#1
Hi, yesterday my browser was hijacked. It did not happen while I was on the computer, so I am not sure what website did it... I already zapped it with HijackThis!, but here are my logfiles from HijackThis!. I hope this will help...

Here is the logfile from when my computer was 100% clean of spyware:

Logfile of HijackThis v1.97.0
Scan saved at 4:35:16 PM, on 9/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.210.176.44:8888
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://mess.be, http://www.mess.be, http://www.desertcombat.com; http://desertcombat.com; http://www.galactic-conquest.net; http://galactic-conquest.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.4935763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

----------

Here are the new items that I found this morning when I did a HijackThis! scan:

Logfile of HijackThis v1.97.0
Scan saved at 10:24:20 AM, on 10/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\Apache.exe
C:\WINDOWS\system32\cisvc.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\xampp\apache\bin\Apache.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA5AC262-4CA8-4A3C-B5A5-CF035252389A}: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

-----

I'm pretty sure this was a hijack; I asked everyone in my family who has access to my computer and they said they didn't make any changes to it. I already fixed all of the items that were new, and haven't had any problems... Isn't it weird how my browser was hijacked to Google? And what was all that other stuff? Thanks, and I hope this will help SpywareBlaster in the future to detect whatever this was.
-adam
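The useful thing the poster did here was keep a known-clean HijackThis log and compare it against the later one. The following is an added example (not HijackThis code and not anything the poster ran) that automates that comparison and pulls out the part that matters in this thread: the O17 entries, which are the TCP/IP DNS settings. The sample logs are the entry lines quoted in the post above, shortened to the relevant items; the known-good resolver list is an assumption, to be replaced with the resolvers the machine is actually supposed to use.

```python
"""Diff two HijackThis logs and flag DNS-server (O17) changes.

Added example for this thread; it is not HijackThis code and not something
the poster ran. The two sample logs below are entry lines quoted in post #1,
shortened to the items that matter here. KNOWN_GOOD_NAMESERVERS is an
assumption: replace it with the resolvers the machine should be using.
"""
import re

# Entry lines taken from the 9/25/2003 "clean" scan quoted in post #1.
BASELINE_LOG = r"""
Logfile of HijackThis v1.97.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.210.176.44:8888
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# Entry lines taken from the 10/1/2003 scan quoted in post #1.
LATER_LOG = r"""
Logfile of HijackThis v1.97.0
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA5AC262-4CA8-4A3C-B5A5-CF035252389A}: NameServer = 69.57.146.14,69.57.147.175
"""

# Assumption: the resolvers this machine is supposed to use. RFC 5737
# documentation addresses stand in for the real ISP/corporate ones.
KNOWN_GOOD_NAMESERVERS = {"192.0.2.53", "192.0.2.54"}

# A HijackThis entry line is "<section> - <body>", e.g. "O17 - HKLM...: NameServer = ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
DOMAIN_RE = re.compile(r"Domain = (\S+)")


def parse_log(text):
    """Return the set of (section, body) pairs for every entry line in a log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def diff_logs(baseline, later):
    """Return (added, removed): entries that appeared / disappeared since the baseline."""
    before, after = parse_log(baseline), parse_log(later)
    return sorted(after - before), sorted(before - after)


def rogue_nameservers(log_text, known_good):
    """Return every O17 NameServer address that is not in the known-good set.

    A NameServer you do not recognise means every DNS lookup on the box is
    answered by someone else's resolver, which is exactly what this thread
    turned out to be about.
    """
    rogue = set()
    for section, body in parse_log(log_text):
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if m:
            rogue.update(ip for ip in m.group(1).split(",") if ip not in known_good)
    return sorted(rogue)


def dns_suffixes(log_text):
    """Return DNS suffixes set through O17 Domain entries. A planted suffix
    makes unqualified names resolve under a domain the attacker controls."""
    found = set()
    for section, body in parse_log(log_text):
        if section == "O17":
            m = DOMAIN_RE.search(body)
            if m:
                found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    added, removed = diff_logs(BASELINE_LOG, LATER_LOG)
    print("New entries since baseline:")
    for section, body in added:
        print(f"  {section} - {body}")
    print("Entries gone since baseline:")
    for section, body in removed:
        print(f"  {section} - {body}")
    print("Rogue DNS servers:", rogue_nameservers(LATER_LOG, KNOWN_GOOD_NAMESERVERS))
    print("DNS suffixes set:", dns_suffixes(LATER_LOG))
```

Run against the two logs from the post, the diff lists the new R0/R1 search entries and three O17 entries, and the O17 check reports 69.57.146.14 and 69.57.147.175 as resolvers that were never part of the baseline. The same approach works for any pair of scans: keep the clean log, and treat any new O17 NameServer or Domain entry as a DNS redirection until proven otherwise.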
#2
Oops, I forgot to mention that these two entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

that were in the log I showed you from when my computer was clean are completely legit, so don't worry about that. And I also forgot to say that I ran a scan with Ad-aware 6 and Spybot S&D and neither of them found anything...
#3
I am interested in the running processes. I see: C:\xampp\apache\bin\Apache.exe

Are you running a server on purpose that was not running the first time you ran the check, or is someone trying to get your computer to act as a server? Whatever the case, I would think this is a serious breach unless you are the one in the control seat. I read a little bit about it here: http://sourceforge.net/projects/xampp/ Just curious, but understand my questions and comments as coming from someone who is just a home computer user.
Brian K
#4
Hello, yes, I have those there on purpose (notice the mysqld-nt.exe too). I'm currently learning PHP. Recently I installed Apache+PHP+MySQL (using the "xampp" package) on my machine so that I can test all of my scripts locally.
#5
So could anyone please tell me what these are?
Quote:
I always thought Google were the good guys.
#6
Well, it isn't really a hijack to Google. There is a really bad new form of spyware/malware intrusion going on right now that involves changing your DNS server to a central corrupt one. See this write-up at McAfee:
http://us.mcafee.com/virusInfo/defau...virus_k=100719

It may just be me, but I really think these people are going way too far nowadays! You can fix most of that in HijackThis, but read the McAfee article carefully and keep your eyes on the security forums, as all of this is very new and solutions are just now being worked out!
#7
Hi AdamAntium,
You can have HijackThis fix all the items listed under O17. Then do a Find Files for hosts (no extension) and let me know in which locations that file is found.
Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#8
I used HijackThis and fixed all of these yesterday:
Quote:
Here are my search results: http://www.odna.net/~adam/screenshot.jpg
#9
I followed the manual instructions from the McAfee link you gave me on how to remove it. As far as I know everything is fine now. I found out exactly where I got the hijacker too: it was from a Fortune City pop-up. Are there any other steps I need to do, or am I completely clean now? Thanks,
adam
#10
Hi AdamAntium,
Looking at your screenshot, you could delete the hosts file in C:\Windows\Help, which was put there by the hijacker. If you were using a hosts file of your own before this happened (judging from the 1 KB size, you weren't), please let me know.
Regards, Pieter
#11
Yeah, I already deleted that; I followed the manual instructions on how to remove the hijacker that were in the McAfee link. I deleted C:\windows\help\hosts, I deleted C:\windows\winlog, I deleted the registry key "r0x", and I changed the value of the registry key "DataBasePath", just like the McAfee link says... Everything has been great, so I guess I'm good to go. Thanks for all the help, guys.
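The "DataBasePath" value the poster had to restore is how Windows finds the hosts file: it lives under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and normally reads %SystemRoot%\System32\drivers\etc. Repointing it at another directory (here C:\Windows\Help) lets a hijacker use its own hosts file while the real one stays untouched, which is why a plain look at the usual location shows nothing. The following is an added example, not from the McAfee write-up and not what the poster ran, that checks a DataBasePath value for exactly that and parses a hosts file for the names it overrides. The sample hosts content is constructed; the live registry read only works on Windows.

```python
r"""Check where Windows will look for the hosts file, and what a hosts file overrides.

Added example for this thread; not from the McAfee write-up and not what the
poster ran. Windows locates the hosts file via the registry value DataBasePath
under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, normally
%SystemRoot%\System32\drivers\etc. SAMPLE_HOSTS below is constructed; the
SystemRoot mapping used in the demo is an assumption for running offline.
"""
import re
import ntpath

EXPECTED_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

# Constructed sample of a hosts file that redirects lookups; not the real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.example.com
192.0.2.10      search.example.net   # comment after an entry
"""


def expand_windows_env(value, env):
    """Expand %VAR% references case-insensitively from the given mapping."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def normalise(path, env):
    """Expand variables, collapse '..' segments and lower-case so paths compare reliably."""
    return ntpath.normcase(ntpath.normpath(expand_windows_env(path, env)))


def databasepath_is_tampered(value, env):
    r"""True if DataBasePath no longer resolves to %SystemRoot%\System32\drivers\etc.

    Comparing normalised paths catches the obvious C:\WINDOWS\Help case as well
    as tricks like a '..' walk or forward slashes that still land elsewhere.
    """
    return normalise(value, env) != normalise(EXPECTED_DATABASEPATH, env)


def hosts_overrides(text):
    """Map each hostname in a hosts file to the address it is forced to,
    ignoring comments and the plain localhost line."""
    overrides = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() == "localhost" and ip in ("127.0.0.1", "::1"):
                continue
            overrides[name.lower()] = ip
    return overrides


def read_live_databasepath():
    """Read the real value from the registry; Windows only (winreg is not
    available elsewhere, so the import is kept inside the function)."""
    import winreg
    key = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _ = winreg.QueryValueEx(k, "DataBasePath")
    return value


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\WINDOWS"}  # assumption for the offline demo
    for candidate in (EXPECTED_DATABASEPATH, r"C:\WINDOWS\Help"):
        state = "tampered" if databasepath_is_tampered(candidate, env) else "ok"
        print(f"{candidate} -> {state}")
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
```

On a Windows box, feed read_live_databasepath() into databasepath_is_tampered() together with os.environ, then run hosts_overrides() over the hosts file in whatever directory DataBasePath actually points at, not only the one under System32. Any override of a name you did not add yourself is the thing to remove, alongside restoring DataBasePath, as the McAfee instructions the poster followed do.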