Browser Hijacking

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by garystone, Oct 5, 2004.

  1. garystone

    garystone Private E-2

    Helppppppppp......
    I am running IE on Windows XP and have had my home page hijacked.
    I have disabled the restore function, downloaded all the removal tools listed but when I change the homepage back to google for example, within a matter of seconds the registry changes and the homepage is changed.

    The homepage details always change and are in the format of 78%63% etc etc.

    Can anybody shed any light please.

    Thanking you in advance

    Gary
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. garystone

    garystone Private E-2

    Hi Kodo,

    I have to the best of my knowledge, followed the instructions as shown.

    Gary
     
  4. Kodo

    Kodo SNATCHSQUATCH

    ok, the next step is this

    http://forums.majorgeeks.com/showthread.php?t=38752
    Hijack This Tutorial And How To Post Your Log File

    Please read this tutorial carefully. Do not run HiJackThis from any folder within Documents and Settings, desktop, temp folder or an archive.
     
  5. garystone

    garystone Private E-2

    Hi Kodo,

    I will follow instructions and post log file when I get home.

    Thank you.
     
  6. garystone

    garystone Private E-2

    Hi Kodo

    Please find log file as requested,

    thanks

    Gary
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, you need to get HijackThis off your Desktop and into its own folder. Like c:\Program File\HJT or c:\HJT.

    Also, while I look at your log, check for SyncroAd and WinSync in Add/Remove programs and uninstall them if found. Let me know if you find them.

    You also need to visit Microsoft's Windows Update to get your WinXP and Internet Explorer updated.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never ran the TrendMicro online scan. Why?
     
  9. garystone

    garystone Private E-2

    Hi Chaslang,

    Thanks for your reply, in add/remove programs I have a 'Windows SyncroAd' listed. Should this be removed? WinSync is not listed.
    I will definitely update my system when clean!!
    I have also moved Hijack This to its own folder on c:\

    Gary
     
  10. garystone

    garystone Private E-2

    I couldn't connect to the internet even though I had logged on in safe mode with network support.
     
  11. Kodo

    Kodo SNATCHSQUATCH

    yes, get rid of syncroad.

    Post a new Log file please.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot of trojans on the computer. You MUST update your OS and IE and install some protection.

    Make sure system restore is disabled and viewing of hidden files is enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if found):
    SyncroAd.exe
    MSMSGSVC.exe
    WinSync.exe
    lsrv.exe
    serm32.exe
    msfrewall.exe
    ndis.exe
    sp2update.exe
    xpcd.exe
    winmon.exe



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
    O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
    O4 - HKLM\..\Run: [Microsoft WinUpdates] serm32.exe
    O4 - HKLM\..\Run: [MS FIREWALL] msfrewall.exe <---- http://www.sophos.com.au/virusinfo/analyses/w32sdbotpk.html
    O4 - HKLM\..\Run: [NDIS Adapter] ndis.exe
    O4 - HKLM\..\Run: [sdfsdfsdf] C:\sp2update.exe
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKLM\..\Run: [msjava service] xpcd.exe
    O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
    O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
    O4 - HKLM\..\RunServices: [Microsoft WinUpdates] serm32.exe
    O4 - HKLM\..\RunServices: [MS FIREWALL] msfrewall.exe
    O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe
    O4 - HKLM\..\RunServices: [msjava service] xpcd.exe
    O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
    O4 - HKCU\..\Run: [MS FIREWALL] msfrewall.exe
    O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
    O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
    O4 - HKCU\..\RunServices: [MS FIREWALL] msfrewall.exe
    O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
    O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
    O19 - User stylesheet: (file missing)


    Boot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\dpe.dll
    C:\Program Files\Windows SyncroAd <--- the whole directory
    C:\WINDOWS\System\MSMSGSVC.exe
    c:\windows\system32\lsrv.exe
    c:\windows\system32\serm32.exe
    c:\windows\system32\msfrewall.exe
    c:\windows\system32\ndis.exe
    C:\sp2update.exe
    c:\windows\system32\xpcd.exe
    c:\windows\system32\winmon.exe

    Some of the above files may not be located where I indicated. You may need to use Windows Advanced search options to find them. Here is how to configure search:

    Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Enter the filename and then click the Search button.

    After this boot in normal mode and post a new HJT log attachment and let us know how things are working.
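The R0/R1 and O13 entries above (and the "78%63%" style values Gary describes in his first post) are readable once the percent-encoding is undone. The following Python script is an added example, not code from this thread or from HijackThis: it decodes the URL in each start/search line and reports the two tricks in play, a hex-escaped host and a decoy name placed before an `@` with a `%00` so that only the decoy was visible in the address bar. The sample lines are copied from the log quoted above; the function names `analyse_url` and `scan_hjt_log` are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample input: HijackThis-style R0/R1/O13 lines of the kind
# quoted in the thread, plus one clean Start Page line for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

# Matches the item kind, the registry key / prefix name and the URL value.
LINE_RE = re.compile(r"^(?P<kind>R[01]|O13) - (?P<key>.+?)(?: = |: )(?P<url>\S+)")


def analyse_url(raw: str) -> dict:
    """Decode an IE start/search URL and report the obfuscation tricks it uses.

    Returns the host the browser will really contact, the text a user would
    see first, and a list of findings (empty for an ordinary URL).
    """
    parts = urlsplit(raw.strip())
    findings = []
    if "%" in parts.netloc:
        # Hex-escaped host such as %65%68%74%74%70%2E%63%63 (decodes to ehttp.cc)
        findings.append("percent-encoded-host")
    netloc = unquote(parts.netloc)            # %00 becomes a real NUL byte here
    userinfo, at, hostport = netloc.rpartition("@")
    host = hostport.split(":", 1)[0].lower()
    shown_as = host
    if at:
        # Everything before '@' is userinfo, not the destination: the URL is
        # dressed up to look like it points at the text before the '@'.
        findings.append("userinfo-before-@")
        shown_as = userinfo.split("\x00", 1)[0]
        if "\x00" in userinfo:
            # Old IE stopped rendering the address at the NUL, so only the
            # decoy "homepage.com" part was visible in the address bar.
            findings.append("null-byte-truncation")
    return {"raw": raw, "host": host, "shown_as": shown_as, "findings": findings}


def scan_hjt_log(text: str) -> list:
    """Return one record per R0/R1/O13 line whose URL shows an obfuscation trick."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        result = analyse_url(m.group("url"))
        if result["findings"]:
            result["kind"] = m.group("kind")
            result["key"] = m.group("key")
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_hjt_log(SAMPLE_LOG):
        print(f'{hit["kind"]} {hit["key"]}\n    shown as: {hit["shown_as"]}\n'
              f'    real host: {hit["host"]}\n    findings: {", ".join(hit["findings"])}')
```

Run against the sample, the script flags the four hijacked lines and leaves the Google line alone: the start and search pages really point at www.e-finder.cc with "homepage.com" as a decoy, and the O13 prefix decodes to ehttp.cc, which is why every address typed without a scheme was being redirected.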
     
  13. garystone

    garystone Private E-2

    I have followed instructions, please find log file.
    Now when I log on to internet, it does not take me to different search pages but takes me to 'http://spywarealert.net'.

    Gary
     
  14. garystone

    garystone Private E-2

    Sorry chaslang but I keep getting an upload error when trying to upload the log file.
    I have tried deleting the 2 previous uploads but it will not let me.

    Gary
     
  15. garystone

    garystone Private E-2

    Hi all,

    I have re-run Hijack this - please find enclosed log file (hopefully). No visible signs of hijacking now, where is the best place to download updated versions of xp & ie?

    thank you

    Gary
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Fix these lines with HijackThis after shutting down all browser sessions:
    O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - (no file)
    O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

    Did you miss this O4 line last time?

    Did you get the C:\WINDOWS\System\MSMSGSVC.exe file deleted last time when I had you boot in safe mode? Make sure. Go look for it.
     
  17. garystone

    garystone Private E-2

    Hi,

    I searched for the file but could not find it.
    Any ideas?

    Thank you for all your help so far. At least I can let my kids search the web without being bombarded with c#@p.

    Gary
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to fix those lines in HJT? Show me another log.

    You asked where to go for updates:
    Go here and get your updates do all but Win XP SP2. Do not upgrade to SP2 while having any problems.

    Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
     
  19. garystone

    garystone Private E-2

    Hi Chaslang,

    HJT deleted the files.
    This is the new log.

    Thanks
     


  20. Kodo

    Kodo SNATCHSQUATCH

    well, you still have a cws on your machine if you deleted this line

    O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - (no file)

    and it came back.

    for the MSMSGSVC.exe go to start..run .. type CMD and hit enter.
    and at the prompt type

    DEL C:\WINDOWS\System\MSMSGSVC.exe

    run CWShredder once more and post a new log.
     
  21. garystone

    garystone Private E-2

    Kodo,

    Please find new log file

    Gary
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log looks clean now. Go get your Windows updates!
     
  23. Kodo

    Kodo SNATCHSQUATCH

    yes.. please!!
     
  24. garystone

    garystone Private E-2

    Thank you all for your help!

    Gary
     
  25. Kodo

    Kodo SNATCHSQUATCH

    You're welcome!
     
