
IE6 Start Page getting hijacked


  • This topic is locked
No replies to this topic

#1 davidi (New Member, 2 posts)

Posted 27 January 2008 - 01:41 AM

Hi.

edit Jan 30 2008:
(NOTE: This can be marked as RESOLVED [yippee!]. See Edits at end of this post for the updates and details but the end result answer was that I had ZoneAlarm 6.5.x installed and that version is reported to have a lock on the start page which can only be changed when 6.5.x is not running (which is more than turning it off) or when in safe mode (which has ZA not running). I've uninstalled that old version of ZA and now run with the latest ZA which does not have the 'locked' start page problem!!!) You can read the original post below and then at the bottom are the edits that I posted as I continued trying to figure this out while waiting for help here. I hope this is useful to someone else. Thanks.
end edit Jan 30 2008

This computer has something that keeps resetting the IE start page to MSN. Even right after I set it to www.google.com it almost immediately gets set back to the MSN webpage that I don't want it to be. I did have a number of other problems which I found and had cleaned up using Ad-Aware 2007, Spybot Search & Destroy 1.5, and SuperAntiSpyware (all updated with latest definitions before scanning and cleaning.) I have checked both Spybot and SuperAntiSpyware to make sure both are not trying to "protect" my home/start page. Both are turned off in that area of protection. I have tried using REGEDIT and going straight to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and tried setting "Start Page" from the undesired url to "http://www.google.com/" however I get an error from REGEDIT saying "Error Editing Value - Cannot edit Start Page: Error writing the value's new contents."

Repeating scans from Ad-Aware 2007, Spybot Search & Destroy 1.5 and SuperAntiSpyware now come back clean (I've rebooted between cleanings). I've also run Avg Anti-Spyware in safe mode (after first updating it) and it comes back clean.

I'm stuck and don't know what else to look at or do. Any help would be very much appreciated!

Help please. Thank you!

- David I

Here's my HJT log. Note I am running pcAnywhere to access this computer on my LAN and you will see those entries in the HJT log. But I have the problem independent of pcAnywhere. The HJT log:

-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:19:42 AM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160751020859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160751079546
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

edit (additional information Jan 27 2008, 12:41 PM):
I should have also mentioned that occasionally IE will not open at all. IE hangs unopened but with iexplorer.exe in the process list. Clicking to try and open IE again when in this state just adds another iexplorer.exe to the process list. I do not know if this is related or not. It is intermittent between different restarts. Usually IE does open ok. But I did want to share that this does happen on occasion as it might be useful to know.

Also when I have tried to use IE > Tools > Internet Options ... > General to set the homepage and then click 'OK' to make that change ... I can see almost immediately down in the IE status bar at the bottom of the IE window some web action by the hijacker that's taking place to change it right back to the site I don't want it to be. Thank you. End of edit.

edit (additional information Jan 29 2008, 10:55 AM):
I have found that when I boot to safe mode (with or without networking) that I can successfully change the start page and it sticks. And when I restart into full windows mode that change is still there (whatever I changed it to from safe mode). But when in full windows mode changing the start page fails (can try and fail from the IE > Tools > Internet Options or going to the same place via Control Panel > Internet Options.) Trying to set it to something different than what it is results in it not 'taking' the setting. When I reopen the Internet Options I can see the change didn't take place.

So I have tested turning off all Startup items (current user, default user and all users) and all Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce (for current user, default user and all users) items using codestuff starter. There were a couple (like ZoneAlarm and GoogleNotifier) that were persistent but for any I could I disabled them and restarted in full Windows mode. Unfortunately the problem remained.

I then temporarily uninstalled GoogleToolbar, GoogleUpdater (got rid of the GoogleNotifier startup) and uninstalled SpyBot S&D (I wanted to make sure that it wasn't trying to protect my start page - which it said it wasn't but I wanted to be sure) and uninstalled SUPERAntiSpyware (which also can protect the start page but wasn't set to do so but just to see if this would help) restarted full windows and temporarily turned off ZoneAlarm (I am behind a hardware firewall that I test often so I'm pretty protected against incoming threats). Unfortunately the problem remained. So that leaves me thinking that it may be associated with some service that's starting up in full windows but not in safe mode. So I'm going through a process of comparing services that are in the 'started' mode in safe mode vs. those and more services that are in 'started' mode in full windows to see if I might identify a service or set of services that is associated with this. It *sounds* like a reasonable thing to explore but I don't know if it will yield any answers or not.

One more thing. I used Process Monitor from Microsoft/Sysinternals (got a fresh new version of it) and while I can see iexplorer trying to read and change the start page registry key value, I haven't really noticed or been able to tease out some other process 'undoing' that or accessing the same registry key. Which leads me all the way back to the idea in the top of my post that perhaps there's something to the REGEDIT error saying "Error Editing Value - Cannot edit Start Page: Error writing the value's new contents" when I tried to manually change that setting. That there is some permission that is OK when in safe mode but when in full windows mode there is not adequate permission to set that value. That perhaps some malware at some point did among other things something to change the permission on that key or value so it would be difficult to change the value. Unfortunately I am not as familiar with the permissions on registry keys (I have fixed something once related to that on another computer but that was only once and a while ago.) My thoughts are that I might compare the permissions on a working system for that registry key with the problem system and see if anything looks obvious as a problem.

That's it for now. I welcome ideas, thoughts or help. I apologize if my efforts have reduced anyone's ability to end up helping. I understand. End of Jan 29, 2008 10:55 am edit.

edit (additional information Jan 29 2008, 11:55 AM):
I tried a few things as I said I would above and no answers. I checked the permissions and ownership of the key with a good XP machine and also with what the machine shows in safe mode. Nothing strange or different here. I set the owner to the owner for that one key and items below it but that didn't do anything either so I set it back the way it was. Next I noted what services were off during safe mode vs. full windows mode. I then proceeded to stop and disable all those that were different between the two modes. I then restarted windows full mode (with the services greatly reduced as found when starting in safe mode) but unfortunately the problem remained. So while I have been able to narrow the problem existing vs. not being a problem between running in safe mode vs. full mode I don't know what it is that's in control here.

I'm getting to the point where I'm thinking things may be fine as they are. I don't change the start page often and so if I ever want to I do it in safe mode. IE hasn't been freezing or crashing hardly at all (perhaps no longer.) I have uninstalled/reinstalled SpyBot S&D a couple of times along with SUPERAntiSpyware to see if there were any interactions with this or each other. I think that may have been helpful for the intermittent crashing IE problem (just guessing here) as at one point I saw SpyBot S&D had two BHO's but now it's only showing one. Scans by SpyBot, SUPER come back clean. So maybe it's time to stop worrying about this start page problem and get on with using the computer. SpyBot, SUPER, Ad-Aware and SpywareBlaster are all in place and part of regular routine. AVG is in place. ZoneAlarm is in place along with a hardware firewall.

The only thing I don't know about is the R1 setting for ProxyOverride. So any info here might be nice. Otherwise - unless you see something I should take notice of then I suppose this system is fine and we can close this.

As a final note: I have signed up to take the classes here to hopefully be a helper someday. In the few days since signing up and reading what to do and don't do I realize that I probably did a lot of 'don'ts' with this machine before coming here. Things that removed a lot of evidence and help determining what the root causes might have been and perhaps doing things out of order that would be risky or again remove help in determining what was there before. This was all done before coming here. Wish I had been here sooner! But I'll hopefully be wiser for the future. Thanks. I'll check back to see if there is any *news* about this that I have failed to catch but I would be OK if this gets marked 'resolved' if that is deemed to be the best thing to do. Thanks - Davidi

edit Jan 30, 2008 10 AM:
I couldn't let this go without a few other leads and searching on the internet. Good news! I found the problem I was having with a pointer to an answer on the spybot forum. Here's a link to the problem and answer for Zone Alarm 6.5.xxx free version locking the users IE Start Page and how to get around it.
http://forums.spybot...amp;postcount=5
(Or now ... upgrade to the latest free version which is now OK.)
I now have ZA 6.5.xxx uninstalled and their latest version installed and running and I can freely change my start page (or have other programs such as Spybot S&D or SUPERAntiSpyware enabled to do Start Page protection successfully which before they could not do because of this problem.)
I hope this information proves useful for someone. Thanks!
end of edit

Edited by davidi, 30 January 2008 - 08:42 AM.
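The post works through three checks by hand: reading the `Start Page` value under `HKCU\Software\Microsoft\Internet Explorer\Main`, looking at the permissions on that key, and comparing which services run in safe mode against normal mode. The script below is an added example that bundles those same checks into one diagnostic; it is not from the original post or from any of the products named in it. It assumes Windows PowerShell with the registry provider, and that `SAFEBOOT_OPTION` (a variable Windows sets only when booted into Safe Mode) can be used to label which mode a snapshot was taken in. Run it once in normal mode and once in Safe Mode; the second run prints the services that were running only in normal mode.

```powershell
# Added diagnostic script (not the original poster's). Assumes Windows PowerShell
# with the HKCU: registry drive available.

$keyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$valueName = 'Start Page'

# 1. Read the current start page value so the write test below is non-destructive.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
Write-Host "Current '$valueName': $current"

# 2. Dump the ACL on the key. A missing SetValue right for the current user
#    would explain REGEDIT's "Error writing the value's new contents" message,
#    and is the thing to diff against a known-good machine.
Write-Host "`nAccess entries on $keyPath :"
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Write test: write the same value back and confirm it sticks. A product
#    that intercepts or reverts writes (as the poster found with ZoneAlarm 6.5)
#    shows up here as an error or as a value that silently differs afterwards.
try {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $current -ErrorAction Stop
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($after -eq $current) {
        Write-Host "`nWrite test: OK, the value can be written from this session."
    } else {
        Write-Host "`nWrite test: value changed underneath us, now '$after'."
    }
} catch {
    Write-Host "`nWrite test FAILED: $($_.Exception.Message)"
}

# 4. Snapshot the running services, labelled by boot mode. SAFEBOOT_OPTION is
#    set by Windows in Safe Mode (MINIMAL or NETWORK) and absent otherwise.
$mode = if ($env:SAFEBOOT_OPTION) { 'safemode' } else { 'normal' }
$snapshotFile = Join-Path $env:USERPROFILE "services-$mode.txt"
Get-Service |
    Where-Object { $_.Status -eq 'Running' } |
    Select-Object -ExpandProperty Name |
    Sort-Object |
    Set-Content -Path $snapshotFile
Write-Host "`nRunning services ($mode) saved to $snapshotFile"

# 5. Once both snapshots exist, list services running only in normal mode;
#    these are the candidates the poster was isolating by hand.
$normalFile = Join-Path $env:USERPROFILE 'services-normal.txt'
$safeFile   = Join-Path $env:USERPROFILE 'services-safemode.txt'
if ((Test-Path $normalFile) -and (Test-Path $safeFile)) {
    Write-Host "`nServices running in normal mode but not in Safe Mode:"
    Compare-Object -ReferenceObject (Get-Content $safeFile) -DifferenceObject (Get-Content $normalFile) |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { "  $($_.InputObject)" }
}
```

The write test deliberately writes back the value already present, so running it on a healthy machine changes nothing; the interesting outcomes are an exception (permissions or a filter driver refusing the write) or a post-write value that differs from what was written (something reverting it). The service list from step 5 is a starting point, not a verdict: each remaining service still has to be stopped one at a time and the write test repeated, which is the procedure the post describes.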
