default homepage problem....HELP.......

[fragged8]

hi
my default homepage has been changed by a site, and i cant change it back. If i got to options and change it, everything is ok until i reboot then it goes back to the undesirable page........... oh yeh its in ie5.5..
please help
thank you
frag

[Bovon]

You didn't specify what you have tried, so try this:

Go to start-->control panel-->internet options, general tab and remove what is in that window and type in the homepage url you want to go to when you connect to the net, click apply.

I have also had this happen, and would love to strangle the dude that setup the script at the site that did it.

If this dosn't fix the problem, then the registry has been altered to replace that site in internet options. You have saved registry entries on your machine...everytime you shut down normally, Windows saves that session of the registry...about 5 I think is the default. You can get a copy of the registry from a couple days back to replace yours if you don't go beyond 5 shutdowns.

Ok, now I see where you did the same thing from IE tools, internet options. Sounds like you may need to replace the current registry with a backup.

[This message has been edited by Bovon (edited 08-14-2001).]

[dontknow]

Hi,

Pls let me know whether the problem is resolved. Else, do let know the website that is annoying you. Also, specify the OS you
are using. This might help me to provide you a precise solution. Thats it for now.

C Ya. :-)

Cheers!
Krish.

[muchmark]

Hi,
To prevent homepage hijacking set your secutity setting in IE to a higher level: tools>internet options>security>costom level.

Regards...

[fragged8]

hi
thanks guys i will try your fix as soon as i log off and post the answer.

Thanks again u chaps rock

[Fingers]

I believe ActiveX and JavaScript are both capable of changing your default homepage, infact, they can even install software on your computer without your permission, if your security settings are too low.

Delete any ActiveX controls you don't want (or don't even know are installed) on your machine, then change your security settings to "prompt" for all of the options about downloading ActiveX controls.

Ditto for JavaScript. Javascript offers some great enhancements to your web browsing experience, unfortunately some websites insist on using those features to make changes to visitor's machines that they don't always appreciate....

[fragged8]

hi guys

i didnt actually restore the reg as i figured that i have booted quite a few times since this happened.
I found the keys in the registry and changed them back to my normal homepage.
presto all was fine till i rebooted, then it went back to the hijacked page again , so i guess it must be a java or active x bomb.

what do they end in ?? eg bomb.exe ?

thanks

[fragged8]

hi again

i decided to search for files containing the web address that i am being hijacked to and found the entry in USER.DAT so searched further and found a .tmp file also contained the address ( radEC539.tmp ), after that i checked the registry and found a key OPQFile C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\radEC539.tmp.

because the reg cant find this file i get an error on boot up. Can i delete these keys without messing up the registry ??

this is what the tmp file contained

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="65.165.233.xxx/top/index.html"


[This message has been edited by Fingers (edited 08-17-2001).]

[DaHazeMan]

If you've deleted that temp file then you should be able to change either the registry key or your homepage in Internet Options back to normal.

That temp file you posted the contents for is a registry entry that gets imported when called. It sounds more like a virus than simply an annoyance.

User.dat is part of your registry - the HKEY_CURRENT_USER and HKEY_USERS part I believe.

You might want to search Norton's site for that homepage and/or filename. I hate their software, but their virus explanations are good. If it is a virus it may have altered/added more in your registry than just the IE homepage.

A good example of this is the SirCam virus. It adds an entry to the Run key - or RunServices key - (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run or RunServices) to call itself out of the recycle bin. It also adds a new key - HKEY_LOCAL_MACHINE\Software\SirCam - with more info in it. There are other things it does - all of which can replace any or all of the missing parts if you happen to delete/change only some of them.

[Piccolo22]

Hi

I suspect this may be a variation on Adware or Spyware. This "rubbish" can get installed innocently with other legimate software CoffeeCup HTML editor to name but one. I discovered this because I run ZoneAlarm and it detected "something" trying to access the web - cut off cold!!

Your ref to rad something reminded of one of these adwares Radiant, there are others BEWARE.

Hope my 2 pence worth has helped rather than hindered.

[jad1097]

I went to that IP and it is a "top list" child porn site! It is an ActiveX script which changes the start page.

The tmp file contains what you posted above.


The reg key it adds in w2k is : (you also need to delete this)
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run E:\WINNT\regedit.exe /s E:\WINNT\system32\radD5ABB.tmp

You really should remove the IP address considering the content.




[This message has been edited by jad1097 (edited 08-17-2001).]

[Mntsnow]

Yes delete the KEY listed


HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run E:\WINNT\regedit.exe /s E:\WINNT\system32\radD5ABB.tmp

Also make sure you have deleted the

radD5ABB.tmp file

Also look for that under HKEY_LOCAL_MACHINE

and then lastly I would highly suggest staying away from child porn sites !

[Fingers]

jad1097 is correct, posting a address that links to that type of site isn't appropriate.

If after following jad1097 and Mntsnow's advice, the problem still isn't resolved, you better recheck for a Trojan on your machine. As I mentioned previously, also delete any ActiveX controls that you aren't sure about by going to; Tools>Internet Options>Temporary Internet Files Settings>View Objects.

[This message has been edited by Fingers (edited 08-17-2001).]

[fragged8]

hi guys

This one has sure generated some good chat, and thank you all for your help.

I would like you all to know that the site in question wasn't visited deliberately, you know what its like when these type of sites get hold of you just in the course of normal surfing.
It really anoys me when im searching for stuff about my car or diving or anything and all you get is bloody porn. You can now see why i am so desparate to remove it.

Anyway, it looks like i need to check for trojans. god what an awful place the internet can be for the novice.

Thanks guys you all kick *** :-)

[BUMTY]

Well Guys fragged8 is not the only one. I have got the same problem, he just beat me to the posting.

The site i believe caused the problem for me is the WAREZ site that was recommended on one of the Sysopt pages it worked OK, to start with, I downloaded some useful stuff from it, but then the site went down for a while, whilst being updated or some such thing. When it came back on line, I tried it again and that is when the trouble started.

I think where I went wrong was to follow some of their links, where they promised all sorts of down loads, but gave none, only porn sites, although thankfully I did not see any child porn. I got to a stage where every time I clicked off a site, 4 more pages kicked in, I had to crash my computer to get out of it all

Another problem I have now is that when I try to reset the security level to high it does not hold the setting, it just goes back to the medium setting.

And yet another problem that has started is that after the computer has been in use for a while Word 97 will not load, I have to reboot my computer, and then it is OK for a while.

WAREZ more like Blo-dy BEWARE-Z

I will follow your advice to the other person
and hope i can rid this machine of this **** WAREZ curse.