
SymantecResponse Homepage Hijacker?



#1 nniebur


Posted 29 October 2010 - 02:35 PM

I have a system where the homepage seems to have been hijacked and redirects to a Symantec-response URL, but the page comes up with "connection cannot be made". I found that in Internet Options on WinXP, on the Connections tab under the LAN Settings button, the "use proxy server" box has been checked, and it wasn't before. After this happens the first time, every other time IE7 or 8 is opened it does this until the "use proxy server" box is unchecked and the homepage reset. Then all seems to work as normal. Malwarebytes updated and full scan finds nothing. Using Symantec EndPoint v11.0.6.6005.526 for antivirus, and a view of quarantine finds a couple of instances of W32.silly.trojan which indicate that they have been cleaned by deletion... I don't trust this situation. How can I tell if there is malware or a virus on this system? I know that systems don't just change their homepage or LAN settings by themselves.



#2 McGrubber


Posted 29 October 2010 - 02:47 PM

I had the same issue yesterday with a user's laptop at work. Most of the information you need to know about the virus can be found here: http://www.threatexpert.com/report.aspx?md5=ed4be72d5af50da710796024221d3d4b

I ran Malwarebytes, then deleted the infected registry keys, and then followed up with a Symantec scan. This reg key in particular is the one that was redirecting my homepage and blocking other sites.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0" - needs to be deleted; it will recreate the correct file on reboot.

Also need to change some of the values in the same hive/key: "ProxyServer"="http=127.0.0.1:50370" needs to be removed.

Hope this helps! Once I was able to find all of the files/reg keys associated, it wasn't too hard to clean up.

\\YOURMACHINE\c$\Documents and Settings\user.name\Application Data\Microsoft\

Svchost.exe = bad

\\YOURMACHINE\c$\Documents and Settings\user.name\Application Data\Microsoft\

stor.cfg = bad

\\YOURMACHINE\c$\Documents and Settings\user.name\Application Data\Microsoft\Windows

Shell.exe = bad

\\YOURMACHINE\c$\Documents and Settings\user.name\Local Settings\Temp

Dwm.exe = bad

Edited by McGrubber, 29 October 2010 - 03:04 PM.
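A check for the ProxyEnable and ProxyServer values named in post #2, as an added example that is not part of either post: it scans the text of a registry export for Internet Settings keys whose ProxyServer points back at the local machine. The sample export, the SID and the host proxy.corp.example are constructed, and the function names are this example's own.

```python
import ipaddress
import re

KEY_SUFFIX = r"\software\microsoft\windows\currentversion\internet settings"

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:50370"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="proxy.corp.example:8080"
'''

def loopback_entries(proxy_server):
    """Return the entries of a ProxyServer value that point at this machine."""
    hits = []
    for entry in filter(None, (e.strip() for e in proxy_server.split(";"))):
        target = entry.split("=", 1)[-1]       # drop an optional "http=" prefix
        target = target.split("://", 1)[-1]    # drop an optional URL scheme
        host = target.rsplit(":", 1)[0].strip("[]").lower()
        try:
            is_loop = ipaddress.ip_address(host).is_loopback
        except ValueError:                     # not an IP literal
            is_loop = host == "localhost"
        if is_loop:
            hits.append(entry)
    return hits

def audit(reg_text):
    """Return (key, ProxyEnable, loopback entries) for each flagged key."""
    findings, key, values = [], None, {}
    def flush():
        if key and key.lower().endswith(KEY_SUFFIX):
            hits = loopback_entries(values.get("proxyserver") or "")
            if hits:
                findings.append((key, values.get("proxyenable"), hits))
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()                            # close out the previous key
            key, values = line[1:-1], {}
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16) if m.group(2) else m.group(3)
    flush()
    return findings
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`. A loopback proxy is not always malicious (some local filtering tools set one), so a hit is a prompt to identify the process listening on that port.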




