your homepage being hijacked more than once
(so, you play with fire but who cares?) then you can prevent this from
happening again with another registry edit. Open Regedit as above and
navigate to

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\ControlPanel

If you cannot find this value then you will need to create it as
follows. Navigate to the following

HKEY_CURRENT_USER\Software\Microsoft\

Right click on Microsoft and select New > Key > call the key
InternetExplorer (please note there is no space between the words).
Right click on InternetExplorer then select New > Dword > call the
dword HomePage. Give the dword the value of 1 to restrict access to
the homepage but you can later change this to 0 to allow changes to
apply. You will see your change in Internet Explorer when you click
Tools > Internet Options and find you cannot change the homepage
again.

If your default search engine has been hijacked you can solve the
problem using the following registry edit. Run Regedit as described
above and look for the following key

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\SearchUrl

In the right hand pane you should change the value from the current
(unwanted) search engine to something like http://www.google.com or
http://www.msn.com or your favourite search engine address.

If you cannot access the Internet Options Control Panel then use Start
> Find > Files & Folders to locate a file called Control.ini on your
hard drive. Right-click on this file and select "Open With." Select
Notepad or Wordpad from the list and look for the following line

[don't load] inetcpl.cpl=yes.

Delete the line then save the file. Close down Windows and restart
your computer.


At the following site you will find a program called HTA Stop which
can disable some programs which hijack your browser.
http://nsclean.com/htastop.html

If you use Windows 98 or above you can use MSCONFIG to read your
Win.ini file for unwanted programs but for Windows 95 users you can
download a startup manager. There are many to choose from and you can
download them from here

http://download.com.com/3120-20-0.html?qt=startup+manager&tg=dl-2001

Under the Startup programs (programs that start when Windows starts)
look for suspicious entries and any entry that includes "Regedit /s"

Under the System.ini you should look for the section labelled [boot].
The only entry commencing with the shell= should say
shell=explorer.exe, you should delete any other entries.


If you are an AOL user you should look for sites which have secretly
joined your trusted sites list

Tools > Internet Options > Security > Trusted Sites Click the sites
Tools > button and remove anything there without your permission.


Specific problem programs and sites
==========================

Gohip.com see http://accs-net.com/smallfish/gohip.htm

Ezcybersearch see http://www.ezcybersearch.com/uninstall.html

Lop.com see http://www.lop.com/uninstall.exe

Newdotnet - Go to Control Panel > Add/Remove Programs to remove this.
Start Internet Explorer and go to Tools > Internet Options > Temporary
Internet Files > Settings > View Objects If there is an entry called
"tldctl2" then delete this.

If you are getting a Newdot~2.dll error message then use Regedit to
locate
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look for an entry in the right hand pane which contains NEWDOT~2.DLL
(look for NEWDOT~1 as well!) Click on that entry in the right hand
pane so that it becomes highlighted in blue and then press your Delete
key. Close Regedit then start your computer, the error message should
not appear.


Programs which will help you
=====================

Trojan & Spyware fix pack
http://home.earthlink.net/~rmbox/Reticulated/Toys.html

Spyblocker http://spyblocker-software.com/spyblocker/

http://clients.net2000.com.au./#johnf/spyware

http://virgolamobile.50megs.com/spyware/spyware.htm

IE-Spyad (IE6 users only)
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

Registry Prot http://www.diamondcs.com.au

For future peace of mind there is an on-line Trojan check
http://www.anti-Trojan.net/at.asp?l=en&t=onlinecheck&cl=1

These are downloadable Trojan killers
http://members.aol.com/simplysup/tremover/download.html
http://www.webattack.com/get/pcdoors.shtml

-- 
Best regards,
 John                            mailto:john_galvin@xxxxxxxxxx

Subscribe to my newsletter by sending an email to
 johnsnewsletter-request@xxxxxxxxxxxxx with 'Subscribe' in the subject
 field
 Computer tips/tutorials, security, programming etc etc

- Users can unsubscribe from this list by sending email to 
24hoursupport-request@xxxxxxxxxxxxx with 'unsubscribe' in the 
Subject field OR by logging into the Web interface at
http://webpages.charter.net/chizotz/ 
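
The manual check described in the message above (autostart keys, "Regedit /s" entries, the DisableRegistryTools lock-out) can also be run over an exported .reg file such as the "Registry Backup.reg" it creates. This is an added example, not part of the original message; the function name, the sample value names, paths and the site keyword are all constructed for illustration.

```python
import re

# Autostart keys listed in the message, lower-cased for comparison.
BASE = r"\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {"hkey_local_machine" + BASE + k for k in
            ("run", "runonce", "runservices", "runservicesonce")}
RUN_KEYS |= {"hkey_current_user" + BASE + k for k in ("run", "runonce")}
POLICY_SUFFIX = BASE + r"policies\system"
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def audit_reg_export(text, site_keywords=()):
    """Return (key, value_name, reason) findings from a .reg export."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        low_key, low_data = key.lower(), data.lower()
        if low_key in RUN_KEYS:
            # "regedit /s file.reg" re-imports settings silently at boot.
            if re.search(r"regedit(\.exe)?\s+/s", low_data):
                findings.append((key, name, "silent regedit import"))
            for word in site_keywords:
                if word.lower() in low_data:
                    findings.append((key, name, "mentions " + word))
        elif (low_key.endswith(POLICY_SUFFIX)
              and name.lower() == "disableregistrytools"
              and data.startswith("dword:") and int(data[6:], 16) != 0):
            findings.append((key, name, "Regedit is locked out"))
    return findings

# Constructed sample export: value names, paths and site name are made up.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"winstart"="regedit /s C:\\WINDOWS\\home.reg"
"updater"="C:\\PROGRA~1\\EXAMPLESEARCH\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
print(audit_reg_export(SAMPLE, ["examplesearch"]))
```

The function takes already-decoded text, so an export saved in a different encoding has to be decoded by the caller before it is passed in.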
