Home Page and Favorites Attacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Gut Donizetti, Jun 3, 2004.

  1. Gut Donizetti

    Gut Donizetti Private E-2

    Spyware and Ad Ware installed - sweeps reveal nothing active. Yet, my home page continues to be changed and unwanted favorites added. HELP!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean by Spyware installed? This is not the name of an application. Did you mean SpywareBlaster or SpywareGuard? Or maybe SpyBot S&D? Are the programs up to date? If you do not have SpyBot S&D, download it and run it. Get it here:

    http://www.majorgeeks.com/download2471.html

    If you still have problems after that, get HijackThis from here:

    http://www.majorgeeks.com/download3155.html

    Send us its log. Before running HijackThis, shut down all Windows applications first.
    Also, tell us exactly what your home page is being changed to.
     
  3. newgroove

    newgroove

    I've been having problems with that too - well at least with favorites links. It keeps adding some very unwanted "favorites" to my list. Bleh!:mad:
     
  4. Gut Donizetti

    Gut Donizetti Private E-2

    Installed Spybot as suggested ...it found 3 problems - Avenue A.inc, DSO Exploit and Media Plex. Also ran AdAware - no problems found. The unwanted home page is: http://yoursearcher.com. I also have 4 unwanted additions to favorites - the home page and additions are added every 5 minutes. If I delete the favorites, they return. I've tried everything I can think of - can you help?
     
  5. simonk

    simonk Corporal

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Gut, send us a HijackThis log. Before running HijackThis, shut down all Windows applications first, especially browsers and Windows Explorer sessions.
     
  7. Ridski

    Ridski Private E-2

    Hey, I'm getting pretty much the same problem. I've turned off my System Restore, I've scanned with Ad-Aware, Spybot Search & Destroy, CWShredder and none of these picked up on the problem, although Spybot found one of the favourite hijacks but it doesn't fix the problem because every time I start Windows again it comes right back. So I then tried HijackThis and after the scan returned it came up with a lot of files for the hijacked home site (http://69.50.191.139/search.php). So I deleted the files where I've put the *** next to them in the log file and made sure nothing else was running at the time, BUT each time I turn on the computer the same problem is there: the same home page, the same favourites, even the exact same HijackThis log with all the deleted files (***) back again.

    When you go to this site (http://69.50.191.139/search.php) it tries to infect you with a trojan as well. At the bottom of the page it says "if problem click here" and then they tell you to download an uninstaller and delete a certain folder in the Windows registry. But this all looks very sus, having to download something from a hijacked home page, but anyway I have been trying to fix it all week so I tried their method as a last resort, scanned the uninstaller for viruses before I used it, then followed their steps, but the folder they say to delete doesn't exist in the registry, so I don't know what the hell the uninstaller did, and the problem hasn't stopped, it's exactly the same, but hopefully the uninstaller hasn't done anything bad (at least that I have noticed) and all my antispyware programs can't detect anything.

    I'll throw in my HijackThis log and even the instructions the hijacked home page site offers.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:54:34 PM, on 6/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\Simon\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    ***R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
    ***R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
    ***R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.139/search.php
    ***R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php
    ***R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
    ***R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
    ***R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
    ***R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
    ***R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php
    ***R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
    ***R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.139/search.php
    ***R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
    ***R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
    ***R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
    ***R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
    ***R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
    ***R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38140.8196990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{474F6DA5-057B-4775-8F53-BB52B10867C2}: NameServer = 100.100.100.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FB8149-D79D-4B15-8B05-9788C7AE63BF}: NameServer = 203.2.75.132 198.142.0.51
    These are the instructions on the site.

    If you don't want to continue using this page, follow instruction below:
    1. Download uninstaller (right click and choose "Save target as.." from pulldown menu)

    2. Run it

    3. Reboot your PC

    4. Run it second time

    5. Change your start page to "about:blank" in the IE settings (Tools -> Internet Options)

    6. Click "Start" -> "Run" -> regedit

    7. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    8. Select key {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} and delete it
    Sorry I wrote so damn much crap, but this thing has been really annoying, and if you guys can figure out how to solve this one or Gut's problem it should help to solve the remaining one.
     
  8. Ridski

    Ridski Private E-2

    Just looking through the HijackThis log, these items look a bit sus. They are probably nothing to do with the problem, but I don't recognize them.

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O17 - HKLM\System\CCS\Services\Tcpip\..\{474F6DA5-057B-4775-8F53-BB52B10867C2}: NameServer = 100.100.100.105

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FB8149-D79D-4B15-8B05-9788C7AE63BF}: NameServer = 203.2.75.132 198.142.0.51

    Maybe if Gut or newgroove posted their logs there might be a comparison between them, or probably not.
     
  9. Adrynalyne

    Adrynalyne Guest


    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    This is Adobe Acrobat.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{474F6DA5-057B-4775-8F53-BB52B10867C2}: NameServer = 100.100.100.105

    This is a reserved IP address, it shouldn't be in use, I would find it suspicious.


    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FB8149-D79D-4B15-8B05-9788C7AE63BF}: NameServer = 203.2.75.132 198.142.0.51

    203.2.75.132 looks fishy at http://www.samspade.org.

    198.142.0.51 this is a DNS server belonging to an Aussie company, probably an ISP.
     
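    The two things Ridski and Adrynalyne are checking by eye above (R0/R1 browser start and search entries pointing at a bare IP, and an O17 NameServer that sits in address space no home ISP resolver should use) can be pulled out of a HijackThis log mechanically. The script below is an added example written for this page; it is not a MajorGeeks or HijackThis tool, and the reserved-range list is my own choice of what to treat as "non-global". The embedded log excerpt is constructed from the entries posted earlier in the thread.

```python
"""Triage a HijackThis-style log for two hijack indicators:
  * R0/R1 entries whose start/search URL uses a bare IP literal as host
  * O17 NameServer entries pointing at non-globally-routable addresses
(Added example for this thread, not HijackThis code.)"""
import ipaddress
import re
from urllib.parse import urlparse

# Address space a home machine should never be handed as a DNS resolver.
# Assumption: anything in these ranges is worth a second look; 100.64.0.0/10
# is RFC 6598 shared address space and covers 100.100.100.105 from the log.
NON_GLOBAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed excerpt of the log posted above (stars are the poster's marks).
SAMPLE_LOG = r"""
***R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
***R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
***R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php
***R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php
***R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{474F6DA5-057B-4775-8F53-BB52B10867C2}: NameServer = 100.100.100.105
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FB8149-D79D-4B15-8B05-9788C7AE63BF}: NameServer = 203.2.75.132 198.142.0.51
"""

R_LINE = re.compile(r"^\**(R[01]) - (.+?),(.+?) = (\S+)")
O17_LINE = re.compile(r"^\**O17 - (\S+): NameServer = (.+)$")


def non_global_reason(ip_text):
    """Return the reserved range an address falls in, or None if it looks routable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not an IP address"
    for net in NON_GLOBAL:
        if ip in net:
            return str(net)
    return None


def host_is_ip_literal(url):
    """True when the URL's host is a bare IP literal rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (kind, registry location, value, reason) tuples for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            kind, key, name, url = m.groups()
            if host_is_ip_literal(url):
                findings.append((kind, f"{key},{name}", url,
                                 "browser start/search setting points at a bare IP"))
            continue
        m = O17_LINE.match(line)
        if m:
            key, servers = m.groups()
            for srv in servers.split():
                reason = non_global_reason(srv)
                if reason:
                    findings.append(("O17", key, srv,
                                     f"resolver in non-global range {reason}"))
    return findings


if __name__ == "__main__":
    for kind, where, value, why in triage(SAMPLE_LOG):
        print(f"{kind}: {value} ({why})\n    at {where}")
```

    Run against the excerpt it reports the four IP-based start/search entries and the 100.100.100.105 resolver, and stays quiet on the optusnet.com.au default page and on 203.2.75.132 / 198.142.0.51, which are globally routable (whether those two really belong to the ISP is a whois question the script does not answer). Note that flagging a resolver is a prompt to verify against the ISP, not proof of a hijack, and the script does not try to explain the O4 winupd entry, which would need the file itself examined.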
  10. Ridski

    Ridski Private E-2

    Quoting Adrynalyne:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FB8149-D79D-4B15-8B05-9788C7AE63BF}: NameServer = 203.2.75.132 198.142.0.51

    203.2.75.132 looks fishy at http://www.samspade.org.

    198.142.0.51 this is a DNS server belonging to an Aussie company, probably an ISP.

    Thanks, I just checked it out and it is my ISP, but I still don't understand what the IP port is doing...
     
