home page hijacked Need Help

Discussion in 'Trojan Defence Suite' started by higginb, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. higginb

    higginb Registered Member

    Jun 20, 2004
    Please help. my homepage is now constantly about:blank. Here are my hijackthis and TDS logs
    Scan Control Dumped @ 18:21:03 20-06-04
    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\discover.hta

    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\lnpg.hta

    Suspicious Filename: HTA file in suspicious location
    File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp12\a0000937.hta

    Logfile of HijackThis v1.97.7
    Scan saved at 6:28:00 PM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Online Services\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E71EC01-D3F1-4D4F-B3B8-37D34DC04AAB} - C:\WINDOWS\System32\gcp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
  2. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi there Higginb, welcome to the forum!
    I see you posted the HJT log also overhere http://www.wilderssecurity.com/showthread.php?t=37284 so let's suggest to let the HJT experts do that part of the job with you and overhere we concentrate on the HTA alerts with TDS.
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia

    Those HTA files are fine. You can ignore the detection of this HTA file, Microsoft use a lot of these now in wizards and the help system in Windows 2000/XP

    We will be revising the suspicious detection reports of HTA files for TDS-4, as this old detection is now a little too sensitive.
  4. Ice Cold

    Ice Cold Guest

    You are having the same issue I am in the R0 and R1 entries (sp.html). I have
    used CWShredder which is constantly finding CWS.Searchx on my machine. After cleaning registy and rebooting, the browser is OK the first time in but SpywareGuard reports hijack attempt on the second time in during the same session (no reboot)... and we go through the process again. Spybot reports a clean system as does Norton. I am running XP with SP1a and have installed all MS critical updates. SpywareBlaster 3.1 will install but WILL NOT RUN on my machine. Error message is "Program corrupted - reinstall". I have downloaded from 3 different sites and installed into different directories with the same result. Any ideas? I am convinced that there is a malicious dll or trojan in the registry which is causing this. Please help.
  5. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    Ice Cold,

    Actually a couple points for you... First, the automated anti-spyware tools don't yet cover all these browser hijackers. Often they don't identify all the problems and they certainly don't clean them all. That's why there are so many HijackThis logs being posted at security forums, because manual one-on-one cleaning is all that is completely effective at the moment. Hopefully in time there will be much more covered by the automated scanning and cleaning applications, but we aren't there yet.

    Secondly, many of these latest spyware infections can prevent either the installation or operation of many protection programs. SpywareBlaster is targeted by a few spyware infectors (some perhaps deliberately and some probably not intentionally, but they were just lucky :doubt: ).

    Your best bet is to do what the topic starter has done and post a HJT log in the appropriate forum section following these procedures:

    HOW TO? Read here about how to post your log!!

    HijackThis Log Posting Now Requires Member Registration
  6. Ice Cold

    Ice Cold Guest

    Problem solved. After searching other forums I found a genius who has discovered that indeed there is a hidden dll in the HKLM\Software\microsoft\windowsNT\Currentversion\windows\\AppInt_DLLs path.

    Following the instructions on how to blow away the dll resulted in SpywareBlaster 3.1 running like a charm and "cool search" no longer getting me hot and bothered.
  7. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi Ice,
    have seen that thing mentioned here as well somewhere; can you please find back the place where you found your help so our techs can have a look if they want too? Thank you soo much for this information!

    Did you mean this thread?
    In another thread at that same forum it did not help the user for some reasons.
    Here in Wilders forum i see what sounds a safer way:

    Navigate to this key next:
    Microsoft\Windows NT\CurrentVersion\Windows
    Find this value on the right panel:
    "Appint_Dlls"< RightClick and rename to:
    Close regedit, reopen it to the same key, Hilite the
    'Windows' key there,
    Export it the same way and save.

    And i see in a few places a link to the dllfix as explained step by step on Subratam's forum with screenshots.

    I do advice though do such things all step by step with the experts who have the overview over your HJT log etc. for very understandable reasons.
    Last edited: Jun 22, 2004
  8. subratam

    subratam Registered Member

    Nov 14, 2003
    Issaquah, WA
    dllfix is now pulled up by shadowwar , the developer.
    This particular infection R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html will now be done by FAL's FINDnFIX but take help as already said from "experts" only.

  9. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Was the other tool not adequate enough anymore for the current attacks?
    FAL's Fix is a beauty from what i've seen in the HJT logs but really needs very experts hands!
    I've not half an idea what is possible with it, but what i saw is very promissing.
Thread Status:
Not open for further replies.