Homepage hijacking

[Ken L]

Despite having XP's firwall active and Norton Antivirus running, I've had my home page hijacked by a dodgy ad and am having problems with dial up and slow speed on net access.

 

I supsect that a whole bunch of addware/spyware has found it's way past the usual safeguards and I'm not very happy about it.

 

A full virus scan with Norton has turned up nothing and I'm very dubious about downloading removal software from unknown sites found using a search engine in case this just allows more malicious junk onto the system.

 

Any suggestions for a safe and free download for removing this rubbish would be greatfully recieved.

[Newt]

Ad-aware (free version). Download, install, UPDATE, and run. Delete all it finds.

 

Spybot (also free). Download, install, UPDATE, and run. Delete all it prechecks or shows in red. The other is optional.

 

Things will be much better after those two have run. Good idea to do them weekly or something. If you still have problems, download Hijackthis. Put it in a folder other than Temp. No install needed for this one - there is just a single .exe you run.

 

Run it and direct it to scan and give you a log of the scan. Don't fix anything. Just save the log and then post it here.

[David C]

I hope you have'nt got the same dialer virus as me. This changes your home page & turns off your modem sound. See this forum:

 

http://www.modemhelp.net/vblite/showthread...3?threadid=2324

 

As yet nobody seems to have come up with a foolproof way of getting rid of it, I thought I had for nearly a week then it came back !

[Newt]

David C - post the problem to the security section of www.windowsbbs.com

 

I have yet to see a system we couldn't get clean.

[David C]

Thanks Newt, will do

[David C]

Newt, I have tried posting in windows bbs security forum but for some reason I do not have permission. I have been registered on there for over a year, I will persevere, in the meantime, here is my hijackthis log:

I have removed some items since my last post on the advice of the modemhelp forum, and have been clear since, but I'm not convinced its gone.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:57:09, on 03/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:WINDOWSSystem32smss.exe

C:WINDOWSsystem32winlogon.exe

C:WINDOWSsystem32services.exe

C:WINDOWSsystem32lsass.exe

C:WINDOWSsystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSsystem32spoolsv.exe

C:PROGRA~1GrisoftAVG6avgserv.exe

C:Program FilesCommon FilesEPSONEBAPISAgent2.exe

C:WINDOWSSystem32nvsvc32.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSExplorer.EXE

C:Program FilesLogitechiTouchiTouch.exe

C:PROGRA~1LogitechMOUSEW~1SYSTEMEM_EXEC.EXE

C:PROGRA~1GrisoftAVG6avgcc32.exe

C:Program FilesCommon FilesRealUpdate_OBrealsched.exe

C:WINDOWSSystem32qttask.exe

C:Program FilesDesktop Messenger8876480ProgramBackWeb-8876480.exe

C:Program FilesMessengermsmsgs.exe

C:WINDOWStwain_32S6U12BXWATCH.exe

C:WINDOWSSystem32spoolDRIVERSW32X863E_S10IC2.EXE

C:Program FilesUlead SystemsUlead Photo Express 3.0 SECalCheck.exe

C:Program FilesLogitechiTouchkbdtray.exe

C:Program FilesBTopenworldDialBTIAnytime.exe

C:Program FilesInternet Exploreriexplore.exe

C:Documents and SettingsDavidMy DocumentsPersonalHijackThis.exe

 

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.timesupport.com

R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,Shellnext = http://www.btinternet.com/DiallerCheck.htm...@btinternet.com

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:windowsgoogletoolbar_en_2.0.108-big.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:windowsgoogletoolbar_en_2.0.108-big.dll

O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM..Run: [nwiz] nwiz.exe /install

O4 - HKLM..Run: [supastatus] C:Program FilesInternet ExplorerConnection Wizardstatus.exe

O4 - HKLM..Run: [zBrowser Launcher] C:Program FilesLogitechiTouchiTouch.exe

O4 - HKLM..Run: [EM_EXEC] C:PROGRA~1LogitechMOUSEW~1SYSTEMEM_EXEC.EXE

O4 - HKLM..Run: [Gtwatch] C:WINDOWSgtwatch.exe

O4 - HKLM..Run: [AVG_CC] C:PROGRA~1GrisoftAVG6avgcc32.exe /STARTUP

O4 - HKLM..Run: [DXM6Patch_981116] C:WINDOWSp_981116.exe /Q:A

O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKLM..Run: [QuickTime Task] C:WINDOWSSystem32qttask.exe

O4 - HKLM..Run: [system Process] C:WINDOWSsvchost.exe /i

O4 - HKCU..Run: [LDM] C:Program FilesDesktop Messenger8876480ProgramBackWeb-8876480.exe

O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:Program FilesDesktop Messenger8876480ProgramLDMConf.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:WINDOWSsystem32spooldriversw32x863E_SRCV02.EXE

O4 - Global Startup: Watch.lnk = C:WINDOWStwain_32S6U12BXWATCH.exe

O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:Program FilesUlead SystemsUlead Photo Express 3.0 SECalCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:windowsGoogleToolbar_en_2.0.108-big.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:windowsGoogleToolbar_en_2.0.108-big.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:windowsGoogleToolbar_en_2.0.108-big.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:windowsGoogleToolbar_en_2.0.108-big.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:windowsGoogleToolbar_en_2.0.108-big.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19b058372c22e80ba205/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/hou...all/Xscan53.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/...bcontrol012.cab

O17 - HKLMSystemCCSServicesTcpip..{D255BE7B-6309-4E50-8890-D1C6F206B7A4}: NameServer = 213.1.119.100 213.1.119.99

[Newt]

David C - I will try to figure out what went wrong with your windowsbbs.com account and get it activated. Same as you are using here?

 

Most likely the email addy you used didn't work but I'll get the account activated for you.

 

Meanwhile I'll post a copy of the hijackthis log on there for you. I see a couple of things I don't like very much but I am not an expert and some on there are.

 

For instance, this one seems to be dropped on your PC when you install most newer HP printers. I think it may be for their update routine but it is spyware and the do not ask. I removed it from my PC and no problems.

 

O4 - HKCU..Run: [LDM] C:Program FilesDesktop Messenger8876480ProgramBackWeb-8876480.exe

 

At any rate, your log is posted to This thread so you can follow along with their suggestions.

[David C]

Thanks Newt, much appreciated.

[Newt]

Your account was auto-inactivated after a year of no logins. It is still there but flagged as inactive. The software is set to do this.

 

Email webmaster@windowsbbs.com for re-activation. Include your email address along with the account name.

[David C]

OK. Newt, sent the email. The site seems to be down at the minute, I'll try again later or tomorrow.

 

PS. My apologies Ken for hijacking your post!!!