Jump to content


Photo

Homepage Hijacked


  • Please log in to reply
3 replies to this topic

#1 Tydogg

Tydogg

    Member

  • New Member
  • Pip
  • 3 posts

Posted 21 June 2004 - 09:47 AM

This is a sticky problem, but from the looks of it, it's become a fairly common one lately. It's been resetting my homepage to "search-to-find.com" and giving pop-ups of "Simply the Best".

Here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 5:27:30 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\ntru32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\mfcip.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vugkr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vugkr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vugkr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vugkr.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4602FC29-315E-9E18-D3E6-F9A6B3082D3F} - C:\WINDOWS\system32\ntcc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [mfcip.exe] C:\WINDOWS\system32\mfcip.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [ntru32.exe] C:\WINDOWS\ntru32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.4799189815
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9F8F10-ECC0-471D-A43E-CEE4FA3383AD}: NameServer = 213.131.65.20 213.131.66.246
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B9F8F10-ECC0-471D-A43E-CEE4FA3383AD}: NameServer = 213.131.65.20 213.131.66.246

#2 Tydogg

Tydogg

    Member

  • New Member
  • Pip
  • 3 posts

Posted 25 June 2004 - 07:57 AM

Fix for the Hijacker program.

I finally fixed this myself... Here is what I did.

I downloaded a task manager program (Security Task Manager) that checks everything -- every exe and every dll and every registry entry and checks them against known and safe files. Everything else is highlighted to be deleted by the user.

Using this once helped identify all of the traces of the homepage hijacker -- and you have to get them all. It's been four days and no trace of the hijacker has come back.

Many of the file names are randomly generated -- but I got rid of:

mfcip.exe
ntcc.dll
vugkr.dll
xrqcu.dat
mfcvq.exe
ntru32.exe
addzv32.exe
ntcc.dll

It was actually quite easy to figure what to delete by using the Secuirty Task Manager program -- the offending files had no description and were easily distinguishable from my computers legitimate drivers and programs.

Good luck!

#3 Mayhem

Mayhem

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 June 2004 - 08:27 AM

Link for it?

#4 Tydogg

Tydogg

    Member

  • New Member
  • Pip
  • 3 posts

Posted 25 June 2004 - 01:55 PM

Try Google to find it -- it's made by neuber. Or I'm sure you could use any similar program, but I found this one to work just fine.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button