Spywareblaster missed a browser hijack

Discussion in 'SpywareBlaster & Other Forum' started by adamantium, Oct 1, 2003.

Thread Status:
Not open for further replies.
  1. adamantium

    adamantium Guest

    Hi, yesterday my browser was hijacked. It did not happen when I was on the computer, so I am not sure what website did it... I already zapped it with HijackThis!, but here are my logfiles from HijackThis!. I hope this will help...

    Here is the logfile of when my computer was 100% clean of spyware:

    Logfile of HijackThis v1.97.0
    Scan saved at 4:35:16 PM, on 9/25/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijackthis!\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.210.176.44:8888
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://mess.be, http://www.mess.be, http://www.desertcombat.com; http://desertcombat.com; http://www.galactic-conquest.net; http://galactic-conquest.net
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.4935763889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ----------

    Here are the new items that I found this morning when I did a HijackThis! scan:

    Logfile of HijackThis v1.97.0
    Scan saved at 10:24:20 AM, on 10/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\xampp\apache\bin\Apache.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\xampp\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\xampp\apache\bin\Apache.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijackthis!\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CA5AC262-4CA8-4A3C-B5A5-CF035252389A}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    -----

    I'm pretty sure this was a hijack; I asked everyone in my family who has access to my computer and they said they didn't make any changes to it. I already fixed all of the items that were new, and haven't had any problems... Isn't it weird how my browser was hijacked to Google? :doubt: And what was all that other stuff? o_O

    Thanks, and I hope this will help out SpywareBlaster in the future to detect whatever this was...

    -adam
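    The comparison adam did by hand above (clean log against the new one, then asking what the O17 lines mean) can be scripted. This is an added example for this thread, not a feature of HijackThis or SpywareBlaster; it diffs two log excerpts constructed from the logs quoted in the first post and labels new O17 NameServer/Domain and R1 proxy/search entries as the high-risk classes.

```python
"""Diff two HijackThis logs and flag the entries a DNS/proxy hijacker touches.
Added example for this thread; not a HijackThis or SpywareBlaster feature."""
import re
# A HijackThis entry line starts with its section code (R0, R1, O2, O17, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Entry classes that redirect name resolution or proxying for the whole machine.
HIGH_RISK = {"O17": "DNS NameServer/Domain change", "R1": "proxy/search page change"}

# Two short excerpts constructed from the logs quoted in the first post.
CLEAN_LOG = r"""Logfile of HijackThis v1.97.0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""
NEW_LOG = r"""Logfile of HijackThis v1.97.0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
"""

def parse_entries(log_text):
    """Return the set of (code, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries

def new_entries(baseline_text, current_text):
    """Entries in the current log that the known-clean baseline did not have."""
    return sorted(parse_entries(current_text) - parse_entries(baseline_text))

def nameservers(log_text):
    """Every DNS server address set by an O17 NameServer entry, deduplicated."""
    found = set()
    for code, body in parse_entries(log_text):
        if code == "O17" and "NameServer = " in body:
            found.update(body.split("NameServer = ", 1)[1].split(","))
    return sorted(found)

def triage(baseline_text, current_text):
    """Pair each new entry with a note; O17 and R1 get the high-risk label."""
    return [(code, body, HIGH_RISK.get(code, "review manually"))
            for code, body in new_entries(baseline_text, current_text)]

if __name__ == "__main__":
    for code, body, note in triage(CLEAN_LOG, NEW_LOG):
        print(f"[{note}] {code} - {body}")
    print("DNS servers now configured:", nameservers(NEW_LOG))
```

    Compare the NameServer addresses it reports against the ones your ISP or router actually hands out; any address you did not configure is the DNS redirection LowWaterMark describes further down.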
     
  2. adamantium

    adamantium Guest

    Oops, I forgot to mention that these two entries:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    that were in the log I showed you of when my computer was clean are completely legit, so don't worry about that.

    And also I forgot to say that I ran a scan with Ad-aware 6 and Spybot S&D and neither of them found anything...
     
  3. Brian K

    Brian K Guest

    I am interested in the running processes. I see: C:\xampp\apache\bin\Apache.exe

    Are you running a server on purpose that was not running the first time you ran the check, or is someone trying to get your computer to act as a server? Whatever the case, I would think this is a serious breach unless you are the one in the control seat.

    I read a little bit about it here:
    http://sourceforge.net/projects/xampp/

    Just curious, but understand my questions and comments as coming from someone that is just a home computer user.
    Brian K
     
  4. AdamAntium

    AdamAntium Registered Member

    Joined:
    Oct 1, 2003
    Posts:
    7
    Hello, yes, I have those there on purpose (notice the mysqld-nt.exe too). I'm currently learning PHP. Recently I installed Apache+PHP+MySQL (using the "xampp" package) on my machine so that I can test all of my scripts locally.
     
  5. AdamAntium

    AdamAntium Registered Member

    Joined:
    Oct 1, 2003
    Posts:
    7
    So could anyone please tell me what these are? o_O
    And why I was hijacked to Google? o_O I always thought Google were the good guys :mad:
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Well, it isn't really a hijack to Google. There is a really bad new form of spyware / malware intrusion going on right now that involves changing your DNS server to a central corrupt one. See this write up at McAfee:

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719

    It may just be me, but I really think these people are going way too far nowadays!


    You can fix most of that in HijackThis, but read the McAfee article carefully and keep your eyes on the security forums as all of this is very new and solutions are just now being worked out!
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi AdamAntium,

    You can have HijackThis Fix all the items listed under O17.
    Then do a Find Files for hosts (no extension) and let me know in which locations that file is found.

    Regards,

    Pieter
     
  8. AdamAntium

    AdamAntium Registered Member

    Joined:
    Oct 1, 2003
    Posts:
    7
    I used HijackThis and fixed all of these yesterday.
    Here are my search results:
    http://www.odna.net/~adam/screenshot.jpg
     
  9. AdamAntium

    AdamAntium Registered Member

    Joined:
    Oct 1, 2003
    Posts:
    7
    I followed the manual instructions from the McAfee link you gave me on how to remove it. As far as I know everything is fine now. I found out exactly where I got the hijacker too: it was from a Fortune City popup. Are there any other steps I need to do, or am I completely clean now? Thanks,

    adam
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi AdamAntium,

    Looking at your screenshot, you could delete the hosts file in C:\Windows\Help which was put there by the hijacker.
    If you were using a hosts file of your own before this happened (judging from the 1 kb size, you weren't) please let me know.

    Regards,

    Pieter
     
  11. AdamAntium

    AdamAntium Registered Member

    Joined:
    Oct 1, 2003
    Posts:
    7
    Yeah, I already deleted that; I followed the manual instructions on how to remove the hijacker that was in the McAfee link. I deleted C:\windows\help\hosts and I deleted C:\windows\winlog and I deleted the registry key "r0x" and I changed the value of the registry key "DataBasePath" just like the McAfee link says... Everything has been great, so I guess I'm good to go. Thanks for all the help guys.
     