Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hope page defaults to www.securityfeature.com


  • Please log in to reply

#1
vn_vish

vn_vish

    New Member

  • Member
  • Pip
  • 1 posts
Internet explorer home page defaults to www.securityfeature.com

IT person has tried everything.. different anti-spyware software to remove this.. No go....

I am posting the HIjackThis log below:

Logfile of HijackThis v1.99.1
Scan saved at 3:40:12 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
D:\oracle\ora92\bin\omtsreco.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\TEMP\QWF979.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Microsoft Office\Visio11\VISIO.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\as0014100\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mybeat.techmahindra.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mybeat.techmahindra.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxybt.sharda.mahindrabt.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mahindrabt.com;*techmahindra.com;*.kotakstreet.com;*.kotaksecurities.com;<local>
O1 - Hosts: 147.149.140.28 livelink.intra.bt.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hp5ADF.tmp
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://10.5.4.161:4...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://10.5.4.161:4...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://10.5.4.161:4...stall/setup.cab
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks Control) - http://vclass.mahind...ystemchecks.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://10.5.4.161:4...html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://10.5.4.161:4.../RemoveCtrl.cab
O16 - DPF: {6F6572DC-2061-4DD4-B1E9-03A0004A6A1F} (Siebel High Interactivity Framework) - http://172.24.250.86...x_HI_Client.cab
O16 - DPF: {75B3ED2C-0D4F-40E5-A313-63015A3E3C81} (Siebel Option Pack for IE 7.5.3) - http://147.149.177.3...lOptionPack.cab
O16 - DPF: {DBFF771D-3F92-4C70-9978-508738536F38} (CSConn Class) - http://147.149.177.3...ets/csagent.cab
O16 - DPF: {F72E1AA9-B8A7-420E-8AC8-FEC8798641B7} (Siebel Callcenter Communications Toolbar) - http://172.24.250.86...CTI_Toolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mahindrabt.com
O17 - HKLM\Software\..\Telephony: DomainName = mahindrabt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEB6D2F9-9B72-4E2A-AD3D-4B8A4F0DF919}: NameServer = 172.24.6.59,10.5.0.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mahindrabt.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceNIKHIL - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



Any help will be much appreciated !

Thanks,
Vish
  • 0

Advertisements


#2
BMThor

BMThor

    Visiting Staff

  • Member
  • PipPip
  • 54 posts
Hello Vish,

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Warning : running option #2 on a non infected computer in Normal Mode will remove your Desktop background.

Greetings,
BMThor
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP