0

Hey Guys, I got hijacked also the other day. I have been trying to fix it, but it still keeps coming up in IE with 'Top Search' when I try to search for something in the location bar. I downloaded all the apps mentioned, but still it shows that page. It hides under this web address 'http://search.msn.com/'. Following is the log from HJT.

I was wondering, if someone can make this and hijack it to go to their desired 'home' page and reset the search page to what ever, why then, hasn't anyone made a hijack that will reset it to IE's default and all we would have to do is DL that hijack?

Anyhow, any help is much appreciated.

HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 6:00:01 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Card Reader\shwicon.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Apacer USB Device\shwicon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Onscreen Display\osd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\hppapml0.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim Jolley\Local Settings\Temp\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bcfas.org/
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.bcfas.org"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\lmwfnvrf.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\lmwfnvrf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Program Files\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ShowIcon_Apacer Technology Inc._Apacer USB Device v1.16e012] "C:\Program Files\Apacer USB Device\shwicon.exe" -t"Apacer Technology Inc.\Apacer USB Device v1.16e012"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Shortcut to osd.lnk = C:\Program Files\Onscreen Display\osd.exe
O4 - Startup: Shortcut to PHONES.EXE.lnk = C:\Program Files\PHONES\PHONES.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37938.5929398148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


Thanks

Jolleyboy

4
Contributors
11
Replies
12
Views
13 Years
Discussion Span
Last Post by jolleyboy
0

Nothing showing in your log except messenger plus. Uninstall it as it comes with Lop, nasty little critter.

Download & instal Adaware from http://majorgeeks.com/download.php?det=506
& update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
Remove what it finds by placing a check in the box to the left of the object.
Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it B4 scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it.

0

Nothing showing in your log except messenger plus. Uninstall it as it comes with Lop, nasty little critter.

Messenger Plus can be installed without the spyware. Just select custom install, and don't agree to the Spyware's License Agreement ;-). Messenger Plus rules :!:

0

These might be legit, but look a little suspicious:

O4 - Startup: Shortcut to osd.lnk = C:\Program Files\Onscreen Display\osd.exe
O4 - Startup: Shortcut to PHONES.EXE.lnk = C:\Program Files\PHONES\PHONES.EXE

0

OSD, is my on screen display for my HP keyboard, and PHONES is an old adress book proggie that I still use, both of these are legit :) Thanks for pointing them out though.

When it comes to Spybot, AddAware, SpyBlaster, Spyguard and HijackThis, I have all of those installed, and none of them found anything out of the ordinary. I am completly stomped on this one. I have gone through the registry and checked out everything. Even went as far as copying the IE registry entries, from a clean system and importing them on my own. Everything copied fine, EXCEPT, for the search page. Is there anyway there could be another setting, or registry key, that could partain to this problem?

0

Also, verify your proxy settings. I've seen some nasty spyware that runs a proxy and gives ya the wrong pages ;-).

What happens when you go to http://search.msn.com/? At the command prompt, trying pinnging search.msn.com (by typing: ping search.msn.com). Compare them to my results, lets see if your getting the *real* site or not.

ping search.msn.com
 
Pinging a134.x.akamai.net [209.66.98.105] with 32 bytes of data:
Reply from 209.66.98.105: bytes=32 time=14ms TTL=54
Reply from 209.66.98.105: bytes=32 time=9ms TTL=54
Reply from 209.66.98.105: bytes=32 time=9ms TTL=54
Reply from 209.66.98.105: bytes=32 time=21ms TTL=54
 
Ping statistics for 209.66.98.105:
	Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
	Minimum = 9ms, Maximum = 21ms, Average = 13ms
0

Is there any way there could be another setting, or registry key, that could pertain to this problem?

Yes. You may also have a problem with your Hosts file. See http://www.mvps.org/winhelp2002/hosts.htm for information on where to find it and what to do with it, including using it to block ad cookies.

I would also manually clean out your Temporary Internet Files, as well. See Microsoft's Really Hidden Files for more on this issue (warning: potentially offensive site-name and email address).

0

That's also worth a shot, but I'm pretty sure HJT would list anything in the hosts file (other than localhost), I've seen it do that before.

0

That's also worth a shot, but I'm pretty sure HJT would list anything in the hosts file (other than localhost), I've seen it do that before.

Thanks for reminding me. You're right, but the linked page does have some good tips. Just trying to cover all bases, I guess.

0

Okay, pinged search.msn.com and guess what, I got a totally different IP:

Pinging search.msn.com [64.72.98.250] with 32 bytes of data:
Reply from 64.72.98.250: bytes=32 time=27ms TTL=240
Reply from 64.72.98.250: bytes=32 time=46ms TTL=240
Reply from 64.72.98.250: bytes=32 time=26ms TTL=240
Reply from 64.72.98.250: bytes=32 time=26ms TTL=240
Ping statistics for 64.72.98.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 46ms, Average = 31ms


So, what to do know. Also, I found out that it appearantly has effected the other computers on my network also. I have all the latest virus defs and installed all the spyware and bot detectors on all computers, before this had started, and none of them seem to have noticed that this has occurred. This is getting pretty serious.
Below is a screenshot of what my IE looks like today when I do a search from the address bar. I wished I had made a screenshot last week when it was showing a different page.

0

Oh, and yes I did try the system restore, but it didn't change anything.

Tallcool 1, thanks for that tip, I did downoad and install that host file.
Tekmaven, Sorry, forgot to mention, that yes I have XP, with SP1 and all the latest updates too.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.