
Home page hijacked......HELP PLS!!!!


6 replies to this topic

#1 gelindo

gelindo

    Member

  • New Member
  • Pip
  • 3 posts

Posted 31 May 2004 - 08:44 AM

I am using Win2k and MSIE 5.0. My Homepage gets changed to 213.159.117.132. I have read the FAQ but no help. I have used Spybot, Spysweeper and Spyware Blaster till now. I've already used CWShredder (late release). None of them has helped. Can someone please help me?
Waiting for any solution,
Thanks,
Gelindo.

My hijack this log file is listed below :

Logfile of HijackThis v1.97.7
Scan saved at 20.08.17, on 30/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Norton Personal Firewall\NISUM.EXE
C:\Programmi\Norton Personal Firewall\ccPxySvc.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\SymTray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programmi\Trust\Ami Mouse 300 Optical Dual Scroll\Amoumain.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Programmi\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RunDll32.exe
C:\Programmi\File comuni\Roxio Shared\Project Selector\projselector.exe
C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Documents and Settings\riccardo1\Documenti\My eBooks\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Fastweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programmi\Trust\Ami Mouse 300 Optical Dual Scroll\Amoumain.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [CTDVDDet] C:\Programmi\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmi\File comuni\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [projselector] "C:\Programmi\File comuni\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\System32\E_S7.tmp"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Documents and Settings\riccardo1\Documenti\My eBooks\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: Translator (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mid: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fastweb.it
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.1....chm::/load.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteit...plugins/ncs.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
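The log above shows the two indicators a helper would look at first: the R0/R1 Internet Explorer start-page values rewritten to a bare IP address, and an O16 DPF entry whose "download" URL is an ms-its:/mhtml: chain ending in an executable rather than a plain .cab. The triage script below is an added example, not part of this thread or of HijackThis; it parses lines in the HijackThis format and flags exactly those two patterns. The sample log is constructed from the entries above, with the truncated hosts replaced by documentation placeholders.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis format (hosts on the O16 lines are placeholders).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O14 - IERESET.INF: START_PAGE_URL=http://www.fastweb.it
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://203.0.113.5/x.chm::/load.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://vendor.example/swflash.cab
"""

R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
IE_MAIN = "software\\microsoft\\internet explorer\\main"  # key suffix for start-page values

def is_ip_literal(host):
    """True when the host part of a URL is a raw IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (code, reason, line) for each suspicious R0/R1 or O16 entry."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            key, data = m.group("key").lower(), m.group("data").strip()
            # Only the IE Main key holds start/default/local page URLs.
            if key.endswith(IE_MAIN) and data.lower().startswith("http"):
                host = urlsplit(data).hostname or ""
                if is_ip_literal(host):
                    findings.append((m.group(1), "IE %s set to bare IP %s" % (m.group("value").strip(), host), line))
            continue
        m = O16_LINE.match(line)
        if m:
            url = m.group("url").strip().lower()
            # A DPF entry should be a plain .cab URL, not a ms-its:/mhtml: handler chain.
            if url.startswith(("ms-its:", "mhtml:")) or "::/" in url:
                findings.append(("O16", "DPF uses ms-its/mhtml chain instead of a .cab URL", line))
            elif not m.group("name"):
                findings.append(("O16", "DPF control with no registered friendly name", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (code, reason, line))
```

Benign entries such as the Toolbar LinksFolderName value and the O14 reset page pass through untouched, so the output is just the lines a helper would ask the poster to fix.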

#2 gelindo

gelindo

    Member

  • New Member
  • Pip
  • 3 posts

Posted 31 May 2004 - 10:40 AM

BUMP......... :scratchhead:

#3 whizzkid3

whizzkid3

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 31 May 2004 - 10:49 AM

What does "Bump" mean? I got this same problem this weekend.

#4 pbR

pbR

    Member

  • New Member
  • Pip
  • 1 posts

Posted 31 May 2004 - 11:30 AM

I have the same problem and practically the same HijackThis log file. It seems the trojan is very recent and I cannot remove it with CWShredder and other tools. I found the trojan infected the hosts file in the "c:\windows" and "c:\windows\system32\driver\etc" directories, assigning various URLs to the localhost IP.
Please, can anybody help me?

#5 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 31 May 2004 - 11:47 AM

whizzkid3 and pbR - Please start your own New Topics. This is gelindo's thread.

Bump means add a reply to your own thread to move it to the top of the forum list. Do it if you think you've been overlooked, but preferably not more than once or twice a day.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#6 gelindo

gelindo

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 June 2004 - 08:53 AM

help me pls....................!

#7 mabada

mabada

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 June 2004 - 09:18 AM

try this:
Start -> Run -> "regedit"

goto key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

export it to a backup file

on the right pane see if there's a "system" entry, if so - delete it
restart computer
run hijackthis - remove R0 & R1 entries
enter a different homepage
see if it sticks
delete a file "system32.dll" in the windows dir (or windows\system32 - not sure)



