Home Page hijacked (Resolved)
-
Home Page hijacked (Resolved)
Hi All
Im trying to help out a neighbour whose homepage in ie keeps getting hijacked. I've run AVG anti virus and Ad Aware and removed all the 'nasties'. However, on boot up, the pie home page STILL gets modified. I just ran Hijack this and the log is below. Can anyone see anything that might look a bit suspicious?
Thanks
Steve
Logfile of HijackThis v1.97.7
Scan saved at 15:57:45, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KAREN\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ê 1%2O
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1507
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.net/welcome/freeserve.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDO WS\System32\svcpack.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Browser Hijack Blaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - Home Prefix: http://www.google.co.uk
O13 - Mosaic Prefix:
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial1/058362uk.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F16A1606-55ED-4FF3-85DE-32641E378843}: NameServer = 158.152.1.43 158.152.1.58
-
4-counter is a CoolWebSearch infection. Download, update and run
CWShredder
Click Fix, don't just scan. Let it fix everything it asks about.
Reboot, then post a fresh HijackThis log.
-
Thanks for the tip. Neighbours gone away on holiday 
...will run shredder when she gets back and repost log
Thanks
Steve
-
Hi - I ran shredder..said it rmoved 9 entries
Here is the new post. Any reason WHY ad-aware didn't sort it out first time around?
Logfile of HijackThis v1.97.7
Scan saved at 08:09:59, on 25/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Documents and Settings\KAREN\My Documents\Steve's stuff (don't delete please)\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ê 1%2O
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1507
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.net/welcome/freeserve.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Browser Hijack Blaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - Home Prefix: http://www.google.co.uk
O13 - Mosaic Prefix:
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.wanadoo.co.uk/time/anyti...s/sd0101_5.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F16A1606-55ED-4FF3-85DE-32641E378843}: NameServer = 195.92.195.95 195.92.195.94
-
Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ê 1%2O
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1507
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
I can't see a Firewall enabled, this one is free, Sygate Personal Firewall
-
Thanks Nirvana!
I'll check it out and get back to you.
Any ideas why Adaware doesn't 'pick this up' and solve it?
Steve
-
Adaware picks bits of it up but it can't remove it.
-
Thanks again Nirvana - thought I was going nuts!!
