Viruses, Spyware and...

Hijacked

Thread Solved

•

Join Date: Mar 2004

Posts: 2

Reputation: alan is an unknown quantity at this point

Solved Threads: 0

alan

Offline

Newbie Poster

Hijacked

Mar 26th, 2004

When I boot up,I get this as my default page in Internet Options:
http://%76%70%75%7A%65%65%2E%74%2E%6...0?%61%69%64=35

The page eventually loads as :
http://th.msie.cc/index.php?aid=20035

On running hijack this,the file looks as follows:

Logfile of HijackThis v1.97.7

Scan saved at 22:04:29, on 26/03/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\GSICON.EXE

C:\WINDOWS\SYSTEM\DSLAGENT.EXE

C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vpuzee.t.muxa.cc/h.php?aid=35 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.255.207.252:8080

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://vpuzee.t.muxa.cc/h.php?aid=35 (obfuscated)

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder

O4 - HKLM\..\Run: [sys] regedit -s sys.reg

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [Evidence Eliminator] C:\PROGRAM FILES\EVIDENCE ELIMINATOR\ee.exe /m

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe

O8 - Extra context menu item: Download with Go!Zilla - file://C:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html

O8 - Extra context menu item: Web Search - c:\windows\ex.htm

O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

Can you help,please,it's driving me nuts

)

Many thanks to you all for a great forum.

•

Join Date: Mar 2004

Posts: 219

Reputation: BountyX is an unknown quantity at this point

Solved Threads: 8

BountyX

Offline

Code Guru

Re: Hijacked

Mar 26th, 2004

it sounds like somobody or something has edited your system's HOSTS file to redirect your defualt page (homepage right?) or a specific url to another website.

go to C:\WINDOWS\system32\drivers\etc and open up the file called HOSTS in notepad. All you should see is a comment header and a single line with 127.0.0.1 localhost incase it dosn't, erase everything and enter the line below into your HOSTS file and save.

clean hosts file for you:

Help with Code Tags

(Toggle Plain Text)

 127.0.0.1 localhost

A Hacker's Mind:
"I thought what I'd do was, I'd pretend I was one of those deaf-mutes..." - J.D.Salinger

•

Join Date: Feb 2004

Posts: 10,096

Reputation: crunchie is a splendid one to behold

Solved Threads: 766

crunchie

Offline

Spyware Killer

Re: Hijacked

Mar 27th, 2004

Have only HJT running & fix these entries=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vpuzee.t.muxa.cc/h.php?aid=35 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vpuzee.t.muxa.cc/s.php?aid=35 (obfuscated)
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster