Google Answers Logo
View Question
Q: hijacked Internet Explorer home page ( Answered 5 out of 5 stars,   3 Comments )
Subject: hijacked Internet Explorer home page
Category: Computers > Software
Asked by: harlequin3-ga
List Price: $5.00
Posted: 19 Jun 2004 14:09 PDT
Expires: 19 Jul 2004 14:09 PDT
Question ID: 363446
I?m running Windows XP professional and IE 6.0.28. I have a DSL
connection to the internet. My internal explorer has been hijacked! I
assume this occurred while I was surfing the net and Norton antivirus
detected a virus which I deleted as they recommended. Unfortunately
now my home page on Internet Explorer has been reset to; 
res://grrmr.dll/index.html#23999 . I normally use google as my home
page. Now I cannot get it back as my home page. I can access google
manually however.
      When accessing Internet Explorer the bad address mentioned above
automatically reappears even though I have deleted it from the ?you
can change what page you use as your home page? box and replaced it
with google. I have found the ?grrmr.dll? file listed as an
application extension in the System 32 folder. I tried deleting this
to the recycle bin but the problem persists. I have also run Norton
antivirus, Spybot, and Adaware without success. Attempting to reset
the home page under the ?general? tab of Internet Options doesn?t work
as I mentioned above. Neither does the ?reset web settings? under the
?programs? option under Internet Options. Clicking the ?restore
default? button in the Internet Options site merely again restores the
unwanted address as the default home page.  Please help me get rid of
the bad file and be able to reset my home page to what I wish.
Subject: Re: hijacked Internet Explorer home page
Answered By: aceresearcher-ga on 24 Jun 2004 13:30 PDT
Rated:5 out of 5 stars
reetings, harlequin!

Your computer has been taken over by "Homesearch Assistant" a new
variant of the CoolWebSearch adware / spyware.

Start up AdAware. In the bottom right-hand corner, it should say
"AdAware 6.0 Personal, Build 6.181". Up above, under "Initialization
Status", it should say "Reference file 01R324 22.06.2004 loaded". If
your settings for either of these do not match, click "Check for
updates now". Once the update has completed, if one or both of these
still doesn't match the settings I listed, you may need to uninstall
AdAware, and then download and install the latest version from
Once that's installed, be sure to click "Check for updates now" to get
the latest reference files.

Once you have the latest Build and Reference file, try running AdAware
again and remove the recommended items.

Then, start up Spybot Search & Destroy. Pull down the "Help" menu and
select "About". You should see
Spybot Search & Destroy 1.3
Latest detection update: 2004-06-23.
If your settings for either of these do not match, click the "Update"
icon menu on the left-hand side of the screen, and then click on
"Search for Updates" near the top of the page.  You'll need to exit
Spybot and restart it to check the "About" information page. If this
doesn't work, you may need to uninstall Spybot, and then download and
install the latest version from

Once you have the latest Version and Detection Update, try running
Spybot again and remove the recommended items.

Each time you run Spybot and/or AdAware, be sure to download the
latest updates first!

Then, open up your Norton Anti-Virus dialog box and select
"LiveUpdate" in the upper left-hand corner to download any needed
additions to the program and its virus definitions. If NAV wants you
to restart your system, let it do so. Then, from the NAV dialog box,
click "Full System Scan" and "Scan Now".

Then, download and run HijackThis!    

Once the Scan is completed, click "Save log", and copy and paste here
a copy of your HijackThis! scan log.

Something to keep in mind is that even if these programs give your
system a "clean bill of health", it does *not* mean that you can be
absolutely sure that your system is clean. It is only a *reasonable
assurance* that it is clean.

Please let me know whether these steps resolve your problem, or
whether you need more assistance.

Before Rating my Answer, if you have any Questions about the above
information, please post a Request for Clarification, and I will be
glad to see what I can do for you.


harlequin3-ga rated this answer:5 out of 5 stars

Subject: Re: hijacked Internet Explorer home page
From: justanaveragenewbie-ga on 23 Jun 2004 22:53 PDT
Two programs which I would recommend you try are

HijackThis (Most likely to solve your problem, difficult to use)


CWShredder.(Automated like Spybot, probably won't pick up your problem though)
Subject: Re: hijacked Internet Explorer home page
From: casey001-ga on 11 Jul 2004 08:13 PDT
i too am having this problem. Here is what hijackthis's scan log looks
like when I ran it:

Logfile of HijackThis v1.97.7
Scan saved at 10:08:06 AM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Documents and Settings\casey wilson\My Documents\Winamp\winampa.exe
C:\Program Files\\MPS\mscifapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\casey wilson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} -
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} -
c:\program files\\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} -
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
O3 - Toolbar: McAfee VirusScan -
{BA52B914-B692-46c4-B683-905236F6F655} -
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC}
- C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
- C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program
Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
O4 - HKLM\..\Run: [VSOCheckTask]
"c:\PROGRA~1\\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\Agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON
Stylus Photo RX500" /O4 "usb1" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P
Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500 (Copy 1)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P33 "EPSON
Stylus Photo RX500 (Copy 1)" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\casey
wilson\My Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search &
Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
O8 - Extra context menu item: &Google Search - res://c:\program
O8 - Extra context menu item: Backward &Links - res://c:\program
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (
Configuration Class) -
O16 - DPF: {11010101-1001-1111-1000-110112345678} -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
Subject: Re: hijacked Internet Explorer home page
From: casey001-ga on 11 Jul 2004 08:55 PDT
i ran the spybot and adware and hijackthis program, and rebooted, but
am still getting the same webpage to pop up that I'm trying to get rid
of. very very frustrating. and I've got sites added to my favorites
everytime too

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  

Google Home - Answers FAQ - Terms of Service - Privacy Policy