Please help resetting search settings in IE

[Joe]

I was wondering if anyone could help me. Somewhere along the line I went to
a site that made itself the default location for my searches in IE. I've
reset any number of times to the default and it's fine for awhile then comes
back. The site it keeps going to is http://jethomepage.com/ie when it
should be http://ie.search.msn.com/en-us/srchasst/srchasst.htm I've
searched the registry for the jet one and reset it to the default but like I
said it keeps coming back. Anyone have any ideas on where else to look?

I've done a through scan using NAV on all files, ran easy cleaner and
adaware and still no luck. Any help would be greatly appreciated!

[hugh.logue]

Hi Joe
Wot about trying Start/Control Panel/Internet Options /Homepage
Cheers
JoeLog

[TB]

Joe <bump...@hotmail.com> wrote in message
news:ywDy7.5619$Mj4.4...@nnrp1.ptd.net...

> I was wondering if anyone could help me. Somewhere along the line I went
to
> a site that made itself the default location for my searches in IE. I've
> reset any number of times to the default and it's fine for awhile then
comes

Probably the same as this:

Copied from some newsgroup:
This took some homework, but I figured it out. Amazing the security
holes that Microsoft put into their software, isn't it? Turns out,
this malicious bit of JavaScript also alters your hosts file -- this
is a special file in windows that can redirect web sites to IP
addresses. To fix it, do a file search for a filed called 'Hosts'.
It's location may vary depending on which version of windows you are
running. There's also a file called lmhosts, but I don't think it
gets affected. Open 'hosts' with notepad and erase this line:

66.40.16.218 auto.search.msn.com

Reboot your computer, and it will be back to normal.

----
How to Restore the Default AutoSearch Search Page
http://support.microsoft.com/support/kb/articles/q179/4/02.asp
----

Then in Win9x you can go into IE: Tools/Internet Options - Security Tab -
Customise and enter the site to block as the afforementioned IP address.

HTH

TB

[FelixC]

"Joe" <bump...@hotmail.com> wrote in message news:<ywDy7.5619$Mj4.4...@nnrp1.ptd.net>...

This is a new virus, apparently being distributed unwittingly through
pop-up ads on a number of sites which subscribe to pop-up advertising
services. Yet another reason why sites using pop-up ads should quit
it!

It's apparently a malicious javascript which installs a file called
sp.dll in your Windows directory, and puts "regedit -s
c:\windows\sp.dll" in the startup Run command lines in your registry
to restore the settings if you delete them.

To fix it you must:

1. Move and rename the file sp.dll from your Windows directory (if you
look at it with a text editor, you will see that it is actually a
registry .reg file containing the entries for jethomepage)

2. Run regedit, search for the regedit command line above in the "Run"
section of your registry, and delete the entry containing it.

3. Also in regedit, search for every occurance of "jethomepage.com" in
your IE search entries (there are *lots* of them - thanks again
Microsoft), and change it back to the default search page you want.

There is another suspicious file called ce.exe (ostensibly a pop-up ad
program) which may be associated with installing sp.dll, so make sure
that you get rid of that and all references to it as well. Do NOT run
the purported "uninstaller" for ce.exe. There programs have been
compressed and encrypted so that their content cannot be read.

[Joe]

"FelixC" <Feli...@yahoo.com> wrote in message
news:e991edcb.01102...@posting.google.com...
<snip>

> This is a new virus, apparently being distributed unwittingly through
> pop-up ads on a number of sites which subscribe to pop-up advertising
> services. Yet another reason why sites using pop-up ads should quit
> it!
>
> It's apparently a malicious javascript which installs a file called
> sp.dll in your Windows directory, and puts "regedit -s
> c:\windows\sp.dll" in the startup Run command lines in your registry
> to restore the settings if you delete them.
>
> To fix it you must:
>
> 1. Move and rename the file sp.dll from your Windows directory (if you
> look at it with a text editor, you will see that it is actually a
> registry .reg file containing the entries for jethomepage)
>
> 2. Run regedit, search for the regedit command line above in the "Run"
> section of your registry, and delete the entry containing it.
>
> 3. Also in regedit, search for every occurance of "jethomepage.com" in
> your IE search entries (there are *lots* of them - thanks again
> Microsoft), and change it back to the default search page you want.
>
> There is another suspicious file called ce.exe (ostensibly a pop-up ad
> program) which may be associated with installing sp.dll, so make sure
> that you get rid of that and all references to it as well. Do NOT run
> the purported "uninstaller" for ce.exe. There programs have been
> compressed and encrypted so that their content cannot be read.

Felix,
Thank you VERY much!!! I appreciate your help!! You where right on, that
was definitely my problem. I knew it was a Trojan but I couldn't find any
info on it. Would you mind telling me where you found out about it? In any
case thank you again I really appreciate it!

[FelixC]

"Joe" wrote:
> Would you mind telling me where you found out about it?

I had to remove it from a system on which it had just showed up, so I
was able to search for all files created or modified "today" on the
system as a starting point. sp.dll was one of the candidates that
showed up.

Seeing the entries for "jethomepage.com", I also searched the registry
and the C: drive for any text containing "jethomepage.com". That would
have found it too, since the file wasn't encrypted.