Internet Explorer 7 Strange Behaviour

[TmC]

Hi everybody and welcome back from holidays

Today i have a problem with Internet Explorer 7(please don't tell me to drop it and go Firefox).
A best friend of mine installed it(actually a slightly modded version done by his ISP with IEAK) and everytime he starts it, he keeps getting this page (http://go.microsoft.com/fwlink/?LinkId=74005) that leads to the internet explorer first time configuration (Search Provider/Clear Type/Language/Anonymous Statistics).

He then saves them and when he closes the browser and starts it back again, he keeps always getting that page, no matter what the home page is.

No javascript errors at all, everything seems ok, but seems like IE is not able to save the settings and just keeps asking user input everytime.

I did a rapid google search but no lunk, the search seems to point nowhere, noone else had this problem (strange?).

Before attaching a debugger and trying to figure out what the problem is, I wanted to share this problem with you, maybe we can come up with a solution.

Thanks to everybody

[JMI]

Has he updated IE7? The current version on WindowsXP is 7.0.5703.11.

My version is not modded and I've had absolutely no problem with it.

I saw someone reported the identical problem here, but no reply with a solution:

http://www.ureader.com/message/4056493.aspx

and here:

http://help.lockergnome.com/windows2/Issues-IEAK-ftopict483369.html

But see this page:

http://www.chcs.com/knowledgebase/article.cfm?aId=143

Here's something showing where M$ keeps the links for this process:

http://boards.cexx.org/index.php?topic=16501.msg67883

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

This particular report was about a Firewall problem and fixed with Hijack This.

CHECK THIS ONE FIRST!

Here's an apparent solution from the Systernals Forum:

http://forum.sysinternals.com/forum_posts.asp?TID=8576&PN=1

The search criteria I used was: fwlink/?LinkId=74005

Regards,

First time configuration should be done completely then everything will be OK.

[ahmadmansoor]

dear freind :
First step for this time is to download this program Hijackv1.99.1 form this site :
http://www.thespykiller.co.uk/files/HJTsetup.exe
Now :
-Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
-copy the entire contents of the log.
then replay the log in your next reply.

the second is
i will send the solution to u and i think i have the solution but i must be sure from somethings...

[ahmadmansoor]

Please read this post completely
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop
ths link is : http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Boot into Safe Mode ........Open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please save the content of this report on your desktop.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Please download ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
_____________________________________
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
_______________________________________
Download the trial version of Ewido Security Suite Here.
http://www.ewido.net/en/download/
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.
Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.
Boot into Safe Mode:
Scan with Ewido as follows:

1. Click on "Scanner" and choose "Settings".
2. Under the bottom section "What to Scan?" make sure "Scan every file" is selected.
3. Select "OK" and you will return to scanning options.
4. On the main screen click on "Complete System Scan" to start the scan.
5. While the scan is in progress, you will be prompted to clean the first infected file if finds. Put a check next to "Perform action on all infections" in the lower left corner.
6. Then choose "Clean" and click "OK".
7. When the scan has completed, Ewido will create a report.txt file.
8. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.
9. Exit Ewido when done.

Note: DO NOT USE the computer while Ewido is scanning. If Explorer or the Control Panel are opened some malware types will reinfect your system or will not be cleaned properly.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

Restart back into Windows normally now.
______________________________________
Please go HERE to run Panda's ActiveScan
http://www.pandasecurity.com/homeusers/solutions/activescan/?
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the Ewido and ActiveScan reports. Also the C:\rapport.txt