Status
Not open for further replies.
3 Posts
Discussion Starter #1
Hi All,
My IE got a weird problem recently: every time I restarted my computer, my IE homepage was changed to www.searchtv.com, no matter how many times I changed it back to another homepage.
I scanned the computer and no virus was found. I searched in RegEdit and didn't find searchtv there.
Has my computer been attacked...?
Thanks in advance!
 

139 Posts
Did you add some hardware to your PC recently? Did you visit a website that has to do with computer hardware or software? A lot of apps, hardware, or websites deposit controls to redirect your browser or homepage to a certain website.

Try something like Adware, Spybot, or PestControl to help get rid of whatever it is.
 

139 Posts
Did you add some hardware to your PC recently? Did you visit a website that has to do with computer hardware or software? A lot of apps, hardware, or websites deposit controls to redirect your browser or homepage to a certain website.

Try emptying out your temporary Internet files first. If that doesn't work, try something like Adware, Spybot, or PestControl to help get rid of whatever it is.
 

3 Posts
Discussion Starter #5
Here's the logfile from HijackThis.
What lines should I remove?

Logfile of HijackThis v1.97.3
Scan saved at 11:19:00 AM, on 10/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AVerTV2K\QuickTV.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\mgabg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV2K\QuickTV.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.5818171296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
O17 - HKLM\System\CS3\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
 

5,955 Posts
O4 - Global Startup: MSupdater.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
O17 - HKLM\System\CS3\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu

I take it that you are using the U of Minnesota system as your ISP. The reason that I ask is because several university systems have been compromised in the past, and if you are not using the U of M system, all of the O17 entries would have to go.

Otherwise, the O4 entry is the Searchbot Trojan.

Open a HJT log, check that entry to be fixed, then, with all browser and Explorer windows closed, tell HJT to fix it. Reboot.

Post one more log so we can make sure it's gone, and you'll be good to go.
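The two checks made in this reply, as an added triage script that is not part of the thread or of HijackThis: flag an O4 Global Startup entry that is a bare executable with no shortcut target (as with MSupdater.exe), and flag O17 NameServer or SearchList values that fall outside an assumed ISP allowlist. The allowlist below is assumed from the U of M values in the posted log, and the sample lines are copied from that log.

```python
import re

# Constructed sample: O4 and O17 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MSupdater.exe
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV2K\QuickTV.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
"""

# Assumed allowlist: the resolvers and search domains the user's ISP (U of M here) is expected to set.
# Anything else in an O17 line is a candidate DNS hijack and deserves a look.
EXPECTED_NAMESERVERS = {"128.101.101.101", "134.84.84.84"}
EXPECTED_SEARCH_DOMAINS = {"umn.edu", "tc.umn.edu"}

# "Name.lnk = target" is the normal shape; a bare "Name.exe" has no shortcut and was dropped
# straight into the startup folder, which is how the MSupdater.exe entry above appears.
O4_GLOBAL = re.compile(r"^O4 - Global Startup: (?P<name>.+?)(?: = (?P<target>.+))?$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<setting>NameServer|SearchList) = (?P<value>.+)$")


def triage(log_text):
    """Return a list of (log line, reason) pairs for entries that need a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_GLOBAL.match(line)
        if m:
            if m.group("target") is None:
                findings.append((line, "global startup item with no shortcut target: "
                                       f"{m.group('name')} runs directly from the startup folder"))
            continue
        m = O17_RE.match(line)
        if m:
            values = {v.strip() for v in m.group("value").split(",")}
            expected = EXPECTED_NAMESERVERS if m.group("setting") == "NameServer" else EXPECTED_SEARCH_DOMAINS
            unknown = values - expected
            if unknown:
                findings.append((line, f"{m.group('setting')} not in ISP allowlist: {sorted(unknown)}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the posted log only the MSupdater.exe line is reported, matching the reply; if the resolver list ever changes to an address outside the allowlist, the O17 line is reported with the unexpected values.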
 

3 Posts
Discussion Starter #7
Thanks for the reply!

The problem was fixed by scanning with Symantec AntiVirus (1 virus was found), Ad-aware 6.0 and Spybot.

Here's the new log:

Logfile of HijackThis v1.97.3
Scan saved at 2:38:32 PM, on 10/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AVerTV2K\QuickTV.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\mgabg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV2K\QuickTV.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.5818171296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu
O17 - HKLM\System\CS3\Services\Tcpip\..\{20B15EC5-8346-44AD-BFCB-2C946987CA64}: NameServer = 128.101.101.101,134.84.84.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = umn.edu,tc.umn.edu