Broadband Tech > Security > Security > browser jacked can't fix it

browser jacked can't fix it

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com
 */isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.c
 *om/?said=114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.c
 *om/?said=114
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com
 */isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.micros
 *oft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINBLOWS\SYSTEM\blank.
 *htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acro
 *bat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINBLOWS\System32\MTC.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINBLOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: Win32 Classes -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://dow
 *nload.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messe
 *nger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/
 *IA/nethv32_EN_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://me
 *ssenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://downlo
 *ad.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

(*) WARNING 12 long line(s) split

I'm going to move this to the Security Forum, but you will be asked to go through the steps outlined in this FAQ first so you might as well get started....»Security »I think my computer is infected or hijacked. What should I do?

Good luck to you.
--
I do know everything, just not all at once. It's a virtual memory problem.

reply to Solid_Snake
Move to security forum...

»Security

reply to Solid_Snake
Welcome to the Security Forum SolidSnake.

I see they've already got you started on "I think my computer is infected or hijacked. What should I do?"

As you work through it there will be a point where you post your results from scans so far.

When you get there we'll be ready to help.
--
(Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC)

reply to Solid_Snake
anti vir found a BDS/ServU-Based... how can i remove this have found little info on the net. other than its a backdoor trojan

Log Listing for Solid_Snake

Logfile of HijackThis v1.97.7
Scan saved at 9:32:14 PM, on 9/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINBLOWS\System32\smss.exe
C:\WINBLOWS\system32\winlogon.exe
C:\WINBLOWS\system32\services.exe
C:\WINBLOWS\system32\lsass.exe
C:\WINBLOWS\system32\svchost.exe
C:\WINBLOWS\System32\svchost.exe
C:\WINBLOWS\system32\spoolsv.exe
C:\WINBLOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINBLOWS\System32\nvsvc32.exe
C:\WINBLOWS\System32\svchost.exe
C:\WINBLOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINBLOWS\system32\LEXBCES.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\SNAKE\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.makemesearch.com/?said=114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.makemesearch.com/?said=114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINBLOWS\SYSTEM\blank.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINBLOWS\System32\MTC.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINBLOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: Win32 Classes -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···8578.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - »akamai.downloadv3.com/binaries/I···N_XP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···8578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab
--
Write your questions down on the back of a $20 dollar bill and send them to me

reply to Solid_Snake
First off, you have an older version of HijackThis.

Simply delete your old version of HijackThis and download the new version from this link.
»computercops.biz/zx/Merijn/hijackthis.zip

or here:
»www.majorgeeks.com/download3155.html
................
Next, why do you not have at least SP1 on your XP or IE? With out the windows critical security updates you are a sitting duck for future infections.

In fact, SP2 is now available. You really urgently need to update your operating system and your IE browser.
»v5.windowsupdate.microsoft.com/e···ault.asp
......................
Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.makemesearch.com/?said=114

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.makemesearch.com/?said=114

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINBLOWS\SYSTEM\blank.htm

O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINBLOWS\System32\MTC.dll

O16 - DPF: Win32 Classes -

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - »akamai.downloadv3.com/binaries/
*IA/nethv32_EN_XP.cab
.................
Reboot your PC.

Scan once more with the new version of HJT (1.98.2) and post a fresh log please.
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/

reply to Solid_Snake
Logfile of HijackThis v1.98.2
Scan saved at 10:48:55 AM, on 9/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINBLOWS\System32\smss.exe
C:\WINBLOWS\system32\winlogon.exe
C:\WINBLOWS\system32\services.exe
C:\WINBLOWS\system32\lsass.exe
C:\WINBLOWS\system32\svchost.exe
C:\WINBLOWS\System32\svchost.exe
C:\WINBLOWS\system32\spoolsv.exe
C:\WINBLOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINBLOWS\System32\nvsvc32.exe
C:\WINBLOWS\System32\svchost.exe
C:\WINBLOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINBLOWS\system32\LEXBCES.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\SNAKE\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.ebay.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINBLOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···8578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···8578.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab

what you suggest seemed to work thanks guys

btw why do i have multiple "C:\WINBLOWS\System32\svchost.exe
" running?
--
Why Am I Fighting To Live,
If Im Just Living To Fight.
Why Am I Trying To See,
When There Aint Nothing In Sight.
Why Am I Trying To Give,
When No One Gives Me A Try.
Why Am I Dying To Live,
When Im Just Living To Die

reply to Solid_Snake
Multiple instances of svchost running is normal. Here is a detailed explanation

Description of Svchost.exe in Windows XP
»www.mvps.org/sramesh2k/svchost.htm

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
»support.microsoft.com/default.as···s;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help .
»Security »How do I prevent browser hijacks and spyware?

None of the above is going to help much though if you don't get the Windows Updates. You have an open door for worms and other malware by running that PC with an unpatched OS and IE. Those are the exploits the bad boys like to use these days.
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/

reply to Solid_Snake
Solid_Snake:

What is actually causing this are these 3 keys-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.makemesearch.com/?said=114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.makemesearch.com/?said=114
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINBLOWS\System32\MTC.dll

You need to REMOVE the MTC.dll file from your /system32 directory. Also look for an MTC.ini file; remove if found.
Even with the latest signature updates Ad-Aware and Spybot
"will not" detect this. Ad-Watch will see the attempt to modify the registry and when you click to block it, Ad Watch
will for some reason ALLOW the registry mod....your hijack
can can happen with either IE or Firefox...If you were browsing with firefox this sneaky hijack will alter your IE;
not firefox...in other words it's seeking IE as a target.
After you have successfully cleaned your system rerun Hijack
to confirm....good luck.

reply to Solid_Snake
got another one... sorry guys

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = »www.ebay.com/
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINBLOWS\localNRD.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINBLOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nuhtbtr] C:\WINBLOWS\System32\hfhkkqs.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [px] C:\WINBLOWS\System32\px.exe
O4 - HKCU\..\Run: [win87em] C:\WINBLOWS\System32\win87em.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···8578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···8578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab
--
Why Am I Fighting To Live,If Im Just Living To Fight.Why Am I Trying To See,When There Aint Nothing In Sight.Why Am I Trying To Give, When No One Gives Me A Try.Why Am I Dying To Live, When Im Just Living To Die

That's only half the log. We need the whole thing. It begins with this part:

Logfile of HijackThis v1.97.7
Scan saved at 6:55:28 PM, on 9/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Also, have you gotten those service packs and critical security updates installed yet? Otherwise, as I said, this will be an ongoing occurence for you
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/

reply to Solid_Snake

hijackthis.zip 1,398 bytes (hijackthis.log)

reply to Solid_Snake
Here is Solid__Snakes HJT file unzipped.
edit: removed due to being wrong version of log.
--
Computer got a lot of idle cycles? Put them to work! Join Team Discovery!

reply to Solid_Snake

said by Solid_Snake:

---

here is whole thing

---

reply to Solid_Snake

said by Solid_Snake:

---

Logfile of HijackThis v1.97.7
Scan saved at 10:04:31 PM, on 9/6/2004
Platform: Windows XP (WinNT 5.01.2600)---Note: NO SP1 or SP2
MSIE: Internet Explorer v6.00 (6.00.2600.0000)---Note: NO SP1 or SP2

---

said by CalalmityJane:

---

02 Sep 2004

Next, why do you not have at least SP1 on your XP or IE? With out the windows critical security updates you are a sitting duck for future infections.

In fact, SP2 is now available. You really urgently need to update your operating system and your IE browser.
»v5.windowsupdate.microsoft.com/e···ault.asp
.............................
None of the above is going to help much though if you don't get the Windows Updates. You have an open door for worms and other malware by running that PC with an unpatched OS and IE. Those are the exploits the bad boys like to use these days.
..........................
06 Sept 2004
Also, have you gotten those service packs and critical security updates installed yet? Otherwise, as I said, this will be an ongoing occurence for you
-

---

reply to Solid_Snake
ok i didn't have updates before... you guys helped me

i accidentally went to a wrong link and i got this crap. now i go to about 10 different sites on the internet. 2 mishaps. if i go to the same 10 sites for the last 2 years without updates.. why do i need them now. don't really see need for updates for these 10 sites but whatever--
Why Am I Fighting To Live,
If Im Just Living To Fight.
Why Am I Trying To See,
When There Aint Nothing In Sight.
Why Am I Trying To Give,
When No One Gives Me A Try.
Why Am I Dying To Live,
When Im Just Living To Die

reply to Solid_Snake

hijack.zip 1,314 bytes

No, it's not. You have a leaky boat, you need to fix it

quote:

---

Logfile of HijackThis v1.98.2
Scan saved at 5:25:45 PM, on 9/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

---