Hello Majzan,

Tuesday, February 11, 2003, 6:56:10 AM, you wrote:

M> Sometime ago I clicked on this link to a site which first of all
M> overflowed me with pop-ups (which made me finally reinstall the
M> pop-up killer) anyway what this site also did was changing my
M> start-page on my IE. I have several times changed it in the
M> settings. But it keeps on coming back when I reboot. How do I find
M> where to change it so the start-page won't change back every time I
M> reboot.

Hijacking is a common problem particularly employed by some Trojans, search engines, pyramid sales sites and adult sites. The site puts something in your registry so that, at boot, it always executes and changes your homepage, your search engine or your settings.

To get rid of the problem you probably need to edit the registry.

First clean out your Internet Explorer cache, remove the cookies, history and Temporary Internet Files (using Tools > Internet Options).

Next go to http://www.lavasoftusa.com and download Adaware which will remove traces of any Spyware etc that may be on your machine. Alternatively visit www.spywareinfo.com and download Spybot S&D from the downloads page.

I would then suggest that you back up your registry before using Regedit to edit your registry.

Click Start > Run. (A Run dialog box will now appear)
Type Regedit, click OK. (Registry Editor will open)
Click the Registry > click Export Registry File
In the Export Registry File dialog box put these values:

Save in: Desktop
File name: Registry Backup
Save as type: Registration Files
Export range: All

Click Save then close the Registry Editor.

You should now have an icon labelled "Registry Backup.reg" on the desktop. If things go wrong then you can restore your registry by double clicking on this icon. If everything goes OK then you can delete it.
If you find that you cannot use Regedit then you should download the following file

http://www.spywareinfo.com/downloads/regedit.reg

Save the file onto your hard drive then double-click it. The registry information will be added to the registry and should allow you to access Regedit again.

If you have found that you cannot access the Internet then you can create this file yourself. Open Notepad or Wordpad and type the following into a new document

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

Save the file with the filename Registry.reg, double-click it and add the info to the registry. You can copy and paste this text from the lines above into the new document if you wish.

Having been locked out of Regedit would suggest the presence on your machine of a program called Openme.exe. Use Start > Find > Files & Folders to locate this file and delete it.

To make the change click Start > Run > type Regedit click OK.

Open the following keys in the left hand side window by clicking the little + sign next to the keys (you will have to scroll down in each section as it opens)

Find the registry key

HKEY_LOCAL_MACHINE
 +Software
  +Microsoft
   +Windows
    +CurrentVersion
     +RunServicesOnce

look for anything that looks like the unwanted web pages called up.

Also try

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

or in Regedit click Edit > Find to search for the page you are looking for (search for the site name but don't use the www. or the .com part as this will limit the search). You can use F3 to search again after a find.

If you find a value listed you should click on the value in the right hand window and press Del. If you cannot locate the name you should also look at the IP address that the site is at so that you can search for that too.

If you have fallen prey to your homepage being hijacked more than once (so, you play with fire but who cares?) then you can prevent this from happening again with another registry edit.

Open Regedit as above and navigate to

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\ControlPanel

If you cannot find this value then you will need to create it as follows. Navigate to the following

HKEY_CURRENT_USER\Software\Microsoft\

Right click on Microsoft and select New > Key > call the key InternetExplorer (please note there is no space between the words). Right click on InternetExplorer then select New > Dword > call the dword HomePage. Give the dword the value of 1 to restrict access to the homepage but you can later change this to 0 to allow changes to apply.

You will see your change in Internet Explorer when you click Tools > Internet Options and find you cannot change the homepage again.

If your default search engine has been hijacked you can solve the problem using the following registry edit. Run Regedit as described above and look for the following key

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\SearchUrl

In the right hand pane you should change the value from the current (unwanted) search engine to something like http://www.google.com or http://www.msn.com or your favourite search engine address.

If you cannot access the Internet Options Control Panel then use Start > Find > Files & Folders to locate a file called Control.ini on your hard drive. Right-click on this file and select "Open With." Select Notepad or Wordpad from the list and look for the following line

[don't load]
inetcpl.cpl=yes

Delete the line then save the file.
Close down Windows and restart your computer.

At the following site you will find a program called HTA Stop which can disable some programs which hijack your browser.

http://nsclean.com/htastop.html

If you use Windows 98 or above you can use MSCONFIG to read your Win.ini file for unwanted programs but for Windows 95 users you can download a startup manager. There are many to choose from and you can download them from here

http://download.com.com/3120-20-0.html?qt=startup+manager&tg=dl-2001

Under the Startup programs (programs that start when Windows starts) look for suspicious entries and any entry that includes "Regedit /s"

Under the System.ini you should look for the section labelled [boot]. The only entry commencing with the shell= should say shell=explorer.exe, you should delete any other entries.

If you are an AOL user you should look for sites which have secretly joined your trusted sites list

Tools > Internet Options > Security > Trusted Sites

Click the sites Tools > button and remove anything there without your permission.

Specific problem programs and sites
==========================

Gohip.com see http://accs-net.com/smallfish/gohip.htm
Ezcybersearch see http://www.ezcybersearch.com/uninstall.html
Lop.com see http://www.lop.com/uninstall.exe
Newdotnet - Go to Control Panel > Add/Remove Programs to remove this.

Start Internet Explorer and go to Tools > Internet Options > Temporary Internet Files > Settings > View Objects

If there is an entry called "tldctl2" then delete this.

If you are getting a Newdot~2.dll error message then use Regedit to locate

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look for an entry in the right hand pane which contains NEWDOT~2.DLL (look for NEWDOT~1 as well!) Click on that entry in the right hand pane so that it becomes highlighted in blue and then press your Delete key. Close Regedit then start your computer, the error message should not appear.
Programs which will help you
=====================

Trojan & Spyware fix pack
http://home.earthlink.net/~rmbox/Reticulated/Toys.html
Spyblocker
http://spyblocker-software.com/spyblocker/
http://clients.net2000.com.au./#johnf/spyware
http://virgolamobile.50megs.com/spyware/spyware.htm
IE-Spyad (IE6 users only)
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD
Registry Prot
http://www.diamondcs.com.au

For future peace of mind there is an on-line Trojan check
http://www.anti-Trojan.net/at.asp?l=en&t=onlinecheck&cl=1

These are downloadable Trojan killers
http://members.aol.com/simplysup/tremover/download.html
http://www.webattack.com/get/pcdoors.shtml

-- 
Best regards,
John mailto:john_galvin@xxxxxxxxxx

Subscribe to my newsletter by sending an email to johnsnewsletter-request@xxxxxxxxxxxxx with 'Subscribe' in the subject field
Computer tips/tutorials, security, programming etc etc

- Users can unsubscribe from this list by sending email to 24hoursupport-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the Web interface at http://webpages.charter.net/chizotz/
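
The manual checks described in the message above can also be run over the exported "Registry Backup.reg" text. This is an added example, not part of the original message: it parses a REGEDIT4-format export and reports startup entries that contain "regedit /s" or a searched-for site name, plus a DisableRegistryTools value that locks out Regedit. The function names, the sample export and the site name in it are constructed for illustration.

```python
import re

# Startup keys the message lists, matched as lower-case key-path suffixes.
BASE = r"\software\microsoft\windows\currentversion"
AUTOSTART = tuple(BASE + "\\" + k for k in ("run", "runonce", "runservices", "runservicesonce"))
POLICY = BASE + r"\policies\system"

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def audit(text, site_terms=()):
    """Return (key, value_name, reason) for each check the message describes."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        for name, data in values.items():
            d = data.lower()
            if low.endswith(AUTOSTART):
                if "regedit /s" in d:
                    findings.append((key, name, "silent .reg import at startup"))
                findings += [(key, name, "mentions " + t)
                             for t in site_terms if t.lower() in d]
            elif (low.endswith(POLICY) and name.lower() == "disableregistrytools"
                  and d != "dword:00000000"):
                findings.append((key, name, "Regedit is locked out"))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"winfix"="regedit /s C:\\WINDOWS\\fix.reg"
"start"="C:\\WINDOWS\\openpage.exe http://example-portal.invalid/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

print(*audit(SAMPLE, site_terms=["example-portal"]), sep="\n")
```

As in the message, search for the site name without the www. or .com part; the script only reports entries and deletes nothing.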