On IE startup, the browser is hijacked to
http://www.searchmeup.cc/o/cgi-bin/index.cgi?c=4

This was part of a broader infection, the rest of which has been cleared. However, the start page remains and I cannot see anything else in the HijackThis log (below) that stands out as not belonging there.

Logfile of HijackThis v1.98.0
Scan saved at 15:36:33, on 04/08/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Net Nanny\nnsvc.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Net Nanny\nntray.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CBnClient Object - {B957F25D-F812-44c4-A23C-249CCFE0AAE0} - C:\Documents and Settings\Norman1\Application Data\msnet30.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CE2D185-EDC6-4E35-BEBB-F352F3D8E403}: NameServer = 212.42.162.1,212.42.162.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{4CE2D185-EDC6-4E35-BEBB-F352F3D8E403}: NameServer = 212.42.162.1,212.42.162.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{4CE2D185-EDC6-4E35-BEBB-F352F3D8E403}: NameServer = 212.42.162.1,212.42.162.2