Sign in with
Sign up | Sign in
Your question

My Home page has been abducted.

Tags:
  • Internet Explorer
  • Windows XP
Last response: in Windows XP
Share
January 12, 2004 3:54:52 AM

I use Internet Explorer 6.0 and WIN XP Pro. Recently after a visit to a few web sites, I cannot any longer launch Internet Explorer and get my home page. Instead the home page defaults to an advertising search page that I do not want and do not choose. Obviously, some code has been added/modified on my PC to force the offending parties home page to come up. How do I rid this problem and return to the home page of MY choice. Also, this offending party has added bookmarks that I delete and then which return when the Internet Explorer is relaunched. How do I get rid of this crap?

More about : home page abducted

January 12, 2004 4:19:26 AM

Can't just go to tools -> internet option (or properties in right click menu from IE6), and set your home page to the page you want?
January 12, 2004 4:42:54 AM

No, the home page just then reverts back to they one someone put on and not mine.
Related resources
January 12, 2004 5:04:38 AM

Some stray programs must have been installed in your PC. Try to see if you got the internet optimizer and active alert installed in your add/remove programs. These 2 always come when I try to download cracks and program pathes... Or any other programs that looked alien to you.

If you know how to hack the registry editor (type regedit in run dialog box), you can also search for that website and replace with your homepage's. But don'tmess up with the registry editor if you don't know how...it will corrupt your windows.
January 12, 2004 12:29:09 PM

Your web pg has been highjacked by malware/spyware - some nasty stuff. The reason it reverts back to the ad pages on reboot is that the program has made some registry enteries that undo what you try to change back.

There are fixes! Two utilities that eliminate these programs and protect your system from future attacks are <A HREF="http://www.pcworld.com/downloads/file_description/0,fid..." target="_new">Spybot Search and Destroy</A> and <A HREF="http://download.com.com/3000-2144-10214379.html?tag=pop" target="_new">Ad-aware</A>.

I recommend downloading and installing both. Run Spybot in the advance mode - it can/will detect the improper registry enteries and eliminate them. Ad-aware is similar and sometimes catches spyware that Spybot misses. Most people here use both. Keep them updated and current - they block these "drive by" highjackings of your web pages.

And watch what pages you visit - some of adult stuff can have some pretty nasty code embedded.

/Edit: If I had to chose one - I'd use Spybot - it's more advanced in my opinion. Run update in advanced mode and run Immunize to block these spyware prgms.



<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b><P ID="edit"><FONT SIZE=-1><EM>Edited by Jake_Barnes on 01/12/04 09:57 AM.</EM></FONT></P>
January 12, 2004 3:06:12 PM

Ive used AD-AWARE and Spybot Search and Destroy for the last year. I got both from grc.com-a terrific site. However, I ran both immediately after my home page was hijacked and nothiing changed-however I did not run Spybot on Advanced mode. maybe both programs have to be run 3 or 4 times to clean out the malicious code? Is there any way I can go into my XP registry and remove the bad code direclty?
Thank you again.
January 12, 2004 5:07:20 PM

Yes - run>regedit ... but I don't know where the enteries are, sorry.

Try to run Spybot in Advanced mode & read the FAQ/instructions - very helpful.



<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 12, 2004 5:09:33 PM

Have you checked msconfig to see if there are any strange pgms loading at start-up. Try disabling what you don't recognize and see if that helps.


<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 12, 2004 7:50:50 PM

Scan Regedit for the HTTP://xxx.xxx.x.x number from the new home page. I found three of them. I cleaned the registry and all was well until I did a cold boot, then the problem child was back.
I gave up and went to the bottom of the webpage for the undesireable search engine. Their cleaner.exe did get rid of the homepage default problem, but what else it did is anybody's guess.
ZoneAlarm has not loaded properly since even after uninstall and reinstall of ZA.
I'm very likely to do a format and reinstall after backing up the files I trust.

Every working computer must be improved .... or replaced ...

<A HREF="http://www.grid.org/services/teams/team.htm?id=510E6639..." target="_new">Join the THG Team.</A>
January 13, 2004 12:57:45 AM

Ok...it's a coincident that my friend's PC also got this problem yesterday. So, I searched through the registry for the website. Found it (in fact many keys) but I didn't delete it first but later. I check what's the content and saw a string key refering to bmeb.dll. I did a search in his PC and found it to be reside in system32 folder. Can't delete it coz it says windows is using the file. Not even in safe mode. Too bad that he's using NTFS and I can't read it in dos. So I create a batch file to delete that file. Put it in startup list. Reboot the PC and the file is deleted. Now, the problem goes away.

Not sure if your case can be fix the same way coz here are many types of these spyware and they "spy" differently... :smile:
January 13, 2004 1:02:55 AM

Forgot to mention that the batch file was created in notepad then rename it to .bat (FYI). the content is simple, just:

del c:\windows\system32\bmeb.dll

then save it as delete.bat.

Add the line in registry:

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run

Add the string value:

Anyname (whatever you choose)

and the data as

delete.bat
January 13, 2004 1:36:02 AM

Went into the registry and found (4) URLs of the violating home page...which I deleted after running advanced Spy Bot Search. Now, that page doesnt come up as my home page but another does-Also, this spyware crap automatically times itself to come up with another home page that is sexual in nature and automaticcaly launches Internet Explorer.
f--k! Who lets these losers out of their cage? BTW Internet Explorer cannot be removed as it is an integral part of WIN XP-this is per Microsoft. So, if I go back into my registry and cannot get rid of this friggin control I will just back up my data and reformat and reinstall my OS. Cant beleive I cant get rid of this crap given that I run 2 firewalls set to max security and run AD-AWARE and SPY-BOT advanced. Anyone else go any other ideas? BTW MY Mozilla browser is completley unaffected.
January 13, 2004 1:39:22 AM

Did a search and that file was not found on my computer root drive. Thanks anyway.
January 13, 2004 2:14:47 AM

You can be sure that I will not ever use MS Internet Explorer again--its got more security holes than rotten swiss cheese and I cannot accept uninstalling my ENTIRE OS because my browser has been hijacked--Ill use Mozilla and finish my Linux box. The invading search home page keeps returning even though Ive deleted all of references to it from my WIN XP registry--also, the browser launches itself spontaneously and adds bookmarks that when deleted reappear. I hope thse clowns never find themsleves in a dark alley else they will be carbon. Its clear that there is a program running somewhere in WI XP that regenerates the bookmarks and the home pages. Help--can anyone help? Maybe a black hacker is the only answer now or maybe not?
January 13, 2004 2:29:12 AM

I found nothing unusual in my win.ini, system.ini and have literally dozens of dll's and exe files in my system32 file. any idea what I should look for else risking deleting a reqd WIN dll or exe?
January 13, 2004 2:31:15 AM

What reg cleaner works well?? I'll try that as my data files are on a separate HD and I dint care if I lose win xp at this point. Thanks.
January 13, 2004 8:15:57 AM

that Common Name thing or dialer or some other [-peep-] might be giving you those problems.......... i don't even use IE anymore, i been using Opera 7, not only does it work mad good it's got an awesome interface plus its got cool ass skins

Asus A7N8X Deluxe
80gb Maxtor
200gb WD 8mb cache..
Lian-Li PC-60
Lite-On 52X
AMD XP2800+
LeadTek GeForce 4 Ti4200 w/vivo 128mb 8x
Hitachi CML174
1 GB Corsair XMS PC3200 Cas2
January 13, 2004 10:11:57 AM

Do you happen to remember what web pg you were surfing when you happened upon this malicious POS ... I'd like to avoid it at all costs!


<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 13, 2004 12:35:54 PM

What program did you use to scan your registry.



<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 13, 2004 2:08:54 PM

Sorry, I dont recall.The invader adds 5 bookmarks to MY FAVORITES and they cannnot be deleted, launches (2) offending home pages, and hijacks my home page with (2) search bots. I will never use MS Explorer again and like and have used Mozilla and Opera in fact. This MS integration sux rocks and is history here. Boys, its the wild wild west out there and outlaws and scofflaws know no rules so watch your back!
January 13, 2004 4:21:53 PM

It's not COMPLETELY IE's fault. :tongue:

Do a virus scan as well. Some virues love to overwrite the hosts file.

<font color=red> If you design software that is fool-proof, only a fool will want to use it. </font color=red>
January 13, 2004 7:59:50 PM

Done that three times...now the sysytem is purged from infection...NAV found several virii and deleted them...still, no progress is recovering my hijacked home page, bookmarks, etc etc. If IE were not integrated to WIN it would be a simple matter to uninstall and then reinstall IE..as it is that is not the case.
January 13, 2004 8:10:46 PM

Your problem is indeed interesting. I've never encountered a "drive-by" high-jack that Spybot S&D (Advanced) and Ad-aware couldn't correct - and that includes Xupiter (3 registry enteries, 25+ bookmarks and, of course, a changed home page). If you find a fix, please post it.



<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 13, 2004 8:25:28 PM

Go here for a full explanation for what happened to my rig and how to fix it from the evil warez that were installed:

http://support.microsoft.com/default.aspx?scid=kb;en-us;320159&Product=ie600

SYMPTOMS
When you use Microsoft Internet Explorer, you may experience any of the following symptoms:
 Your Internet Explorer home page has been changed to a different Web site than the one that you selected.
 You cannot change your home page selection to the Web site that you want.

For example, when you try to change your home page in the Internet Options dialog box on the Tools menu, you may not be able to type an address in the Address box, and the following buttons may be unavailable:
 Use Current
 Use Default
 Use Blank
 You reset your home page to the Web site that you want in Internet Options, but after you restart your computer your home page selection has again been changed to a different Web site.


CAUSE
This issue may occur if one or more of the following conditions are true:
 Your computer has been infected with a virus that changed your Internet Explorer home page.

For example, the IRC.Becky.A worm and Trojan.JS.Clid.gen trojan horse viruses change the Internet Explorer home page.
 Code in the form of a malicious attack has been run on your computer.

For example, the JS.Exception.Exploit code may change the Internet Explorer home page.
 You installed third-party software that changed the Internet Explorer home page.

For example, the Xupiter toolbar from Xupiter.com, the SecondPower Multimedia Speedbar from SecondPower.com, and the GoHip! Web browser enhancement from GoHip.com change the Internet Explorer home page. You may be prompted to install one of these programs when you install other programs.




If the issue is resolved, you have installed third-party software that changed your Internet Explorer home page or code in the form of a malicious attack, such as an unknown virus has been run on your system. One of the startup items that were removed by using the clean boot method is causing the issue. Any startup items that run Regedit.exe or a .reg, .hta, .vbs, or .js file may be the cause of the issue. Leave any such startup items or suspected third-party software turned off, and then continue troubleshooting with the next step.
January 13, 2004 8:27:34 PM

SYMPTOMS
When you use Microsoft Internet Explorer, you may experience any of the following symptoms:
 Your Internet Explorer home page has been changed to a different Web site than the one that you selected.
 You cannot change your home page selection to the Web site that you want.

For example, when you try to change your home page in the Internet Options dialog box on the Tools menu, you may not be able to type an address in the Address box, and the following buttons may be unavailable:
 Use Current
 Use Default
 Use Blank
 You reset your home page to the Web site that you want in Internet Options, but after you restart your computer your home page selection has again been changed to a different Web site.


CAUSE
This issue may occur if one or more of the following conditions are true:
 Your computer has been infected with a virus that changed your Internet Explorer home page.

For example, the IRC.Becky.A worm and Trojan.JS.Clid.gen trojan horse viruses change the Internet Explorer home page.
 Code in the form of a malicious attack has been run on your computer.

For example, the JS.Exception.Exploit code may change the Internet Explorer home page.
 You installed third-party software that changed the Internet Explorer home page.

For example, the Xupiter toolbar from Xupiter.com, the SecondPower Multimedia Speedbar from SecondPower.com, and the GoHip! Web browser enhancement from GoHip.com change the Internet Explorer home page. You may be prompted to install one of these programs when you install other programs.




If the issue is resolved, you have installed third-party software that changed your Internet Explorer home page or code in the form of a malicious attack, such as an unknown virus has been run on your system. One of the startup items that were removed by using the clean boot method is causing the issue. Any startup items that run Regedit.exe or a .reg, .hta, .vbs, or .js file may be the cause of the issue. Leave any such startup items or suspected third-party software turned off, and then continue troubleshooting with the next step.
January 14, 2004 2:13:35 PM

The infection persists despite three runs of NAV with current definitions. Multiple runs of AD-AWARE and SPYBOT SEARCH no longer reveal the presence of any spy software. Mozilla has been designated as the default browser and now has been seized by the invader and shows (2) search bot home pages, multiple adult content bookmarks, and is spontaneously launched to adult content sites. This indicates that the default browser has been commandeered by the infection, which resides as code in the Windows registry and other system files. Unless a complete identification of the locations is effected, the invading virus/worm shall continue to control the browser and bookmarks.
January 14, 2004 2:39:57 PM

Gawd - that is one nasty POS! I'm sorry for all of your problems - wish I could be of more help. You might try PM'ing Toejam and see if he can help - he's a software/registry guru.

There's an interesting free anti-virus/anti-trojan program available from the McAfee people called Stinger. Quick and easy download to desktop - run it from there, might be of some help. Get it <A HREF="http://clk.about.com/?zi=1/XJ&sdn=antivirus&zu=http://v..." target="_new">here</A>.

Good luck. I think your looking at a format/reinstall. Sorry



<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 14, 2004 2:43:33 PM

One other thing - if you reinstall winXP, use Spybot to lock your home page. Advance Mode>Immunize ... and at the bottom are 3 recommended options that lock out those changes. Well, next time.



<b> ...more people are driven insane through religious hysteria than by drinking alcohol - W.C. Fields </b>
January 14, 2004 7:07:17 PM

I saw your post yesterday and don't if you have identified the source of the problem, but if you go to http://www.symantec.com you will see that they have posted a (Trojan.Bookmarker.B) virus alert on 1/13/04 that causes just what happened to you. Unfortunatly their list of tools to delete viruses as of now doesn't contain a tool to fix it yet.
January 14, 2004 7:14:00 PM

Do an online virus scan at Panda's website or Symantec's website... whatever this is, it's obvious your currently installed NAV isn't going to take care of it.

<font color=red> If you design software that is fool-proof, only a fool will want to use it. </font color=red>
!