Q: IE highjacked by res://aemrz.dll/index.html#96676 ( No Answer,   3 Comments )
Question  
Subject: IE highjacked by res://aemrz.dll/index.html#96676
Category: Computers > Internet
Asked by: gabrielsailing-ga
List Price: $5.00
Posted: 27 Jul 2004 14:09 PDT
Expires: 17 Aug 2004 06:13 PDT
Question ID: 379892
IE highjacked by res://aemrz.dll/index.html#96676

I am running XP and IE 6, and my IE has been hijacked by
res://aemrz.dll/index.html#96676 . Every time I load IE, it has this
address as the home page - it is a search page. When I do a search on
Google, I often get redirected to a search results page with porno
related results at http://search-to-find.com/sec.php?qq=res%3A%2F%2F&pin=96676
.

I have read a number of answered questions on google, and have tried
cleaning my system, with no success, using Adaware 6.0 and Spybot, as
well as HijackThis. I have attached the log. I need help in knowing
which lines to remove using HijackThis. A good reply in this regard has
been provided at http://answers.google.com/answers/threadview?id=363412
, but I need a little more explaining on what I am supposed to remove.

hummer-ga

Logfile of HijackThis v1.97.7
Scan saved at 09:50:04 p.m., on 27/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sdkkz.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Archivos de programa\Dell\AccessDirect\dadapp.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Dell\AccessDirect\DadTray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rmbtbh.exe
C:\WINDOWS\crsa.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Archivos de programa\Olympus\DeviceDetector\DevDtct2.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\Archivos de programa\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Archivos de programa\Nikon\NkView4\NkVwMon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Microsoft Office\Office\WINWORD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gabriel Anguiano\Configuración
local\Archivos temporales de
Internet\Content.IE5\92GMV9DS\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\aemrz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://aemrz.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
res://aemrz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\aemrz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://aemrz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= res://C:\WINDOWS\aemrz.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Archivos de programa\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47AEE64C-5AEA-4ED8-103A-64D56785E44D} -
C:\WINDOWS\system32\apitr32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de
programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DadApp] C:\Archivos de programa\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de
programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de
programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos
comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [xxbhyjpjghq] C:\WINDOWS\System32\rmbtbh.exe
O4 - HKLM\..\Run: [crsa.exe] C:\WINDOWS\crsa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de
programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\IEService.exe]
C:\DOCUME~1\GABRIE~1\DATOSD~1\IESERV~1\IEService.exe
O4 - HKLM\..\RunOnce: [sdkkz.exe] C:\WINDOWS\system32\sdkkz.exe
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Archivos de
programa\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de
programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Archivos de
programa\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de
programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl
Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19723C8-B4AD-4F18-A713-766E0CC0D3F4}:
NameServer = 195.92.195.95 195.92.195.94

Request for Question Clarification by mother911-ga on 27 Jul 2004 17:43 PDT
Copy and paste this URL into your browser, it will take you to a free
online virus scan page from Panda Software.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

On the left side of the page toward the bottom click the button which
says, "Scan your PC".

You will have to say yes to a window which will popup asking for
permission to install software on your computer. I can assure you
Panda Software is very reputable, and I have used their services for
many years.

Panda Software Anti Virus will remove this virus and any others you
are currently hosting on your system. It will also let you know if
there are any they can't remove.

If you are unable to copy and paste the URL into the browser, you can
open Notepad, copy and paste the exact following text:


<html>
<body>
<a href="http://www.pandasoftware.com/activescan/com/activescan_principal.htm">Panda Software</a>
</body>
</html>

Click on file/save as

Choose a location that you can easily remember, I suggest your desktop.
Change the file type from .txt to any files. 
Choose a file name (any name is fine, call it virus.html if you want
as long as it ends in .html)
Then click save.

Go to your desktop and double click the file that you just created. It
will open in a web browser if you made it correctly. It will be a
white page with blue text which says, "Panda Software". Click on the
words Panda Software and it will take you to the anti virus page we
discussed earlier. If you have any questions please feel free to ask
them here.

Mother911-ga

Request for Question Clarification by mother911-ga on 27 Jul 2004 17:45 PDT
Second note: Adaware should also remove this. Make sure you are
updating the virus definitions before running any scan.

Mother911-ga

Clarification of Question by gabrielsailing-ga on 29 Jul 2004 06:15 PDT
I will try the Panda software tonight, and let you know of the
results. I am not optimistic, however, since I already have Adaware
and Spybot, followed by hijackthis. I run them in that sequence, and
each time they do detect stuff and remove it from my disk. Next time I
launch IE, I am back to square one.

I think the answer will lie more on knowing what to remove using
hijackthis - as I am reluctant to remove everything that shows up on
the log file.

Request for Question Clarification by hummer-ga on 29 Jul 2004 07:08 PDT
Hi gabrielsailing,

1) First, run HouseCall, a very thorough online virus scan - have it
fix or delete everything it finds.

HouseCall:
http://housecall.trendmicro.com/

2) Next, download and run About:Buster 1.5:

Spyware Tools | About:Buster 1.5:
"Important steps to getting this tool to work properly:
Start About:Buster, on the first prompt hit Ok, then Start, And Ok
once more to start the scan. About:Buster will start removing objects
and run once more to finish its cleanup. Restart your computer. If
this does not work boot into safe mode and run through the directions
once more"
http://www.majorgeeks.com/download4289.html

After you restart and boot into Safe Mode, run the scan two more times
(not just once as the directions say above).

3) Launch Ad-Aware again, Check for Updates, and then make sure it is
configured for a full scan.

Click on the Gear icon (second from the left - preferences/settings):
  General - Select:
     Automatically save log-file
     Automatically quarantine objects prior to removal
     Safe Mode (always request confirmation)
Click on the Scanning button (left) - Select:
     Scan Within Archives
     Scan Active Processes
     Scan Registry
     Deep Scan Registry
     Scan my IE favorites for banned URL's
     Scan my Hosts file
     Under Click here to select drives + folders, choose:
        + All of your hard drives

Click on the Advanced button (left) - Select:
    Include additional process information
    Include additional file information
    Include environment information
    Include additional object details

Click the Tweak button:
  Scanning Engine - Select:
    Unload recognized processes during scanning
        Include basic Ad-aware settings in logfile
        Include additional Ad-aware settings in logfile
  Under the Cleaning Engine - Select:
    Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start / "Activate in-depth Scan" / "Use Custom Scanning Options" / 
Next / Save the log file / Finish

When finished, right-click the window, choose "Select All" / Next / Reboot.

Good luck - please let us know how that goes,
hummer

Clarification of Question by gabrielsailing-ga on 29 Jul 2004 10:58 PDT
I've tried steps 1 through 3, with no success. Initially it gets rid
of items, but when I reload IE, the problem persists. I am again
pasting a copy of the log generated by HijackThis. The trick, I think,
will be to know what items to fix. There are lots of exe files, and I
just don't know which ones to remove without destroying my systems.


Logfile of HijackThis v1.97.7
Scan saved at 06:53:57 p.m., on 29/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sdkkz.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Archivos de programa\Dell\AccessDirect\dadapp.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Dell\AccessDirect\DadTray.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rmbtbh.exe
C:\WINDOWS\crsa.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Archivos de programa\Olympus\DeviceDetector\DevDtct2.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\Archivos de programa\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Archivos de programa\Nikon\NkView4\NkVwMon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gabriel Anguiano\Configuración
local\Archivos temporales de
Internet\Content.IE5\92GMV9DS\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\aemrz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://aemrz.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
res://aemrz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\aemrz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://aemrz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= res://C:\WINDOWS\aemrz.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.euro.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Archivos de programa\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47AEE64C-5AEA-4ED8-103A-64D56785E44D} -
C:\WINDOWS\system32\apitr32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de
programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DadApp] C:\Archivos de programa\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de
programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de
programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos
comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [xxbhyjpjghq] C:\WINDOWS\System32\rmbtbh.exe
O4 - HKLM\..\Run: [crsa.exe] C:\WINDOWS\crsa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de
programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\IEService.exe]
C:\DOCUME~1\GABRIE~1\DATOSD~1\IESERV~1\IEService.exe
O4 - HKLM\..\RunOnce: [sdkkz.exe] C:\WINDOWS\system32\sdkkz.exe
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Archivos de
programa\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de
programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Archivos de
programa\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de
programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl
Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19723C8-B4AD-4F18-A713-766E0CC0D3F4}:
NameServer = 195.92.195.94 195.92.195.95

Request for Question Clarification by hummer-ga on 29 Jul 2004 12:38 PDT
Hi gabrielsailing - I'm sorry you are having so much trouble.

Please do not "remove everything that shows up on the log file",
that's not the way HijackThis works - most of the stuff you will keep.

Could you please post your log on the Tech Support Guy Forum - I'm
sure he will be able to help you - have a look at the following
exchange:

http://forums.techguy.org/archive/index.php/t-249117.html

Tech Support Guy Forum:
http://forums.techguy.org/index.php

Good luck!
hummer

Clarification of Question by gabrielsailing-ga on 02 Aug 2004 03:17 PDT
Resetting the home page on IE from the tools menu option is one of the
first things I tried, and it does not work as it reverts back to the
problem url. In fact, a friend tried doing this manually, I believe
with Regedit, and the default url keeps pointing to the problem url,
no matter how much you try to edit it.

This is part of the virus, and one of the features that makes it so
nasty and hard to remove.
Answer  
There is no answer at this time.
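
An added example, not part of the original thread: a small Python parser that rejoins the wrapped HijackThis entries from the log quoted in the question and groups the IE Start/Search registry values that point at a res:// page inside a local module, so every value referencing the same DLL can be reviewed together. The function names are hypothetical, and a listed value is a candidate for review, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log quoted in the question, wrapping preserved.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\scagent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\aemrz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://aemrz.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= res://C:\WINDOWS\aemrz.dll/sp.html#96676
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
"""

# A HijackThis entry starts with a section code such as "R0 - " or "O4 - ".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# R0/R1 entries have the shape "<code> - <hive>\<key>,<value name> = <data>".
R_ENTRY = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?)\s*=\s*(.*)$")
# res://<module>/<resource>; the module is a bare file name or a full path.
RES_URL = re.compile(r"^res://([^/]+)/", re.IGNORECASE)


def unwrap_entries(log_text):
    """Rejoin entries that were split across lines when the log was pasted."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            # Not a new entry: continuation of the previous one.
            entries[-1] += " " + line
        # Lines before the first entry (header, process list) are skipped.
    return entries


def res_pointers(entries):
    """Map module file name -> [(hive, value name)] for res:// IE settings."""
    by_module = defaultdict(list)
    for entry in entries:
        m = R_ENTRY.match(entry)
        if not m:
            continue
        hive, _key, value_name, data = m.groups()
        url = RES_URL.match(data)
        if url:
            # Normalise "C:\WINDOWS\aemrz.dll" and "aemrz.dll" to one name.
            module = url.group(1).rsplit("\\", 1)[-1].lower()
            by_module[module].append((hive, value_name))
    return dict(by_module)


if __name__ == "__main__":
    for module, values in res_pointers(unwrap_entries(SAMPLE_LOG)).items():
        print(module)
        for hive, value_name in values:
            print(f"  {hive}  {value_name}")
```

Run against the full log, the same grouping shows whether the values are set under both HKCU and HKLM, which is worth knowing before any single value is edited by hand.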

Comments  
Subject: Re: IE highjacked by res://aemrz.dll/index.html#96676
From: athena4-ga on 27 Jul 2004 17:10 PDT
 
gabrielsailing-ga:

C:\WINDOWS\system32\scagent.exe appears to be the culprit in your case.

See

http://www.webuser.co.uk/cgi-bin/forums/showflat.pl?Cat=&Board=security&Number=78262&page=10&view=collapsed&sb=5&o=93&part=

for help (all of the URL on one line, without spaces or %20 in the middle)

Some useful additional information is at
http://forums.spywareinfo.com/index.php?showtopic=10469&st=15
(Posting at Jul 4 2004, 11:54 PM by aktee67)

and at
http://forums.techguy.org/archive/index.php/t-248975.html

Let us know if the first site solved your problem.
Subject: Re: IE highjacked by res://aemrz.dll/index.html#96676
From: athena4-ga on 27 Jul 2004 17:14 PDT
 
Additional advice:

Since IE has several unfixed vulnerabilities, consider using an
alternate browser like Firefox  ( http://www.mozilla.org/ ) at least
for untrusted sites.  [If any site wants to install any extensions
you didn't request, cancel (may require cancelling 2-3-4 times in case
of some sites)].
Subject: Re: IE highjacked by res://aemrz.dll/index.html#96676
From: wsanders-ga on 29 Jul 2004 12:05 PDT
 
You don't mention if you have tried resetting your home page via the
Tools -> Internet Options menu. If you are not currently infested,
it's possible the virus checkers simply do not reset the home page for
you as part of the removal process.
