Hijacked homepage?

Discussion in 'adware, spyware & hijack cleaning' started by mandarinkaxx, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. mandarinkaxx

    mandarinkaxx Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    3
    Hi,

    It all began with avast! antivirus alerts: it found a trojan, Win32: StartPage-006. It was not able to treat it.

    After this I downloaded Ad-Aware, Spybot, CWShredder and let them run.

    They found something and removed it. But now, even the homepage of IE is often changed to e.g. www.msn.com...

    What's more, when Spybot starts, there is always a funny message popping up: Fehler bei Einfugen von RichEdit-Zeile. ERROR.

    So, I would like to ask you for help. (I have also switched the system restore function off.) Here is my logfile:


    Logfile of HijackThis v1.97.7
    Scan saved at 23:58:20, on 3.6.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\TOMAS\software\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {686C4469-7B03-471A-BD3F-FB7C5920ACAF} - C:\WINDOWS\System32\gdh.dll (file missing)
    O2 - BHO: (no name) - {A8B6C7DE-A621-4985-A014-F1AE0CBF3397} - C:\WINDOWS\System32\khhjk.dll (file missing)
    O2 - BHO: (no name) - {BC368087-EA2C-4494-AC71-A7483EDD4D57} - C:\WINDOWS\System32\kndnca.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://alternatedownload.zeroads.com/zerospyware/landingpage/files/zsfreescan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks.

    mandarinkaxx
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello mandarinkaxx,

    The first thing I would like to point out is that your Windows XP and IE are not up-to-date. Please go to Windows Update and update all critical files.

    Next, run HJT again, check these items and then click on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    O2 - BHO: (no name) - {686C4469-7B03-471A-BD3F-FB7C5920ACAF} - C:\WINDOWS\System32\gdh.dll (file missing)
    O2 - BHO: (no name) - {A8B6C7DE-A621-4985-A014-F1AE0CBF3397} - C:\WINDOWS\System32\khhjk.dll (file missing)
    O2 - BHO: (no name) - {BC368087-EA2C-4494-AC71-A7483EDD4D57} - C:\WINDOWS\System32\kndnca.dll (file missing)

    Reboot the computer and post a new log here.
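    The reply above singles out two kinds of log lines: an R1 "Start Page_bak" entry and O2 BHO registrations whose DLL is "(file missing)", i.e. a CLSID still registered after the file itself was removed. The following Python script is an added example, not part of the thread and not code from HijackThis; it parses lines in the HijackThis v1.97 log format and applies that same triage, plus one extra heuristic the reply does not use: an O16 ActiveX download whose host is not on an allowlist. The sample lines and the `TRUSTED_DPF_HOSTS` allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis log format (a handful of lines, not the full log above).
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {686C4469-7B03-471A-BD3F-FB7C5920ACAF} - C:\WINDOWS\System32\gdh.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    r"O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://alternatedownload.zeroads.com/zerospyware/landingpage/files/zsfreescan.cab",
])

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")   # e.g. "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                  # {8-4-4-4-12} GUID
URL_RE = re.compile(r"https?://\S+")

# Constructed allowlist: hosts from which an O16 ActiveX download is considered expected.
TRUSTED_DPF_HOSTS = {"download.macromedia.com"}


@dataclass
class Entry:
    kind: str   # HijackThis section code: R0, R1, O2, O4, O16, ...
    body: str   # everything after "<kind> - "
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text):
    """Return the R*/O* entries of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"], line.strip()))
    return entries


def triage(entries, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Flag entries that match the reasoning used in the reply above, plus the O16 host check."""
    findings = []
    for e in entries:
        if e.kind == "O2" and "(file missing)" in e.body:
            # A BHO CLSID still registered although its DLL is gone: leftover of a removal.
            findings.append(Finding(e, "BHO registered but DLL missing (orphaned CLSID)"))
        elif e.kind in ("R0", "R1") and "Start Page_bak" in e.body:
            # Backup of the original start page; typically written by a start-page hijacker.
            findings.append(Finding(e, "Start Page_bak key, typically left by a hijacker"))
        elif e.kind == "O16":
            m = URL_RE.search(e.body)
            host = urlparse(m.group(0)).hostname if m else None
            if host not in trusted_hosts:
                findings.append(Finding(e, f"ActiveX download from unlisted host {host}"))
    return findings


def clsids(findings):
    """CLSIDs of the flagged entries, handy for checking the registry after a fix."""
    out = []
    for f in findings:
        m = CLSID_RE.search(f.entry.body)
        if m:
            out.append(m.group(0))
    return out


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.entry.kind}] {f.reason}\n    {f.entry.raw}")
```

Run against a real log the O2 "(file missing)" and R1 checks reproduce what the reply asks to fix; the O16 allowlist is a separate judgement call, since a vendor's own download host has to be listed before the check is meaningful.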
     
  3. mandarinkaxx

    mandarinkaxx Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    3
    Hi Taz71498,

    It took a little while to download and install all the updates.

    Here is my HijackThis log after fixing the recommended items and rebooting the system:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:51:19, on 6.6.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    D:\TOMAS\software\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://alternatedownload.zeroads.com/zerospyware/landingpage/files/zsfreescan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks.

    mandarinkaxx
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  5. mandarinkaxx

    mandarinkaxx Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    3
    Hi Pieter,

    thank you for your advice. I do not know why SpyKiller is still shown in HijackThis. It should be uninstalled and I cannot find it.

    I use Java 2 Runtime Environment, SE 1.4.2_04. Is it OK or should I switch to something else?

    Although the log file looks good, the previous problems seem to come back and some of them still remain:

    - the already mentioned funny message when Spybot starts
    - an error message after installation of Spyware Blaster (and also Spyware Guard) saying something about a bad sector or a virus...

    It looks like the trojan StartPage is hidden somewhere in the system, because it has become a rule: when avast! shouts that it has found a trojan, I find spyware on my computer and most of it is from CWS... After removing all the crap it changes my home page...

    I tried Trojan Remover but I received the same message as in the case of Spyware Blaster...

    Then I tried Trojan Hunter but it found just Savno.100 (it removed it).

    Finally, I followed the instructions by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.html (removed all the infected files in safe mode, but I did not find any of the key entries to delete as it was recommended).

    But just few minutes ago, there was another avast! warning...

    Can you, please, help me?

    mandarinkaxx

    P.S. I am going to install Kerio Firewall, but I think, since the trojan is (in my opinion) in the system, it won't help in this case, but it may prevent other attacks.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Let's find out. Download http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install it in a folder of your choice on the root drive, in your case C:\

    Run start.bat and press option 1. 'output.txt' will be created in the folder.

    Please post that report.

    Regards,

    Pieter
     