Jump to content


Photo

Need Help with Hijacked Homepage


  • This topic is locked This topic is locked
6 replies to this topic

#1 RC211

RC211

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 May 2004 - 07:36 PM

Hello everyone, my homepage has recently been hijacked. I have ran ad-aware 6.0, spybot search-destroy, cwshredder and hijackthis. None of them has worked. I have been able to fix previous hijackings, but this one doesn't want to go away. The problem with this one is that after I run hijackthis, I click fix on the ones I know are not supposed to be there and hijackthis deletes it, but then I run hijackthis right after again, and the ones that I just fixed is back again. Here is my log from Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 5:04:10 PM, on 5/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\valve\steam\steam.exe
C:\WINDOWS\system32\deinst_qfe002.exe
C:\WINDOWS\System32\winttr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\x0r\svshost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tommy\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mssys.exe /u
O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\winttr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8112.0291550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


I checked the ones below to be fixed but it keeps coming back instantly as soon as I run hijackthis again back to back.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php


This has been giving me a headache all morning, any suggestions on how to fix this is appreciated. My only other option is to reformat, but something I don't really want to do. Thanxs for reading my problem.

#2 RC211

RC211

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 May 2004 - 07:17 AM

bump

#3 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 May 2004 - 07:44 AM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mssys.exe /u
O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\winttr.exe

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

C:\WINDOWS\mssys.exe
C:\WINDOWS\System32\x0r\ <-- folder
C:\WINDOWS\system32\deinst_qfe002.exe
C:\WINDOWS\System32\winttr.exe

Reboot back into normal mode, rescan with HJT and post a new log here for a final check over.
Posted Image

#4 RC211

RC211

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 May 2004 - 06:15 PM

Daemon, I did as you instructed, but my homepage is still hijacked, I have ran a new scan with Hijackthis and this is the new result:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\recover.exe
C:\Program Files\Messenger\msmsgs.exe
C:\valve\steam\steam.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tommy\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [mmsys] C:\recover.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8112.0291550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I ran ad-aware scan after I followed your steps, and the scans came up clean for the first time. But my IE homepage is a different story. I ran cwshedder and it also came up clean, but yet my homepage is still hijacked. How should I proceed now? Thanxs for your time.

#5 hnlk808

hnlk808

    Member

  • New Member
  • Pip
  • 2 posts

Posted 23 May 2004 - 07:28 PM

I'm not sure how a typical hijacker works, but the cashsearch.biz is added to the registry by the process "explorer.exe". ie, when you open My Computer, My Documents, etc, explorer.exe will change the R0/R1 to cashsearch. Any suggestion?

#6 hnlk808

hnlk808

    Member

  • New Member
  • Pip
  • 2 posts

Posted 23 May 2004 - 08:27 PM

RC211, I have the same problem but the default homepage is hijacked to cashsearch.biz. By doing some virus scanning I found that I got a virus called Trojan.Startpage. By getting rid of the virus and deleting [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"
(http://www.spywarein...0&hl=cashsearch)
everything's fine. Hope this help.

After removing the virus everything's fine.

#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 24 May 2004 - 11:33 AM

Please post a startuplist log. Open HJT>Config>Misc Tools, check the two boxes under the button.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button