Searchportal.info has hijacked home page



#1 FiliusLunae


Posted 01 July 2004 - 02:28 AM

Hello. This is a great board, and I want to thank everyone who reads this ahead of time. :)

A close friend of mine has recently gotten this CWS trojan. I ran HijackThis, Shredder and AdAware on his computer already. Shredder did indeed find the CWS trojan and deleted it. I also ran AdAware and it found some files which were put in quarantine/deleted. With this done, some of the symptoms have disappeared. For instance, Internet Explorer stalled very much every time one attempted to go to a different site; the history file, which used to get filled with URLs to porn pages, remains as it should; and some icons that led to more porn sites that appeared over and over again on the desktop don't anymore. I ran Shredder again and it doesn't detect anything anymore. I ran AdAware again and it found five more CWS files, which were deleted as well. However, the homepage is still hijacked by Searchportal.info. If I try to change it through IE, it'll sometimes freeze, or if I'm able to change it, it will revert to Searchportal.info after a few reloads. The same occurs if I change it through the registry. I have tried as well to fix the first line reading "Searchportal.info" in HijackThis. This does get fixed, but the problem comes back after I restart IE. Another important thing, the Windows Media Player has been taken over by the same trojan. WMP will not open; instead, its icon has been replaced by an X-type one, and if clicked on, will open a casino site. This happened to my friend after some people used his computer who surely visited some 'improper' sites, as we found out through the history file. At the beginning, also, there was an "xxxtoolbar" reference (no actual toolbar), but it seems that it's not there anymore. I have read about this "xxxtoolbar" on some of the help files. Also, I did run WindowsUpdate and installed all the updates listed.
In conclusion, I have tried some of the methods recommended to get rid of this, and some things have gone away, though the homepage hijacking still remains.
I leave here a HijackThis log file from my friend's computer.
Thank you very much for your attention; any help will be greatly appreciated. :cool:

Logfile of HijackThis v1.97.7
Scan saved at 4:17:45 PM, on 6/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\INETSRV\SERVICES.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SYSTEM.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\WINDOWS\SYSTEM\NDRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\UTILITIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\INETSRV\SERVICES.EXE
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD-1.DLL
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\SYSTEM\NDRV.DLL
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETSRV\SERVICES.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETSRV\SERVICES.EXE
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\SYSTEM.EXE
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
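
Added example, not part of the original thread: the symptom in post #1 (the start page coming back after being fixed) is consistent with a program that runs at startup re-applying it, so this Python sketch parses HijackThis lines and lists executables registered under more than one autostart location (F1 win.ini and O4 Run keys), noting whether each was running at scan time. The sample lines are copied from the log above; the function names and the "more than one location" heuristic are assumptions for illustration, and a hit means "review this entry", not a verdict.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\INETSRV\SERVICES.EXE
C:\WINDOWS\SYSTEM\SYSTEM.EXE
C:\WINDOWS\TASKMON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info/
F1 - win.ini: run=C:\WINDOWS\INETSRV\SERVICES.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETSRV\SERVICES.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETSRV\SERVICES.EXE
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\SYSTEM.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")            # "O4 - <body>"
F1 = re.compile(r"^win\.ini: ((?:run|load)=)(\S+)")   # win.ini autoload
O4 = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run\w*): \[(.*?)\] (\S+)")  # Run keys

def parse(log):
    """Return (set of running process paths, list of (code, body) entries)."""
    running, entries, in_procs = set(), [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(line.upper())
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return running, entries

def autostart_sources(entries):
    """Map each autostart target (upper-cased first token) to where it is registered."""
    by_target = defaultdict(list)
    for code, body in entries:
        if code == "F1" and (m := F1.match(body)):
            by_target[m.group(2).upper()].append("win.ini " + m.group(1))
        elif code == "O4" and (m := O4.match(body)):
            by_target[m.group(3).upper()].append(f"{m.group(1)} [{m.group(2)}]")
    return by_target

def review_candidates(log):
    """Targets registered in 2+ autostart locations -> (sources, running at scan)."""
    running, entries = parse(log)
    return {t: (s, t in running)
            for t, s in autostart_sources(entries).items() if len(s) > 1}

if __name__ == "__main__":
    for target, (sources, is_running) in review_candidates(SAMPLE_LOG).items():
        print(target, "running" if is_running else "not running", sources)
```

Only registry Run entries and win.ini lines are handled; Startup-folder shortcuts and paths containing spaces would need extra parsing.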

#2 FiliusLunae


Posted 01 July 2004 - 08:56 PM

^_^
Does anyone have any guidance as to what steps to follow next?
Thank you.



