Dev Shed Forums > System Administration > Antivirus Protection

  #1  
June 7th, 2004, 02:17 PM
CharlesF
Internet Explorer hijacking

I believe I have been hijacked.

IE 6.0 SP1
Windows 2000 Server SP4
MS04-011
MS04-012
MS04-014

I cannot change the Home page URL. The field automatically populates itself with URL.

I get continuous Security Warnings: "Do you want to install and run 'ms-its:mhtml:file://c:\nosuch.mhtml.'"

New IEXPLORE.EXE processes continue to launch by themselves, each consuming 700KB-2MB of memory until I begin to receive warnings about low virtual memory.

Using the TCPView utility:
Path: c:\program files\internet explorer\iexplore.exe
Command Line: "c:\program files\internet explorer\iexplore.exe" URL

How do I correct the home page problem?
How do I correct the IE startup command?

Many thanks,

/CF

  #2  
June 7th, 2004, 04:53 PM
RadioactiveFrog
The best thing would probably be to install HijackThis found here
and/or run Spybot and Ad-aware and see/delete what they find.


I hope that helps

RF

  #3  
June 7th, 2004, 05:42 PM
jmatt
Free online Spyware detector
Click on > Scan without registering
http://www.pestscan.com/
Or,
http://www.spywareinfo.com/xscan.php
Screen for Adware, Spyware, Scumware, Diallers, ’Jackers and other unsolicited commercial software.

Remove Spyfiles by using these 6 programs.
Make sure you use the SpyBot/SpywareBlaster/Ad-aware/Bazooka/Swat It > Online > Update button regularly.

SpyBot
http://beam.to/spybotsd
http://www.spybot.us/spybotsd13.exe
http://majorgeeks.com/download2471.html
Editor's Note: The Resident shield in version 1.3 has an issue allowing certain cookies (specifically Double Click) when set to notify. If page loading becomes a problem, right click the icon in the Systray, select “Resident IE” and either uncheck “Use Resident in IE sessions” or check "Block all bad pages silently".
Once you have the program installed, open SpyBot and select the "Immunize" icon on the left & click on Immunize, in the new page.
Permanently running bad download blocker for Internet Explorer.
Select > Block all bad pages silently & click Install.
Then check the box "lock hosts file read-only as protection against hijackers".
Select your download site.
Open Spybot Search and Destroy. After clicking the button that says "Search for Updates" & the check is finished, you will see 5 items near the top of the window, "Search for Updates", "Download Updates", UniDo(Europe), "Show Log" and "Help". Next to UniDo(Europe) you will see a "down" arrow. Click the "down" arrow and you will see download site choices (3 in Europe, 1 in USA and 1 in Australia). Right click on your selection to make it default.
A Beginner's Guide to Spybot
http://www.trincoll.edu/depts/cc/do...pybot_guide.htm

SpyBot lock host files greyed out
If it doesn't have a hosts file you can't lock it, so that tweak will be grayed out.
Have SpyBot install its hosts file.
http://www.zerosrealm.com/immunizing.php
Note: For those running in "Basic" mode ( version 1.2 ) you will NOT see this. You must be running in Advanced mode! To get in advanced mode, a really easy way is to go to Start >> All Programs >> Spybot Search and Destroy >> Spybot Search and Destroy (advanced). Click it. You are now in advanced mode.

SpywareBlaster
http://www.wilderssecurity.net/spywareblaster.html
SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
Freeware

SpywareGuard
http://www.javacoolsoftware.com/spywareguard.html
SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.

Ad-aware
http://www.lavasoft.de/
http://www.lavasoftusa.com/
All software offered on this page is free* to download and use and compatible with Windows 98/ME/NT40, Windows 2000 and Windows XP Home and Professional.
Download sites.
http://download.com.com/3000-2144-1...page&tag=button
http://majorgeeks.com/download.php?det=506

Bazooka
http://www.webgrid.co.uk/security_2.html
http://www.winsite.com/bin/Info?17000000037943
http://www.kephyr.com/
Bazooka is freeware and Windows 95/98/ME/NT/2000/XP compatible
Click on the files found & you will be taken to a site that will show you how to remove, either with a program or manually.
It reports on all drives & partitions, so remember to check all these, when doing manual remove.
After the Download - It is important to remember that once the installation of Bazooka is completed, that you should update the File Signatures by clicking on the Update tab and check for an update.
Make sure you Update after installing & then regularly.

Swat It
http://swatit.org/
Swat It is a Completely FREE program that scans your files for Trojans, Worms, Bots and other Hacker programs. Swat It can detect and remove over 4000 different Trojan programs plus variants. Swat It was recently independently tested against popular commercial scanning software and we were absolutely delighted by the results.
After the Download - It is important to remember that once the installation of Swat It is completed, that you should update the File Signatures by clicking on the Update tab and check for an update. All Product and File Signature Updates are Totally FREE, this means that you will never have to pay a single penny to get the very latest version of Swat It or to update the File Signatures.

Beware of SpyHunter
http://www.post-gazette.com/pg/03289/231446.stm

=====================================

Use HijackThis.
Print out your logfile.
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://tomcoyote.com/hjt/
http://www.spywareinfo.com/download.../HijackThis.exe
http://www.zerosrealm.com/downloads/hjt.zip

Here is how to read the HijackThis logfile.
Compare it with yours.
http://homepage.ntlworld.com/dvk01uk/tutorial.htm
http://www.spywareinfo.com/~merijn/htlogtutorial.html
http://www.help2go.com/article153.html
http://hjt.wizardsofwebsites.com/
http://www.spywareinfo.com/bhos/
http://www.spychecker.com/program/bholist.html
http://www.spywareinfo.com/~merijn/htlogtutorial.html#r
http://www.computercops.biz/postt6393.html
http://www.google.com/search?q=spyware+list
Beginners Guides: Browser Hijacking & How to Stop It
http://www.pcstats.com/articleview.cfm?articleID=1579

===================================

You can identify BHOs on your comp with this.
http://www.spywareinfo.com/downloads/bhod/
BHODemon scans your Registry for BHOs, and presents any it finds in a list. By highlighting a BHO in this list, and clicking the "Details" button, you can see information about this BHO, and even disable it if you wish. BHOs are disabled by simply renaming the DLL that houses them. By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish. Why would you want to do that? Because the program that installed the BHO will not run if it can't find the DLL: Go!Zilla, for example, won't run if you remove its BHOs.
Works on XP.
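
Added example, not part of the thread or of any tool named in it: a short Python triage of a HijackThis log that pulls out the entry types this thread is about, namely the IE start/search page values (R0/R1), hosts file redirections (O1) and Browser Helper Objects (O2). The sample log lines, CLSIDs, paths, URLs, the `triage` function and its two allowlist parameters are all constructed for illustration.

```python
import re

# Constructed sample entries in HijackThis log layout; every CLSID, path,
# address and URL below is made up for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.example.invalid/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
O1 - Hosts: 192.0.2.10 search.example.net
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000000000A1} - C:\WINNT\System32\xyzhelper.dll
O2 - BHO: Example Reader Helper - {00000000-0000-0000-0000-0000000000B2} - C:\Program Files\Example\helper.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")              # "O2 - <body>"
REG_VALUE = re.compile(r"^(HK[A-Z]+\\[^,]+),(.+?) = (.*)$")  # key,value = data
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def triage(log_text, trusted_pages, trusted_clsids):
    """Return (section, item, detail) tuples for entries that need review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.groups()
        if code in ("R0", "R1"):  # IE start/search page registry values
            reg = REG_VALUE.match(body)
            if reg and reg.group(3) not in trusted_pages:
                findings.append((code, reg.group(1) + "," + reg.group(2), reg.group(3)))
        elif code == "O1":  # hosts file redirection
            findings.append((code, "hosts", body.partition("Hosts: ")[2]))
        elif code == "O2":  # Browser Helper Object: CLSID plus the DLL behind it
            bho = BHO.match(body)
            if bho and bho.group(2).upper() not in trusted_clsids:
                findings.append((code, bho.group(2), bho.group(3)))
    return findings


if __name__ == "__main__":
    for finding in triage(
        SAMPLE_LOG,
        trusted_pages={"http://www.example.com/search"},
        trusted_clsids={"{00000000-0000-0000-0000-0000000000B2}"},
    ):
        print(" | ".join(finding))
```

The DLL path reported for an unrecognised O2 entry is the file a tool such as BHODemon would rename to disable that BHO.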
