Browser hijack...http://213.159.117.134/index.php

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kaneda, Oct 8, 2004.

  1. kaneda

    kaneda Private E-2

    Before I start: Yes, I have done *everything* in the 'READ ME FIRST" thread.

    My browser won't change from the following:
    http://213.159.117.134/index.php


    There was worse happening, like a constant casino and search bar, but that is now gone via ad-aware SE.

    When this happened, about 30 sites opened up and avg reported about 10 trojans. I removed a bunch of them with AVG and then ran Ad-Aware, which fixed the bulk, but every now and then I get two error messages right after each other that don't actually say much other than 'error', and my homepage/search page etc. have been hijacked...

    Any help would be greatly appreciated. Thank you :)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop or a temp folder, or run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. kaneda

    kaneda Private E-2

    Ok those errors have come up again...

    One says "Error occured, program will exit now" and in its title bar it says 'Error'..

    The other says 'Dialer' in the title bar and "Already running!" in the message box part... I think this one popped up first.

    Weird :rolleyes:
     
  4. kaneda

    kaneda Private E-2

    Here is my hijack this log...
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get HJT into its own folder. You have it running from a temp directory.
     
  6. kaneda

    kaneda Private E-2

    It's in its own folder... I extracted it into 'Hijack this' ...

    E.G. Desktop/Misc/HijackThis/
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO! Go back and read my original message again. No temps and no Desktop. FIX THAT FIRST AND THEN CONTINUE WITH BELOW.

    Make sure system restore is disabled and viewing of hidden files is enabled.

    Please run HijackThis and click on the "Config" button in the bottom-right hand corner. Then click on "Misc tools" on the top, and then "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\inetdata\services.exe
    C:\WINDOWS\System32\systime.exe
    C:\WINDOWS\System32\windllsys32.exe
    C:\WINDOWS\System32\systime.exe
    C:\Documents and Settings\Administrator\Application Data\autp.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [Uahe] C:\Documents and Settings\Administrator\Application Data\autp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=714b9e99bb1ec51fadc828f5983e23109b906c2b320d9f1b39ed54699be7e97f4caf42694383070009646062296ff92e68cfba8c:eb8a1fb09d00c5943edceabcca450006

    Boot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\inetdata\services.exe
    C:\WINDOWS\System32\systime.exe
    C:\WINDOWS\System32\windllsys32.exe
    C:\WINDOWS\System32\systime.exe
    C:\Documents and Settings\Administrator\Application Data\autp.exe

    Now reboot in normal mode and post a new HJT log and tell me how things are working.
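    A small triage script for HijackThis log lines like the ones quoted above, added here as an illustration (it is not the poster's code and not part of HijackThis): it parses the R0/R1 and O4/F3 entries, flags start pages that point at a bare-IP URL, and flags any executable registered in more than one autostart location, as services.exe and systime.exe are in this log. The sample lines are copied from the thread; the heuristics are the editor's, not anything the helper ran.

```python
import re

# Constructed sample: a handful of the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O15 - Trusted Zone: *.windupdates.com
"""

IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")  # http://1.2.3.4/...
RUN_ENTRY = re.compile(r"^(HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # O4 body


def exe_path(command):
    """Return the lower-cased executable path of an autostart command, dropping arguments."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1).lower()
    # Unquoted: the path runs up to the first .exe, since paths with spaces are common.
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return (m.group(1) if m else command.split()[0]).lower()


def triage(log_text):
    """Flag IE start/search pages set to a bare-IP URL and executables
    registered in more than one autostart location (Run keys, win.ini)."""
    findings = []
    autostarts = {}  # exe path -> set of autostart locations
    for line in log_text.strip().splitlines():
        section, _, body = line.partition(" - ")
        if section in ("R0", "R1") and IP_URL.search(body):
            findings.append(("ip-url-homepage", body.split(" = ", 1)[1]))
        elif section == "F3" and body.startswith("REG:win.ini: run="):
            autostarts.setdefault(exe_path(body.split("run=", 1)[1]), set()).add("win.ini")
        elif section == "O4":
            m = RUN_ENTRY.match(body)
            if m:
                autostarts.setdefault(exe_path(m.group(3)), set()).add(m.group(1) + "\\Run")
    for exe, places in sorted(autostarts.items()):
        if len(places) > 1:
            findings.append(("multi-location-autostart", exe))
    return findings
```

    Running `triage(SAMPLE_LOG)` returns the hijacked start page plus services.exe and systime.exe; REGSHAVE.EXE, registered once, is not flagged.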
     
  8. kaneda

    kaneda Private E-2

    Sorry, I didn't see the desktop thing; I'm all in a rush and at work and so on.

    First, thank you for your help!

    Second, I couldn't find "C:\Documents and Settings\Administrator\Application Data\autp.exe" ...(yes I have all hidden files shown, etc.)

    And this was entered twice, (C:\WINDOWS\System32\systime.exe
    C:\Documents and Settings\Administrator\Application Data\autp.exe), so after deleting it once, it wasn't there to delete a second time.

    I'll post my log in a sec, just have to close this browser. :)
     
  9. kaneda

    kaneda Private E-2

    Ok, so the homepage was set to about:blank after I 'fixed' with 'hijackthis'.

    Then I went to scan again to get you the log, and my homepage is now set as "http://www.searchportal.info/10039/"

    :rolleyes:

    Anyway, here is the log...
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log does not show that home page. So either I need a new log, or you just need to Reset your web settings.

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  11. kaneda

    kaneda Private E-2

    It appears I have a trojan dialer thingy called 'dstart.exe'...

    C:\Windows\dstart.exe

    ...AVG found it, I've cured it about 5 times now, it comes back with every reboot.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried booting in safe mode and deleting the file C:\Windows\dstart.exe?
     
