Homepage changing to http://296f8.ilxt.info/index.php?aid=20009

Erzeon

My homepage keeps changing to http://296f8.ilxt.info/index.php?aid=20009 for some reason.
I have searched some websites and they say it's a trojan, I think. One of the websites told me to download a program called hijack and get the log and then post it to find out how to fix the problem. So I thought you guys might know. Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 9:17:34 PM, on 7/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SMC\SMC2802W 54 Mbps WLAN Utility\SMCUTIL.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\LifeView TVR\TVR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ahead\Nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Homework\HijackThis.exe
C:\Program Files\Registrar Lite\rl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\c5a7sbc8u44l8o.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMC2802W 54 Mbps WLAN Utility.lnk = C:\Program Files\SMC\SMC2802W 54 Mbps WLAN Utility\SMCUTIL.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16459f9b626798061505/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38167.0321527778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
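Added example (not part of the thread and not HijackThis code): a small Python triage script that parses log lines in the format above and flags the entries a responder would check first: search/start-page values pointing at an unexpected host, a BHO with no name and a machine-looking file name, a Run-key value present under both HKLM and HKCU, a Run entry that goes through regsvr32, a startup item with no path, a file name that imitates a system binary, and any Trusted Zone entry. SAMPLE_LOG holds entries copied (unwrapped) from the log above; the EXPECTED_HOSTS allow-list, the SYSTEM_BINARIES list, the 0.85 similarity threshold and the "machine-generated name" rule are assumptions chosen for illustration, not HijackThis behaviour.

```python
"""Triage a HijackThis log: parse each entry and flag the ones to check first.
Added example, not from the thread or HijackThis; SAMPLE_LOG entries are copied
from the post above, the lists and thresholds below are assumptions."""
import difflib
import re
from urllib.parse import urlparse

# Assumption: hosts a start/search page may legitimately point to on this PC.
EXPECTED_HOSTS = {"www.yahoo.com", "red.clientapps.yahoo.com",
                  "www.google.com", "www.msn.com"}
# Assumption: Windows binaries whose names get imitated (winlogin vs winlogon).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "explorer.exe", "csrss.exe", "smss.exe"}
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\c5a7sbc8u44l8o.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
"""

def executable(cmd):
    """Return (basename, has_directory) for the program a startup command runs."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: up to the first .exe
        m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower(), "\\" in path

def lookalike(name):
    """Return the system binary this file name imitates, or None."""
    for sysbin in sorted(SYSTEM_BINARIES):
        if name != sysbin and difflib.SequenceMatcher(None, name, sysbin).ratio() >= 0.85:
            return sysbin
    return None

def looks_generated(filename):
    """Long stem mixing letters with several digits, e.g. c5a7sbc8u44l8o.dll."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 10 and 3 <= digits < len(stem)

def parse_log(text):
    """Return (kind, body, line) for every 'Rn - ...' / 'On - ...' entry line."""
    matches = (ENTRY_RE.match(raw.strip()) for raw in text.splitlines())
    return [(m.group("kind"), m.group("body"), m.group(0)) for m in matches if m]

def triage(text):
    """Return {entry line: [reasons]} for every entry that trips a heuristic."""
    entries = parse_log(text)
    hives = {}   # Run-key value name -> hives it appears under (twice is odd)
    for kind, body, _ in entries:
        m = RUN_RE.match(body) if kind == "O4" else None
        if m:
            hives.setdefault(m.group("name").lower(), set()).add(m.group("hive"))
    findings = {}
    for kind, body, line in entries:
        reasons = []
        if kind in ("R0", "R1"):                 # start page / search URL values
            url = URL_RE.search(body)
            host = urlparse(url.group()).hostname if url else None
            if host and host not in EXPECTED_HOSTS:
                reasons.append(f"search/start page points to unexpected host {host}")
        elif kind in ("O2", "O3"):               # BHOs and toolbars (IE DLLs)
            if "(no name)" in body:
                reasons.append("browser extension registered without a name")
            filename = body.rsplit("\\", 1)[-1]
            if looks_generated(filename):
                reasons.append(f"file name {filename} looks machine-generated")
        elif kind == "O4":                       # Run keys and Startup folder
            m = RUN_RE.match(body)
            if m:
                name, has_dir = executable(m.group("cmd"))
                if len(hives.get(m.group("name").lower(), ())) > 1:
                    reasons.append(f"[{m.group('name')}] is registered under both HKLM and HKCU")
                if name in ("regsvr32", "rundll32"):
                    reasons.append(f"runs through {name}; check the DLL it loads")
            else:   # "Global Startup: x.lnk = C:\target.exe" or a bare file name
                name, has_dir = executable(body.split(": ", 1)[-1].split(" = ", 1)[-1])
            if not has_dir:
                reasons.append(f"{name} has no path and is found via the search order")
            twin = lookalike(name)
            if twin:
                reasons.append(f"{name} resembles the system binary {twin}")
        elif kind == "O15":                      # Trusted Zone: relaxed IE security
            reasons.append("site added to the Trusted Zone; verify it is intentional")
        if reasons:
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "\n   -> " + "\n   -> ".join(reasons))
```

Run it as a script to see the flagged entries; on this sample it leaves the Yahoo search default, the Radio toolbar, the QuickTime Run entry and the Office startup shortcut alone and flags the rest. The flags are leads for a human (or for a forum helper reading the log), not a verdict: a bare file name in a Run key is normal for some vendor tools, so that rule only says "go and check where it resolves to".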
H Leboeuf

Try this: Tools > Internet Options > Advanced > Browsing
Uncheck "Enable third-party browser extensions".

If this clears your problem then find out who the culprit(s) is/are with
these tools.

Let Ad-Aware scan your system for advertising spyware:
http://www.lavasoftusa.com

If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS
file. This now creates a "Bad hosts file entry" in the log file generated at
the end of a scan. The best thing to do is to place a check in each entry,
right-click and select: "Add selection to ignorelist". Otherwise if you let
AWW "fix" these items it will trash the HOSTS file! Even if you have it
"locked" by [example] SpywareBlaster or Winpatrol. It does not return the
attributes and renames the HOSTS file incorrectly to hosts.

and:

SpyBot-S&D
http://security.kolla.de/

P.S. Reset the third-party browser extensions setting afterwards.

More: This may be caused by a third-party program (adware, spyware,
parasite).
Get AdAware and SpyBot and run them both. Keep them up to date.
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Additional link:
http://aumha.org/a/quickfix.htm

You may need this removal tool.
More: Complete list by variant with up-to-date information.
http://www.spywareinfo.com/~merijn/cwschronicles.html
More: Removal tool: http://www.spywareinfo.com/~merijn/files/CWShredder.exe

CWShredder - Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

IMPORTANT:
Before trying to remove spyware, download a copy of LSPFix from the URL
below; some malware may kill your internet connection when it is removed, and
this program will enable you to regain your connection.
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or XP)

Important: "So how did I get infected in the first place?"
http://forums.net-integration.net/index.php?showtopic=3051
--

As for your log, I suggest you post it on one of these forums. Fixing the
registry by untrained personnel can kill your computer.

http://forums.tomcoyote.org/index.php?showforum=27
http://forums.net-integration.net/index.php?s=853f186bf90302d57a6840f00475ff6b&showforum=32
http://forums.spywareinfo.com/index.php?s=1413794b9fe306155560c99576acc3a8&showforum=11
http://www.lavasoftsupport.com/index.php?s=c0d583c0e136d2133506ec492cb6bd40&showforum=44
http://www.cybertechhelp.com/forums/forumdisplay.php?f=19
http://boards.cexx.org/viewforum.php?f=1&sid=0b5c7c42dc70e12ffe32f4a0807ff6a3
http://www.dslreports.com/forum/security,1

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm