Hijacked !

17 April 2005, 09:08 AM   #1
andyr (Thread Starter)

Hijacked !

I've hit this problem before and got help via the Tomcoyote forum but I am still awaiting their help (I've also posted to the SWI forums): I appreciate that the guys on those forums are just volunteers so I'm not going to hassle them any more.
My home page is hijacked to http://search-links.net/

I've run CWShredder, HijackThis plus Trend and even done so in safe mode but the damn thing is never killed.

Anyone offer some assistance? HijackThis log is here.

Logfile of HijackThis v1.99.1
Scan saved at 09:09:14, on 17/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FBM Software\ZeroSpyware\NetGuard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\SupaDial\SupaDial.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-links.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-links.net/?my= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-links.net/?my= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Supanet Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NetGuard] "C:\Program Files\FBM Software\ZeroSpyware\NetGuard.exe" -STARTUP
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: DVD@ccess.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://%73%65%61%72%63%68%2D%6C%69%6...%6E%65%74/?my=
O13 - WWW Prefix: http://%73%65%61%72%63%68%2D%6C%69%6...%6E%65%74/?my=
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {0D3BB340-300B-43FD-AF64-D637B94911B2} (VivianControl Class) - http://www.viametrix.com/production/vivianx.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099706437734
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templ...control013.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F750BDB-8F6D-4E5E-A178-37A4B4355700}: NameServer = 194.72.9.39 194.74.65.87
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
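The log above is a plain-text format a defender can triage mechanically rather than by eye. The Python below is an added example, not part of the original post and not a HijackThis feature: it parses the R0/R1 and O13 lines, percent-decodes the O13 prefix hostname (HijackThis prints the value exactly as stored, which is why the hijacker's prefix appears as %73%65...), and flags any entry that resolves to the hijack domain or that uses an encoded hostname at all. SUSPECT_HOSTS is an assumed blocklist containing only the host the R0 line names; because the page's own O13 value is truncated, the O13 sample line is a constructed full encoding of search-links.net.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed blocklist: the one host the thread's R0 line names.
SUSPECT_HOSTS = {"search-links.net"}

# Line shapes this triage understands:
#   R0/R1 - <hive>\<key>,<value name> = <url>
#   O13 - DefaultPrefix: <url>  /  O13 - WWW Prefix: <url>
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
O13_LINE = re.compile(r"^(O13) - (.+?): (.+)$")


def decode_host(url):
    """Return (hostname, was_percent_encoded) for a URL.

    HijackThis prints O13 prefixes as stored in the registry, so a prefix
    written as http://%73%65... shows up percent-encoded. Decoding before
    comparing is what lets the hostname be matched against a blocklist.
    """
    host = (urlsplit(url.strip()).hostname or "").lower()
    decoded = unquote(host)
    return decoded, decoded != host


def parse_hjt_line(line):
    """Parse one R0/R1/O13 line into a dict; other sections return None."""
    m = R_LINE.match(line)
    if m:
        url = m.group(4).split(" (", 1)[0]  # drop HijackThis' "(obfuscated)" tag
        return {"section": m.group(1), "key": m.group(2), "value": m.group(3), "url": url}
    m = O13_LINE.match(line)
    if m:
        return {"section": "O13", "key": "", "value": m.group(2), "url": m.group(3)}
    return None


def triage(lines):
    """Return findings for lines whose target host is suspect or obfuscated."""
    findings = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        host, encoded = decode_host(entry["url"])
        reasons = []
        if host in SUSPECT_HOSTS:
            reasons.append(f"points at {host}")
        if encoded:
            reasons.append("hostname is percent-encoded (obfuscated)")
        if reasons:
            findings.append({"section": entry["section"], "value": entry["value"],
                             "host": host, "reasons": reasons})
    return findings


# Sample input. The R0 and R1 lines are taken from the log above; the O13 line
# is a constructed full encoding of search-links.net, because the page's own
# O13 value is truncated. The O2 line shows that unrelated sections are ignored.
SAMPLE_LOG = [
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search-links.net",
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.supanet.com/search/iepanel/",
    "O13 - DefaultPrefix: http://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']} {f['value']}: {f['host']} ({'; '.join(f['reasons'])})")
```

The O13 prefix matters more than the R0 start page: IE prepends DefaultPrefix to anything typed without a scheme, so even after the home page is reset every bare address still goes through the hijacker's site until that value is cleared too.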
17 April 2005, 09:25 AM   #2
dlharris

You need to make sure that there are no versions of Internet Explorer running. What I've seen on my sister's PC is some strange .exe program running that continuously restarts itself, and it's this program that could be constantly setting your homepage. Look through the list of .exe's and see if any look suspicious to you.

Good luck.
Dave
17 April 2005, 09:55 AM   #3
class_A

Could you close down all open applications before running HT, as it will make picking through the logs a lot easier.

You may have a trojan or worm which is changing settings then unloading itself. Download Avast! Cleaner, burn it to a CD, boot in Safe Mode and run the app. from the CD.

Oh and upgrade to SP2 and get some full-time anti-virus! Trend HouseCall is on demand only.

Last edited by class_A; 17 April 2005 at 09:59 AM.
17 April 2005, 10:00 AM   #4
DemonDave

See here for a sample: http://castlecops.com/postp513049.html

And also use www.pestscan.com - this should tell you all the files and registry entries that need removing.

Dave.
17 April 2005, 12:05 PM   #5
Soulgirl

You could post your log over at www.d-a-l.com - they have a resident HijackThis expert.
17 April 2005, 12:24 PM   #6
Granicus

Might also be worth checking your hosts file mate (windows\system32\drivers\etc\hosts). There might be dodgy entries in there which you need to delete.
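A hosts file check of the kind suggested above, written as an added Python example (not from the thread): it parses a constructed hosts file and flags two patterns a hijacker uses, a name redirected to a non-loopback address (so a typed site lands on the attacker's server) and an update or scanner site mapped to loopback (so the victim cannot fetch fixes). PROTECTED_NAMES is an illustrative list and the 198.51.100.7 address is a TEST-NET-2 placeholder, both assumptions for the example.

```python
import ipaddress
import re

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Illustrative list of sites a hijacker commonly blackholes; an assumption for
# this example. A real audit would use the organisation's own list.
PROTECTED_NAMES = {"www.trendmicro.com", "housecall.trendmicro.com",
                   "windowsupdate.microsoft.com"}

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active line; comments are stripped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if m:
            yield no, m.group(1), [n.lower() for n in m.group(2).split()]


def audit_hosts(text):
    """Return findings for redirected names and blackholed protected sites."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": no, "names": names, "reason": f"unparseable address {ip!r}"})
            continue
        for name in names:
            if name in LOOPBACK_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                # Loopback mappings of other names are usually ad-block lists;
                # only protected update/scanner sites are flagged here.
                if name in PROTECTED_NAMES:
                    findings.append({"line": no, "names": [name],
                                     "reason": "security/update site blackholed"})
            else:
                findings.append({"line": no, "names": [name], "reason": f"redirected to {ip}"})
    return findings


# Constructed sample hosts file for the example (not taken from the thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.trendmicro.com housecall.trendmicro.com
198.51.100.7    www.google.com  # TEST-NET-2 address standing in for a hijacker's server
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {' '.join(f['names'])} - {f['reason']}")
```

On a real machine the file is read from the path in the post; the parser treats everything after a # as a comment, which is also where a hijacker's entries are sometimes hidden behind long runs of whitespace, so check the raw file in an editor as well.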
17 April 2005, 06:45 PM   #7
TonyBurns

Originally Posted by dlharris
You need to make sure that there are no versions of Internet Explorer running. What I've seen on my sister's PC is some strange .exe program running that continuously restarts itself, and it's this program that could be constantly setting your homepage. Look through the list of .exe's and see if any look suspicious to you.

Good luck.
Dave

Had this problem, turned out to be a Sasser virus. Quick way around (from Microsoft) to stop it rebooting was to go to the Start menu, click Run, and type in shutdown -a; that should halt that.

Tony
19 April 2005, 01:17 AM   #8
andyr (Thread Starter)

Even sh!!tier

Oh bollocks, got impatient waiting for responses from the 3 forums I'd posted my hijack info on so I did this:
I had been noticing that a process 'kb32.exe' was attempting to access the net (ZoneAlarm flags it up). This starting seemed to coincide with the page hijack, and a Google search indicated 'kb32.exe' was evidence of a trojan: it suggested looking for c:\windows\system32\kb32.exe.

I did, and I found it, so deleted it: to do so I had to boot into safe mode and then terminate the kb32.exe process that was running via Task Manager before I could finally remove the file. At worst, I thought, it'll be no worse and I could restore the file from the recycle bin and get back to where I had started from this morning.
NOPE!
Rebooted and now all I get is the desktop wallpaper but no desktop items, no nothing, and all I had access to was the Task Manager.

Using Regedit I found that there is an entry in the registry against explorer for a debug item and it contains kb32.exe: I wondered whether this is what causes Windows to boot up only partially, as it needs to find this item before it proceeds further, or whether the fact that the kb32.exe is against explorer, which is such a vital part of Windows, is the problem.
Anyway, I enlisted the help of my father-in-law and he has now started along the road of reinstalling XP as he has a full XP CD (I've only got a crappy driver disk that was supplied with the machine from Time Computers).
Just praying that I don't lose too much info (documents, emails etc).

Fecking Viruses !
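The registry "debug item against explorer" in the post above is, I assume, the Debugger value under Image File Execution Options (IFEO) for explorer.exe. When that value is set, Windows launches the named program in place of the one being started, which is both why kb32.exe kept coming back with every Explorer start and why deleting the file while the value still pointed at it left Explorer unable to launch at all (wallpaper, no desktop). The Python below is an added example, not the poster's work and not a HijackThis feature: it parses a constructed .reg export of the IFEO key and reports every Debugger value, separating a debugger that is present but not a known tool from one whose binary is missing. The KNOWN_DEBUGGERS allowlist, the sample keys and the simulated file set are assumptions for the example.

```python
import ntpath
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")
# Illustrative allowlist of debuggers that legitimately appear under IFEO
# (an assumption for this example; a real audit uses its own list).
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "vsjitdebugger.exe"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the string values of a regedit 5.00 export into {key: {name: data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside string data
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries[current][m.group(1)] = data
    return entries


def debugger_binary(command):
    """First token of a Debugger command line, quotes stripped (the path on disk)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_ifeo(reg_text, existing_files):
    """Flag IFEO Debugger values; existing_files simulates what is on disk."""
    findings = []
    present = {p.lower() for p in existing_files}
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()) or "Debugger" not in values:
            continue
        target = key[len(IFEO_PREFIX):]
        path = debugger_binary(values["Debugger"])
        if path.lower() not in present:
            status = "missing_debugger"      # target exe can no longer start at all
        elif ntpath.basename(path).lower() not in KNOWN_DEBUGGERS:
            status = "untrusted_debugger"    # target exe is silently replaced
        else:
            continue
        findings.append({"target": target, "debugger": path, "status": status})
    return findings


# Constructed .reg export for the example. The explorer.exe entry mirrors what
# the post describes; the iexplore.exe entry is a benign ntsd.exe hook.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\kb32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\system32\\ntsd.exe -d"
'''

if __name__ == "__main__":
    # Before and after the file deletion described in the post (simulated).
    before = {r"C:\WINDOWS\system32\kb32.exe", r"C:\WINDOWS\system32\ntsd.exe"}
    after = {r"C:\WINDOWS\system32\ntsd.exe"}
    print("before:", audit_ifeo(SAMPLE_REG, before))
    print("after: ", audit_ifeo(SAMPLE_REG, after))
```

The order of clean-up follows from the mechanism: remove (or export and then delete) the Debugger value first, so that Explorer starts normally again, and only then delete the file it pointed at. Doing it the other way round is exactly the wallpaper-only state the post describes, and it is recoverable by restoring the file from the recycle bin or deleting the value from Regedit in Safe Mode.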
19 April 2005, 07:53 AM   #9
class_A

Well at least you found the problem! Make sure the machine is fully patched before you go visiting anything other than microsoft.com.