Browser Hijack!! in Security http://www.dslreports.com/forum/r8400055 en Mon, 09 Nov 2009 15:10:37 EDT Mon, 09 Nov 2009 15:10:37 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8412084 Paul928 : Thanks for the help Zupe. I will run another scan on the system with the Symantec QHosts removal tool. When i did it the first time, it said that "there was no instance found of the Qhosts Trojan" Or something to that effect. I'll try running it again tonight and see what happens. You said to delete the files in that list with Hijack This tool, but one in particular that I know I need is
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
This is for a radio plug-in that I listen to, but the other entries that you recommended deleting seem okay I guess.....Thanks for the help, and I'll post again later when I get home......Thank You!!
[text was edited by author 2003-11-04 12:52:00]
]]> http://www.dslreports.com/forum/remark,8412084 Tue, 04 Nov 2003 12:51:08 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8403576 Zupe :
said by Paul928 See Profile:
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···d35.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38

O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38

O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
All of these should still be removed.

First, please re-rerun the Symantec QHosts removal tool, as to my knowledge it should get rid of those 017 entries.

Next, go to start->run and type

regsvr32 /u C:\WINDOWS\ieasst.dll

Then, in Hijack This, check off all of the above, hit "Fix Checked" and reboot, then rescan and post another log.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 16:18:45]]]> http://www.dslreports.com/forum/remark,8403576 Mon, 03 Nov 2003 16:15:47 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8403231 anon : try downloading adaware6 it really helps for getting rid of browser hijacks
]]> http://www.dslreports.com/forum/remark,8403231 Mon, 03 Nov 2003 15:42:29 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8403170 Paul928 : Logfile of HijackThis v1.97.3
Scan saved at 3:32:55 PM, on 11/3/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\My Music\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »rd.yahoo.com/customize/ymsgr/def···ahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - »office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - »thesims.ea.com/teleport/hotdate/···eleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - »aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/254e0d9dc812f8d037···E601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - »thesims.ea.com/teleport/supersta···eleX.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »us.dl1.yimg.com/download.yahoo.c···mapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - »download.abacast.com/download/fi···etup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38

This is my latest scan after doing what I was advised...does it look okay now?....thanks]]> http://www.dslreports.com/forum/remark,8403170 Mon, 03 Nov 2003 15:35:39 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8402477 Zupe :
said by Paul928 See Profile:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »tooncomics.com/main/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »tooncomics.com/main/sp.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···n_id=18

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = »www.fastwebfinder.com/hp.php

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)

O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.akadns.net
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 google.com
O1 - Hosts: 207.44.220.30 www.altavista.com
O1 - Hosts: 207.44.220.30 altavista.com
O1 - Hosts: 207.44.220.30 search.yahoo.com
O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
O1 - Hosts: 207.44.220.30 au.search.yahoo.com
O1 - Hosts: 207.44.220.30 de.search.yahoo.com
O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
O1 - Hosts: 207.44.220.30 www.lycos.de
O1 - Hosts: 207.44.220.30 www.lycos.ca
O1 - Hosts: 207.44.220.30 www.lycos.jp
O1 - Hosts: 207.44.220.30 www.lycos.co.jp
O1 - Hosts: 207.44.220.30 alltheweb.com
O1 - Hosts: 207.44.220.30 web.ask.com
O1 - Hosts: 207.44.220.30 ask.com
O1 - Hosts: 207.44.220.30 www.ask.com
O1 - Hosts: 207.44.220.30 www.teoma.com
O1 - Hosts: 207.44.220.30 search.aol.com
O1 - Hosts: 207.44.220.30 www.looksmart.com
O1 - Hosts: 207.44.220.30 auto.search.msn.com
O1 - Hosts: 207.44.220.30 search.msn.com
O1 - Hosts: 207.44.220.30 ca.search.msn.com
O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
O1 - Hosts: 207.44.220.30 search.fr.msn.be
O1 - Hosts: 207.44.220.30 search.fr.msn.ch
O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
O1 - Hosts: 207.44.220.30 search.msn.at
O1 - Hosts: 207.44.220.30 search.msn.be
O1 - Hosts: 207.44.220.30 search.msn.ch
O1 - Hosts: 207.44.220.30 search.msn.co.in
O1 - Hosts: 207.44.220.30 search.msn.co.jp
O1 - Hosts: 207.44.220.30 search.msn.co.kr
O1 - Hosts: 207.44.220.30 search.msn.com.br
O1 - Hosts: 207.44.220.30 search.msn.com.hk
O1 - Hosts: 207.44.220.30 search.msn.com.my
O1 - Hosts: 207.44.220.30 search.msn.com.sg
O1 - Hosts: 207.44.220.30 search.msn.com.tw
O1 - Hosts: 207.44.220.30 search.msn.co.za
O1 - Hosts: 207.44.220.30 search.msn.de
O1 - Hosts: 207.44.220.30 search.msn.dk
O1 - Hosts: 207.44.220.30 search.msn.es
O1 - Hosts: 207.44.220.30 search.msn.fi
O1 - Hosts: 207.44.220.30 search.msn.fr
O1 - Hosts: 207.44.220.30 search.msn.it
O1 - Hosts: 207.44.220.30 search.msn.nl
O1 - Hosts: 207.44.220.30 search.msn.no
O1 - Hosts: 207.44.220.30 search.msn.se
O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
O1 - Hosts: 207.44.220.30 search.yupimsn.com
O1 - Hosts: 207.44.220.30 uk.search.msn.com
O1 - Hosts: 207.44.220.30 search.lycos.com
O1 - Hosts: 207.44.220.30 www.lycos.com
O1 - Hosts: 207.44.220.30 www.google.ca
O1 - Hosts: 207.44.220.30 google.ca
O1 - Hosts: 207.44.220.30 www.google.uk
O1 - Hosts: 207.44.220.30 www.google.co.uk
O1 - Hosts: 207.44.220.30 www.google.com.au
O1 - Hosts: 207.44.220.30 www.google.co.jp
O1 - Hosts: 207.44.220.30 www.google.jp
O1 - Hosts: 207.44.220.30 www.google.at
O1 - Hosts: 207.44.220.30 www.google.be
O1 - Hosts: 207.44.220.30 www.google.ch
O1 - Hosts: 207.44.220.30 www.google.de
O1 - Hosts: 207.44.220.30 www.google.se
O1 - Hosts: 207.44.220.30 www.google.dk
O1 - Hosts: 207.44.220.30 www.google.fi
O1 - Hosts: 207.44.220.30 www.google.fr
O1 - Hosts: 207.44.220.30 www.google.com.gr
O1 - Hosts: 207.44.220.30 www.google.com.hk
O1 - Hosts: 207.44.220.30 www.google.ie
O1 - Hosts: 207.44.220.30 www.google.co.il
O1 - Hosts: 207.44.220.30 www.google.it
O1 - Hosts: 207.44.220.30 www.google.co.kr
O1 - Hosts: 207.44.220.30 www.google.com.mx
O1 - Hosts: 207.44.220.30 www.google.nl
O1 - Hosts: 207.44.220.30 www.google.co.nz
O1 - Hosts: 207.44.220.30 www.google.pl
O1 - Hosts: 207.44.220.30 www.google.pt
O1 - Hosts: 207.44.220.30 www.google.com.ru
O1 - Hosts: 207.44.220.30 www.google.com.sg
O1 - Hosts: 207.44.220.30 www.google.co.th
O1 - Hosts: 207.44.220.30 www.google.com.tr
O1 - Hosts: 207.44.220.30 www.google.com.tw
O1 - Hosts: 207.44.220.30 go.google.com
O1 - Hosts: 207.44.220.30 google.at
O1 - Hosts: 207.44.220.30 google.be
O1 - Hosts: 207.44.220.30 google.de
O1 - Hosts: 207.44.220.30 google.dk
O1 - Hosts: 207.44.220.30 google.fi
O1 - Hosts: 207.44.220.30 google.fr
O1 - Hosts: 207.44.220.30 google.com.hk
O1 - Hosts: 207.44.220.30 google.ie
O1 - Hosts: 207.44.220.30 google.co.il
O1 - Hosts: 207.44.220.30 google.it

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···d35.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38

O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38

O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38

O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
You've got a whole bunch of spyware here, including Coolwebsearch, the QHosts trojan, and a newer one called seek-seek. This will take a few steps to get rid of:

1) Download and run CWShredder from here: »www.spywareinfo.com/~merijn/cwsc···les.html (Direct Download: »www.spywareinfo.com/~merijn/file···dder.zip )

2) Download and run the QHosts removal tool from Symantec here: »securityresponse.symantec.com/av···ool.html (Direct Download: »www.symantec.com/avcenter/FixQhost.exe )

3) Go to the C:\Windows\Help directory and delete the file called "Hosts" there, then, as pieter arntz See Profile suggested above, copy and paste this into notepad, save as restorehostspath.reg, doubleclick it and confirm that you want to merge it with the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00

4) Hit Ctrl-Alt-Del, highlight slmss.exe and hit "end Process". Do the same for mwsvm.exe

5) With all browswer windows closed, re-scan with Hijack This and put a check next to any of the items I listed above that still remain, then click "Fix Checked", Reboot and rescan with Hijack This and post your log again

6) Wait for someone to look over your log. Assuming it's clean, you can then delete the following:

C:\WINDOWS\mwsvm.exe
C:\Program Files\Common Files\slmss\slmss.exe (possibly the whole slmss directory)
C:\WINDOWS\ieasst.dll
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 14:21:41]]]> http://www.dslreports.com/forum/remark,8402477 Mon, 03 Nov 2003 14:05:57 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8402466 John2g :
said by Paul928 See Profile:
Thanks for the help people. What I did was actually delete the whole host file,re-booted and everything was cool....thanks for all the help


It might pay you to read this: »securityresponse.symantec.com/av···sts.html
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,8402466 Mon, 03 Nov 2003 14:04:32 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8402168 Nam Vet : I am going to defer here to someone more knowledgeable.
but look at you host file path (it's wrong)
and all the url's in the hosts file redirect you to 207.44.220.30
which is "ns1.sitething.net"

[text was edited by author 2003-11-03 13:25:36]
]]> http://www.dslreports.com/forum/remark,8402168 Mon, 03 Nov 2003 13:22:56 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8402141 Paul928 : Thanks for the help people. What I did was actually delete the whole host file,re-booted and everything was cool....thanks for all the help]]> http://www.dslreports.com/forum/remark,8402141 Mon, 03 Nov 2003 13:19:28 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8402060 Paul928 : Here is my log file from Hijackthis...kind of a long one.

Logfile of HijackThis v1.97.3
Scan saved at 1:04:31 PM, on 11/3/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Music\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »tooncomics.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »rd.yahoo.com/customize/ymsgr/def···ahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »www.seekseek.com/quicksearch.asp···on_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = »www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = »out.true-counter.com/b/?101 (obfuscated)
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.akadns.net
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 google.com
O1 - Hosts: 207.44.220.30 www.altavista.com
O1 - Hosts: 207.44.220.30 altavista.com
O1 - Hosts: 207.44.220.30 search.yahoo.com
O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
O1 - Hosts: 207.44.220.30 au.search.yahoo.com
O1 - Hosts: 207.44.220.30 de.search.yahoo.com
O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
O1 - Hosts: 207.44.220.30 www.lycos.de
O1 - Hosts: 207.44.220.30 www.lycos.ca
O1 - Hosts: 207.44.220.30 www.lycos.jp
O1 - Hosts: 207.44.220.30 www.lycos.co.jp
O1 - Hosts: 207.44.220.30 alltheweb.com
O1 - Hosts: 207.44.220.30 web.ask.com
O1 - Hosts: 207.44.220.30 ask.com
O1 - Hosts: 207.44.220.30 www.ask.com
O1 - Hosts: 207.44.220.30 www.teoma.com
O1 - Hosts: 207.44.220.30 search.aol.com
O1 - Hosts: 207.44.220.30 www.looksmart.com
O1 - Hosts: 207.44.220.30 auto.search.msn.com
O1 - Hosts: 207.44.220.30 search.msn.com
O1 - Hosts: 207.44.220.30 ca.search.msn.com
O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
O1 - Hosts: 207.44.220.30 search.fr.msn.be
O1 - Hosts: 207.44.220.30 search.fr.msn.ch
O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
O1 - Hosts: 207.44.220.30 search.msn.at
O1 - Hosts: 207.44.220.30 search.msn.be
O1 - Hosts: 207.44.220.30 search.msn.ch
O1 - Hosts: 207.44.220.30 search.msn.co.in
O1 - Hosts: 207.44.220.30 search.msn.co.jp
O1 - Hosts: 207.44.220.30 search.msn.co.kr
O1 - Hosts: 207.44.220.30 search.msn.com.br
O1 - Hosts: 207.44.220.30 search.msn.com.hk
O1 - Hosts: 207.44.220.30 search.msn.com.my
O1 - Hosts: 207.44.220.30 search.msn.com.sg
O1 - Hosts: 207.44.220.30 search.msn.com.tw
O1 - Hosts: 207.44.220.30 search.msn.co.za
O1 - Hosts: 207.44.220.30 search.msn.de
O1 - Hosts: 207.44.220.30 search.msn.dk
O1 - Hosts: 207.44.220.30 search.msn.es
O1 - Hosts: 207.44.220.30 search.msn.fi
O1 - Hosts: 207.44.220.30 search.msn.fr
O1 - Hosts: 207.44.220.30 search.msn.it
O1 - Hosts: 207.44.220.30 search.msn.nl
O1 - Hosts: 207.44.220.30 search.msn.no
O1 - Hosts: 207.44.220.30 search.msn.se
O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
O1 - Hosts: 207.44.220.30 search.yupimsn.com
O1 - Hosts: 207.44.220.30 uk.search.msn.com
O1 - Hosts: 207.44.220.30 search.lycos.com
O1 - Hosts: 207.44.220.30 www.lycos.com
O1 - Hosts: 207.44.220.30 www.google.ca
O1 - Hosts: 207.44.220.30 google.ca
O1 - Hosts: 207.44.220.30 www.google.uk
O1 - Hosts: 207.44.220.30 www.google.co.uk
O1 - Hosts: 207.44.220.30 www.google.com.au
O1 - Hosts: 207.44.220.30 www.google.co.jp
O1 - Hosts: 207.44.220.30 www.google.jp
O1 - Hosts: 207.44.220.30 www.google.at
O1 - Hosts: 207.44.220.30 www.google.be
O1 - Hosts: 207.44.220.30 www.google.ch
O1 - Hosts: 207.44.220.30 www.google.de
O1 - Hosts: 207.44.220.30 www.google.se
O1 - Hosts: 207.44.220.30 www.google.dk
O1 - Hosts: 207.44.220.30 www.google.fi
O1 - Hosts: 207.44.220.30 www.google.fr
O1 - Hosts: 207.44.220.30 www.google.com.gr
O1 - Hosts: 207.44.220.30 www.google.com.hk
O1 - Hosts: 207.44.220.30 www.google.ie
O1 - Hosts: 207.44.220.30 www.google.co.il
O1 - Hosts: 207.44.220.30 www.google.it
O1 - Hosts: 207.44.220.30 www.google.co.kr
O1 - Hosts: 207.44.220.30 www.google.com.mx
O1 - Hosts: 207.44.220.30 www.google.nl
O1 - Hosts: 207.44.220.30 www.google.co.nz
O1 - Hosts: 207.44.220.30 www.google.pl
O1 - Hosts: 207.44.220.30 www.google.pt
O1 - Hosts: 207.44.220.30 www.google.com.ru
O1 - Hosts: 207.44.220.30 www.google.com.sg
O1 - Hosts: 207.44.220.30 www.google.co.th
O1 - Hosts: 207.44.220.30 www.google.com.tr
O1 - Hosts: 207.44.220.30 www.google.com.tw
O1 - Hosts: 207.44.220.30 go.google.com
O1 - Hosts: 207.44.220.30 google.at
O1 - Hosts: 207.44.220.30 google.be
O1 - Hosts: 207.44.220.30 google.de
O1 - Hosts: 207.44.220.30 google.dk
O1 - Hosts: 207.44.220.30 google.fi
O1 - Hosts: 207.44.220.30 google.fr
O1 - Hosts: 207.44.220.30 google.com.hk
O1 - Hosts: 207.44.220.30 google.ie
O1 - Hosts: 207.44.220.30 google.co.il
O1 - Hosts: 207.44.220.30 google.it
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - »office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - »thesims.ea.com/teleport/hotdate/···eleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - »rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - »aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/254e0d9dc812f8d037···E601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - »thesims.ea.com/teleport/supersta···eleX.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - »cs6b.instantservice.com/jars/cus···ed35.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »us.dl1.yimg.com/download.yahoo.c···mapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - »download.abacast.com/download/fi···etup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33480BEB-FB8D-465D-AE4A-6BB4469C927C}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB061A3-A055-43A0-9B3B-2003FA486F41}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp]]> http://www.dslreports.com/forum/remark,8402060 Mon, 03 Nov 2003 13:07:13 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8401300 Reverend Ike :
It wouldn't hurt to post the HijackThis log. There could be other more subtle parasites present, or some housecleaning needed. I think the assumption here is Qhosts, but if it wasn't, it would be helpful to see what the various Search registry keys are pointing to. If a search option is hijacked to point at hijacksearchadware.com and that address is being blocked by the Hosts file (so the "cannot be displayed" screen would appear), the user wouldn't want to alter their Hosts file, but fix the registry keys instead ...

[text was edited by author 2003-11-03 11:22:36]
]]> http://www.dslreports.com/forum/remark,8401300 Mon, 03 Nov 2003 11:20:40 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8401275 pieter arntz : It was my understanding, that win9x computers were not vulnerable to the hosts location change, only NT based were.
Which might account for mistaking them for two different hijacks.
But I could well be lagging in this regard.
--
Metallica rulez]]> http://www.dslreports.com/forum/remark,8401275 Mon, 03 Nov 2003 11:16:18 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8401033 Zupe : I think there are actually two variants of the search engine hijack seen in connection with the QHosts trojan. The first just modifies the standard Hosts file, so all that needs to be done is to remove the entries. The second, which is what pieter arntz See Profile is referring to, actually changes the path that windows uses for the hosts file, and then places a hijacking hosts file in the C:\Windows\Help directory.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?
[text was edited by author 2003-11-03 10:37:42]
]]> http://www.dslreports.com/forum/remark,8401033 Mon, 03 Nov 2003 10:36:57 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8400845 pieter arntz : Not quite. Since he is using XP, Windows will be looking in the wrong location for the Hosts file.
Copy and paste the following into notepad, name it restorehostspath.reg, doubleclick it and confirm that you want to merge it with the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00

--
Metallica rulez]]> http://www.dslreports.com/forum/remark,8400845 Mon, 03 Nov 2003 10:08:29 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8400732 John2g : I agree with Nam Vet. He only has to edit his Hosts File.]]> http://www.dslreports.com/forum/remark,8400732 Mon, 03 Nov 2003 09:51:52 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8400289 RankAmateur : »mjc1.com/mirror/hjt/ Explains "HiJackThis" program and gives a link to download it. Post the log from that program back here for more help.]]> http://www.dslreports.com/forum/remark,8400289 Mon, 03 Nov 2003 08:31:38 EDT Re: Browser Hijack!! http://www.dslreports.com/forum/remark,8400254 Nam Vet : check your hosts file!!!!]]> http://www.dslreports.com/forum/remark,8400254 Mon, 03 Nov 2003 08:21:18 EDT Browser Hijack!! http://www.dslreports.com/forum/remark,8400055 Paul928 : Hoping someone here can help me, or lead me in the right direction. I had my browser hijacked, where I couldn't change my homepage. It was like some search engine hijack, and I don't remember the name of it, but I ran Spy Bot, and it detected the hijack files, and I got rid of them. I now have my homepage back normally, but I still can't use any search engines (Yahoo, Google) Every time I go to use the search engines I get "page can't be displayed" BTW this was using IE 6 and Windows XP pro. I downloaded Mozilla, and tried using the search engines using that, with the same results. I think there has to be a system file or registry entry that is duped. I don't remember the name of the hijack, so that's my problem...I can't look for registry entries referring to it.....can anyone make any suggestions?]]> http://www.dslreports.com/forum/remark,8400055 Mon, 03 Nov 2003 07:27:24 EDT