Hijacked Homepage

Discussion in 'adware, spyware & hijack cleaning' started by Brian Wilson, Mar 20, 2004.

Thread Status:
Not open for further replies.
  1. Brian Wilson

    Brian Wilson Guest

    Hi,

    I carried out a scan using ad-aware 6.0, followed by the hijacked this scan. The problem I'm having is that my homepage keep defaulting to 'about:blank' :rolleyes: every time I log on. I continually chage my homepage to bbc but when re-booting it always reverts to about:blank.
    The result of the hijack log is below.

    Logfile of HijackThis v1.97.7
    Scan saved at 18:01:03, on 20/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\NILaunch.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\windows\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Washer\washer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brian Wilson\Local Settings\Temp\Temporary Directory 5 for hijackthis1977[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.inf/?id=54
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aifind.inf/?id=54
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\Program Files\SurfSecret\Popup Eliminator\AutoDisplay510.dll (file missing)
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Brian Wilson\Application Data\msly\mssearch.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\Program Files\SurfSecret\Popup Eliminator\PEToolBar510.dll (file missing)
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [sys] regedit /s sys.reg
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
    O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator TRIAL.exe /min
    O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.99/060011/uk/adult1/adult1.exe
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://info.httpsgateway.com/download/dialer/eu_cax.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.4848842593
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64219767-748F-4CB2-8257-36486879BB7F}: NameServer = 194.72.9.34 217.35.209.180
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

    Many thanks and hope you can help.

    Brian Wilson
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Brian,

    Could you please find C:\WINDOWS\Fonts\win.hta
    and mail it to the address in my profile?

    Next check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.inf/?id=54
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aifind.inf/?id=54
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
    O1 - Hosts: 213.159.117.235 auto.search.msn.com

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\Program Files\SurfSecret\Popup Eliminator\AutoDisplay510.dll (file missing)
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Brian Wilson\Application Data\msly\mssearch.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - (no file)

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\Program Files\SurfSecret\Popup Eliminator\PEToolBar510.dll (file missing)

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [sys] regedit /s sys.reg

    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
    O4 - HKLM\..\Run: [Syscheck] C:\WINDOWS\Fonts\win.hta

    O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe

    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install

    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.99/060011/uk/adult1/adult1.exe

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://info.httpsgateway.com/download/dialer/eu_cax.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and delete:
    C:\Program Files\MyWebSearch <= entire folder
    C:\WINDOWS\image.dll
    C:\windows\rundll32.exe <= Note: DON'T delete C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Submit <= entire folder
    sys.reg

    Regards,

    Pieter
     
  3. brianinsp

    brianinsp Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    1
    Hi Pieter,

    Many thanks, I've deleted all the items you listed and when I ran CWshredder this appear to have worked.

    When you said to reboot and delete the other four items
    C:|Program Files etc did you mean from the Hijacklist or where else will I find them, also excuse my ignorance but how do I copy the font file you asked me to copy to your profile.

    Manay thanks again

    Regards

    Brian.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Familyblack,

    Click here for a tutorial on how to mail attachments

    As example how to delete the MyWebSearch folder:
    Open explorer by doubleclicking "My Computer"
    Doubleclick the icon for the C: drive
    Doubleclick the Program Files folder
    Rightclick the MyWebSearch folder and choose delete.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.