
Home page gets altered


7 replies to this topic

#1 StevenDC

StevenDC

    Member

  • Full Member
  • 12 posts

Posted 31 May 2004 - 04:12 PM

Hi,

My home page switches to a site with a lot of links (mshp or something) and some porn links are added to my favorites every time I restart the computer.

I checked with AdAware, Spybot etc. I read the FAQ page and have deleted some entries in HijackThis, but they keep coming back when I restart.

I'd really appreciate it if someone could help me.

When I try to open the HijackThis.log file I get a message from my Panda anti-virus software saying the Trj/Revop.A virus has been neutralised, then I get a message with title c:\windows\bdlb4126.exe that says that I cannot reach the file or path, like I have no access to it.

So, I cannot show you the listing of the HijackThis.log file. I can tell that I have a lot of R0's and R1's and a lot of O4's, e.g. madmodw, rundll32 and Mspy2002. Also 3 BHO's.

Anyone out there that knows what I can do?

Thanks in advance,

Steven

Edited by StevenDC, 31 May 2004 - 04:14 PM.


#2 StevenDC

StevenDC

    Member

  • Full Member
  • 12 posts

Posted 01 June 2004 - 12:46 PM

:huh:

#3 StevenDC

StevenDC

    Member

  • Full Member
  • 12 posts

Posted 03 June 2004 - 01:09 PM

I managed to get my HijackThis log in here.

I hope someone can help me.

Logfile of HijackThis v1.97.7
Scan saved at 20:07:45, on 3/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\System32\sdpsrvs.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
D:\Program Files\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://users.pandora...ven.deceuster1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://users.pandora...en.deceuster1/"); (C:\Documents and Settings\Steven\Application Data\Mozilla\Profiles\default\21tdyxlz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Steven\Application Data\Mozilla\Profiles\default\21tdyxlz.slt\prefs.js)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\ieyg\ieyg.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\wingf\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\wingf\msiesh.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [sdpsrvs] C:\WINDOWS\System32\sdpsrvs.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: PILLS (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: Onderzoek (HKLM)
O10 - Unknown file in Winsock LSP: d:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Acsell

Acsell

    Advanced Member

  • Developer
  • 160 posts

Posted 03 June 2004 - 02:38 PM

1) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode
How to start in safe mode-
http://www.pchell.co.../safemode.shtml

2) Put a tick Next to these in HijackThis and click "Fix selected"

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\ieyg\ieyg.dll

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\wingf\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\wingf\msiesh.dll

O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install

O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install

O4 - HKLM\..\Run: [sdpsrvs] C:\WINDOWS\System32\sdpsrvs.exe

3) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

how to turn off system restore-
http://www.pchell.co...emrestore.shtml

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the file names:
IEFEATSL.DLL
MSIESH.DLL
SUBMITHOOK.DLL
UNINSTALL.EXE
UNINSTALL.INI
MSHP.DLL
Click Find Now or Search Now.
Delete the displayed files.

4) Select these in HijackThis and click "Fix Selected"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776


5) Reboot the computer and run CWShredder from here-
http://cwshredder.cl...ormoreinfo.com/

Post back a new HijackThis log

Edited by Acsell, 03 June 2004 - 02:43 PM.

ASAP - Alliance of Security Analysis Professionals - Proud Member Since 2004
HJTHotkey - HijackThis Tutorial (Unofficial) - GetFiles
Autohotkey - Automation. Hotkeys and Scripting - Mozilla Firefox

#5 StevenDC

StevenDC

    Member

  • Full Member
  • 12 posts

Posted 03 June 2004 - 05:35 PM

Thanks for the reply. I did everything you proposed and this is the resulting HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 0:33:37, on 4/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\iavideow.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
D:\program files\Office\Winword.exe
D:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://users.pandora...en.deceuster1/"); (C:\Documents and Settings\Steven\Application Data\Mozilla\Profiles\default\21tdyxlz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Steven\Application Data\Mozilla\Profiles\default\21tdyxlz.slt\prefs.js)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\syssz\syssz32.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iavideow] C:\WINDOWS\System32\iavideow.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "D:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Onderzoek (HKLM)
O10 - Unknown file in Winsock LSP: d:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 StevenDC

StevenDC

    Member

  • Full Member
  • 12 posts

Posted 03 June 2004 - 05:41 PM

And it seems to have worked.

THANKS!! :bounce:

How can I give a donation to this site?

Edited by StevenDC, 03 June 2004 - 05:42 PM.


#7 Acsell

Acsell

    Advanced Member

  • Developer
  • 160 posts

Posted 03 June 2004 - 05:49 PM

Hi, fix these two with HijackThis-

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\syssz\syssz32.dll
O4 - HKLM\..\Run: [iavideow] C:\WINDOWS\System32\iavideow.exe

Then, delete these files (bold) if they exist-

C:\WINDOWS\syssz\syssz32.dll

Then do an online virus scan here-
http://housecall.tre.../start_corp.asp

Edited by Acsell, 03 June 2004 - 05:50 PM.

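The two HijackThis logs in this thread (post #3 before the fix, post #5 after it) show what a defender looks for by hand: IE start/search pages redirected to a res:// page inside mshp.dll, unnamed BHOs loading DLLs from ad-hoc folders under C:\WINDOWS, and autoruns that call rundll32 on a DLL dropped in the Windows root. They also show the BHO with CLSID {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} coming back under a new path (C:\WINDOWS\syssz\syssz32.dll instead of C:\WINDOWS\ieyg\ieyg.dll), which is why Acsell asks for a second log. The following Python script is an added example written for this page; it is not HijackThis, CWShredder or anything posted in the thread. It parses HijackThis-style log lines, applies those three heuristics (which are assumptions drawn from this thread's entries, not a complete ruleset), and compares two logs keyed by BHO CLSID so that a re-registered BHO stands out. The sample log text is a constructed excerpt of the lines that appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines excerpted from the two HijackThis logs posted
# in this thread (before and after the first round of fixes).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\ieyg\ieyg.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\wingf\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\wingf\msiesh.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [sdpsrvs] C:\WINDOWS\System32\sdpsrvs.exe
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\syssz\syssz32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iavideow] C:\WINDOWS\System32\iavideow.exe
"""

# "O2 - BHO: ..." -> kind "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
# A DLL directly in C:\WINDOWS\<folder>\ (folder captured so system32 can be excluded)
ODD_WINDOWS_DLL = re.compile(r"^C:\\WINDOWS\\([^\\]+)\\[^\\]+\.dll$", re.I)
# rundll32 loading a DLL that sits in the C:\WINDOWS root itself
RUNDLL_ROOT = re.compile(r"rundll32\s+C:\\WINDOWS\\[^\\]+\.dll", re.I)


@dataclass
class Entry:
    kind: str                      # HijackThis section code: R0, R1, O2, O4, ...
    body: str                      # everything after "O2 - "
    clsid: Optional[str] = None    # upper-cased CLSID (O2 entries only)
    path: Optional[str] = None     # DLL path (O2 entries only)


def parse_log(text: str) -> list:
    """Turn HijackThis log text into Entry objects; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        clsid = path = None
        if kind == "O2":
            c = CLSID_RE.search(body)
            clsid = c.group(0).upper() if c else None
            path = body.split(" - ")[-1].strip()
        entries.append(Entry(kind, body, clsid, path))
    return entries


def suspicious_reasons(e: Entry) -> list:
    """Heuristics (assumed, drawn from this thread) that mark an entry for review."""
    reasons = []
    if e.kind in ("R0", "R1") and "res://" in e.body:
        reasons.append("IE start/search page served from a res:// resource inside a DLL")
    if e.kind == "O2":
        name = e.body.split(" - ")[0]
        name = name[len("BHO: "):].strip() if name.startswith("BHO: ") else name.strip()
        if name in (".", "(no name)"):
            reasons.append("BHO registered with no meaningful name")
        m = ODD_WINDOWS_DLL.match(e.path or "")
        if m and m.group(1).lower() not in ("system32", "system"):
            reasons.append("BHO DLL lives in an ad-hoc folder C:\\WINDOWS\\" + m.group(1))
    if e.kind == "O4" and RUNDLL_ROOT.search(e.body):
        reasons.append("autorun loads a DLL from the C:\\WINDOWS root via rundll32")
    return reasons


def flag_entries(entries: list) -> list:
    """Return (entry, reasons) pairs for every entry that trips at least one heuristic."""
    return [(e, r) for e in entries if (r := suspicious_reasons(e))]


def bho_changes(before: list, after: list) -> dict:
    """Compare O2 (BHO) entries of two logs by CLSID: moved paths, removed and added CLSIDs."""
    old = {e.clsid: e.path for e in before if e.kind == "O2" and e.clsid}
    new = {e.clsid: e.path for e in after if e.kind == "O2" and e.clsid}
    moved = {c: (old[c], new[c]) for c in old.keys() & new.keys()
             if old[c].lower() != new[c].lower()}
    return {"moved": moved,
            "removed": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys())}


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for e, reasons in flag_entries(before):
        print(f"{e.kind} - {e.body}\n    -> " + "; ".join(reasons))
    for clsid, (old_path, new_path) in bho_changes(before, after)["moved"].items():
        print(f"BHO {clsid} re-registered: {old_path} -> {new_path}")
```

Run against the thread's two logs, the "before" excerpt yields seven flagged entries and the "after" excerpt one; the CLSID comparison reports the single BHO that survived the first fix under a renamed DLL, which is exactly the entry Acsell asks to fix in post #7. The heuristics deliberately do not try to judge unfamiliar Run entries such as sdpsrvs or iavideow by name alone, since a name match says nothing on its own; those still need a human (or a file lookup) to decide.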

#8 Acsell

Acsell

    Advanced Member

  • Developer
  • 160 posts

Posted 03 June 2004 - 05:56 PM

Hi StevenDC, glad to hear it is fixed :)

Just do the fixes above, reboot and post a log back, hopefully it will be clean.

Here is the donations page:

http://www.spywareinfo.com/support.php

Edited by Acsell, 03 June 2004 - 07:09 PM.
