1 Copper

IE homepage hijacked by http://www.geocities.com/PEROCAIRO/

My work PC is running IE 6 on Windows XP 2002 (SP3).

Yesterday my IE homepage was hijacked by a Geocities URL. Whenever I try to reset it to default it just goes back to the Geocities page.

I've run malware/spyware scans through updated versions of Windows Defender, McAfee VirusScan Enterprise Workstation 8.5 and HiJackThis. None of these programs have been able to detect what is causing the homepage to be locked.

Furthermore, my MS Outlook and server access has been compromised. I'm unable to access work emails.

Any ideas?

0 Kudos
1 Reply
1 Copper

Re: IE homepage hijacked by http://www.geocities.com/PEROCAIRO/


IE homepage hijacked by http://www.geocities.com/PEROCAIRO

Default home page was changed to "www.geocities.com/perocairo". 

If the user switches back to their own start page, the virus changes it back again.



Follow the method for manual removal:

1- Terminate the process "WScript.exe" in Windows Task Manager

2- In the registry editor, search for "VirusRemoval_Pero.vbs"

   Remove everything the search finds; the most important entry, in addition, is at

   HKEY_Local_Machine\Software\winnt\CurrentVersion\Winlogon\userinit

3- Change the HKEY_Local_Machine\Software\winnt\CurrentVersion\Winlogon\userinit

   key: remove C:\WINNT\System32\WScript.exe C:\WINNT\System32\VirusRemoval_PERO.vbs.

   Keep just the normal C:\WINNT\System32\Userinit.exe.

4- Change the code HKEY_Current_User\Software\Microsoft\Internet Explorer\Main Next

   Home back to your start page, i.e. http://www.microsoft.com

5- Restart the computer


Additional information

WScript.exe is based on the Windows Scripting Host, which lets scripts run directly in Windows.

WSH (Windows Script Host) supports the use of scripts written in Microsoft Visual Basic Scripting Edition (VBScript) or JavaScript.

When you start a script, the script host reads the specified script file and sends its contents to the registered script engine.

But it also offers script viruses a platform to run on; the virus cannot run without WSH.

Reference documents: http://support.microsoft.com/kb/232211/zh-cn

0 Kudos
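The two registry checks from the removal steps above can be run against a `.reg` export instead of by hand. This is an added example, not part of either post; it assumes the standard Windows key paths for the Userinit and Start Page values (the reply writes them differently), and the sample export and the function names are constructed for illustration.

```python
import re

# Assumption: standard Windows locations of the two values the removal steps edit.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # REG_SZ values only; undo the .reg escaping of \ and "
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def audit(text, expected_home):
    """Return (finding, value) pairs for the Userinit and Start Page values."""
    keys, findings = parse_reg(text), []
    userinit = keys.get(WINLOGON.lower(), {}).get("userinit", "")
    # Userinit is a comma-separated list of commands Winlogon runs at logon.
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        exe = entry.lower()
        if any(host in exe for host in SCRIPT_HOSTS):
            findings.append(("userinit-script-host", entry))
        elif not exe.endswith("\\userinit.exe"):
            findings.append(("userinit-extra-entry", entry))
    home = keys.get(IE_MAIN.lower(), {}).get("start page")
    if home is not None and home.rstrip("/").lower() != expected_home.rstrip("/").lower():
        findings.append(("start-page-changed", home))
    return findings

# Constructed sample export of an affected machine (not captured data).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\System32\\userinit.exe,C:\\WINNT\\System32\\WScript.exe C:\\WINNT\\System32\\VirusRemoval_PERO.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.geocities.com/PEROCAIRO/"
'''

if __name__ == "__main__":
    for kind, value in audit(SAMPLE, "http://www.microsoft.com"):
        print(f"{kind}: {value}")
```

An empty result after cleanup and a reboot means both values are back to their expected state; any `userinit-*` finding means a command other than userinit.exe still runs at logon.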