Security alert! I think important.


ERROR_404
10-11-2001, 12:49 PM
Yesterday when I browsed the net I looked at many sites, and when I finished I closed and shut down the PC. When I started the PC again I found that in the registry a new key had been added in the run programs. I show the key below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"sp"="regedit -s C:\\WINUX\\sp.dll"

I tried to look for this DLL file and, to my amazement, I found this inside:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.jethomepage.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.jethomepage.com/ie/"
"Search Page"="http://www.jethomepage.com/ie/"
"Search Bar"="http://www.jethomepage.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.jethomepage.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.jethomepage.com/ie/"
"Default_Search_URL"="http://www.jethomepage.com/ie/"
"Search Bar"="http://www.jethomepage.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"

When I saw this I went to this site and visited it, to try to find the source code of the HTML document that put these files on my computer and made registry changes without authorization. I would like to ask and to receive a good answer. Please help me if you know the answer and send me a sample code of HTML that has the ability to start and modify the registry and to insert and install without prompting this SP.DLL that I found in c:\windows.
Thank you in advance.


RWSchlatter
10-11-2001, 08:33 PM
"...Please help me if you know the answer and send to me a sample code of HTML that have the ability to start and modify the Registry and to insert and install without prompting ..."

First, there is no example of HTML code in this answer.

Let me try and give an answer based on what you described:

I predict that you have set, in Internet Options > Security tab > "Internet" zone, the Security Level to "Low".

If this is true, you have opened your machine to automatic downloads of ActiveX programs without asking you to accept them. ActiveX programs (contrary to Java applets) can contain code for full access to the Windows operating system. Both the download and the execution of this program will have been scripted in the HTML of a web page.

That means you have given such an ActiveX program the possibility to create and store that sp.dll file on your machine and add the registry Run statement. I would not be surprised if the intruder had also stored a RunOnce entry to drop the ActiveX program in an attempt to remove further traces.

Of course the naming of the text file as sp.dll is simple hiding; a .reg may have been too obvious to find.

______________
Regards - Richard

ERROR_404
10-12-2001, 10:11 AM
My Internet Options security tab is set to Medium. And I don't understand how it is possible to start a script or ActiveX without prompting the user for action. I went to the web page that set this and viewed its source code. But inside the source code I found nothing that was able to start ActiveX or a script. Thanks for your reply, but your answer is not really what I want to know. Thanks.


RWSchlatter
10-12-2001, 12:48 PM
"...answer is not really what I want to know..."
Sure, you asked for the script code. But you also need the security settings in a form that lets the web page content operate your machine and not only within the browser engine.

______________
Regards - Richard

RWSchlatter
10-12-2001, 03:26 PM
From my point of view I have overlooked a rather obvious scheme:

From your wording it was clear that you were unhappy with the intrusion, and I assumed it must be something "bad", and as such it would have needed to be an unsigned ActiveX program that was downloaded.

But why not assume that this intrusion was done with a signed ActiveX program? In this case some of the security triggers will not apply. Signing an applet only guarantees that it was built by a specific author (company); it does not guarantee any specific ("good") behaviour. This offending site may have done something like this to get the search feature redirected to their site.

You also mentioned that you visited the site once more and checked the web page source code. Before you did this second visit, did you delete any cookies that may have been set by the site? They may "know" that they had patched your system already and will send different content in the future.

______________
Regards - Richard

tomo
11-09-2001, 05:03 AM
Today I have the same problem ... How did you restore the MS Search page? What are the values that should replace those "jethomepage" ones?

Thanks

Have A Nice Day
tomo :-)

reghakr
11-09-2001, 11:32 PM
Open Notepad and copy and paste the following between the lines and save the file as searchfix.reg. Double-click on the file to merge the contents into the registry.
=====================BEGIN CUT======================

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"Provider"="yaho"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
===========================END CUT=========================

If you see a SearchBar entry under [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main], delete it.

reghakr
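One way to check an exported .reg file, or the disguised sp.dll text shown in the first post, for the two things this thread describes (an autorun entry that silently merges a .reg file, and IE search settings pointing at a host other than Microsoft's). This is an added Python example, not code from the thread; the expected-host list is taken from the fix above, and the sample input is constructed to mirror the first post.

```python
"""Audit REGEDIT4 text for the IE search hijack pattern discussed in this thread."""
import re
from urllib.parse import urlparse

# Hosts the IE search settings point at after the fix posted above.
EXPECTED_SEARCH_HOSTS = {"ie.search.msn.com", "www.microsoft.com"}
SEARCH_VALUES = {"searchurl", "default_search_url", "search page", "search bar",
                 "searchassistant", "customizesearch"}
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SILENT_MERGE_RE = re.compile(r"\bregedit(\.exe)?\s+[-/]s\b", re.IGNORECASE)

# Constructed sample: a Run entry like the one in the first post plus a hijacked search page.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sp"="regedit -s C:\\WINUX\\sp.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.jethomepage.com/ie/"
"Start Page"="http://www.msn.com/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
'''


def parse_reg(text):
    """Return {key: {value_name: data}}; string data is unquoted and unescaped, other types kept raw."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries[key][name] = data
    return entries


def audit(text):
    """Return (key, value_name, reason) findings for autorun .reg merges and foreign search hosts."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            if RUN_KEY_RE.search(key) and SILENT_MERGE_RE.search(data):
                findings.append((key, name, "autorun silently merges a .reg file: " + data))
            if "Internet Explorer" in key and name.lower() in SEARCH_VALUES:
                host = urlparse(data).hostname or ""
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append((key, name, "search setting points at unexpected host " + host))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE):
        print(f"[{key}] {name!r}: {reason}")
```

The same audit can be run over `reg export HKLM\Software\Microsoft\Internet Explorer ie.reg` output to confirm the fix took; an export with only Microsoft hosts produces no findings.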

tomo
11-10-2001, 04:51 AM
Thanks REGHAKR

Oops ... you mean "provider" = "yaho" (or yahoo)?

Have A Nice Day
tomo :-)

reghakr
11-10-2001, 07:25 PM
Nope, yaho

reghakr

tomo
11-11-2001, 02:35 AM
Thanks again. Everything's OK now.

Have A Nice Day
tomo :-)

DelphiUser
01-24-2002, 04:19 PM
A "page" can also be an exe file (for example, on www.dieBahn.de search there for surf&rail and you will open, without your knowledge, the surfer.exe), and it is very easy to make an exe file modify the registry; see Delphi5 TRegistry.