
IE Start Page Problem 2


Brode

IS-IT--Management
Nov 22, 2002
For no reason that I can think of, IE 6 has been "compromised" so that no matter what Start Page I set, as soon as I reboot the Start Page becomes a site I've never knowingly been to. It seems to be connected somehow to the "about:blank" option. That is, upon rebooting the Start Page gets set to "about:blank", and "about:blank" has been made to refer to luckysearch.net.

Anyone know what I have to do to get rid of this thing? Thanks,

Brode
 
Shut down all browser windows - run hijackthis and tick to fix :-

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 65.77.82.162 pichunter.com
O1 - Hosts: 65.77.82.162 pussyslot.com
O1 - Hosts: 65.77.82.162 sexocean.com
O1 - Hosts: 65.77.82.162 worldsex.com
O1 - Hosts: 65.77.82.162 pinkworld.com

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

------
Do you know what this is ?

O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe

or this ?

O4 - HKCU\..\Run: [removed] C:\windows\removed.exe

I believe this to be spyware - but there is very little information on it.

I would at least stop these 2 from loading at startup

possibly rename (removed.exe) to removed.old and consider deleting it if no ill effects are found.
-----
C:\WINDOWS\System32\svcinit.exe

This is a keylogger


Definitely delete svcinit.exe

reboot and do a search for it, also for svcinit.bak

steam
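A defender-side triage of the HijackThis sections steam walks through above (O1 hosts redirects, an orphaned O2 BHO, O4 Run keys), as an added example that is not from this thread or from HijackThis itself. The sample log lines are constructed from the entries quoted here, and the rule that flags O4 entries loading straight from C:\WINDOWS or C:\WINDOWS\system is an assumption drawn from where both loaders in this thread lived, not a general test of malice.

```python
import re
from ipaddress import ip_address

# Constructed HijackThis-style log lines modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 65.77.82.162 pichunter.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
""".strip().splitlines()

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

def run_target(rest: str) -> str:
    """Executable path from the text after [name] in an O4 line, quoted or bare."""
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split(" ", 1)[0]

def hosts_redirects(lines):
    """O1 entries that point a hostname at a non-loopback address (hosts-file hijack)."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and not ip_address(m.group(1)).is_loopback:
            hits.append((m.group(2), m.group(1)))
    return hits

def orphaned_bhos(lines):
    """O2 entries whose registered CLSID has no backing DLL, shown as '(no file)'."""
    return [m.group(2) for m in map(BHO_RE.match, lines) if m and m.group(3) == "(no file)"]

def run_entries_in_windows_root(lines):
    """O4 Run entries loading straight from the Windows folder or its legacy 'system' subfolder (assumed heuristic)."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            path = run_target(m.group(3))
            folder = path.rsplit("\\", 1)[0].lower()
            if folder in ("c:\\windows", "c:\\windows\\system"):
                hits.append((m.group(2), path))
    return hits
```

Each function returns the flagged entries so the output can be compared against a log pasted from a real machine; known-good vendor entries such as the NAV Helper BHO and ccApp.exe pass untouched.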
 
Delete it - that could be where it's loading from.

Then if you want - reboot, run hijackthis again and post another log

There were a lot of new entries in your second log, that weren't there in the first.

steam

 
Steam,

I got rid of both the removed.exe and the svcinit.exe. I have done a full scan for any file/program with svcinit; nothing was detected.

The removed.exe program was created on the day this machine got hit with the virus.

It looks like I am finally clear, as nothing is reloading and my home page is steady. I am posting my HijackThis file for the last time (knock wood); let me know if there is anything else that you find strange.

Thanks again for your help, I would not have gotten through this one without you.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay Picklyk\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Key2] C:\WINDOWS\system\serve.exe
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
Have yourself a great evening.
 
Hi

Only one thing to mention - you still have this loading at startup :-

O4 - HKCU\..\Run: [removed] C:\windows\removed.exe

It's nothing too serious - as I said in an earlier post, it's an adware downloader.

If you remove this key with hijackthis - then reboot - you should be able to delete the removed.exe file.

Apart from that your log is clean

steam
