Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: Homepage hijacked

  1. #1
    Junior Member
    Join Date
    Jul 2004
    Posts
    14

    Unhappy Homepage hijacked

    something changed my homepage to
    res://gwcya.dll/index.html#27063

    i tried changing it in my internet options and it keeps going back to that.
    i've used spybot and adaware and nothings found it.

    does anyone know what i should do now?
    the new crap search engine website always has this pop up that says SPYWARE DETECTED
    and im like WELL DUH YOU PUT IT THERE

    anyway if anyone could help me figure out how to change it back any help is appreciated

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, that surprises me that spybot and adaware hasn't found it. Those are two of the three (IMO) leading spyware detection/removal tool's. Anyways, search google for hijackthis and do a scan. Then come back and post your hijackthis logs. I as well as a certain groovicus could be able to help you out possibly.
    Space For Rent.. =]

  3. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    That's the new CWS(don't run CWS shredder, it will mask the symptoms)...currently, nothing but manual removal fixes it.

    'Hijack This!'.
    Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

    Then post your log as a hidden post, and someone will get a chance to look at it.

  4. #4
    Junior Member
    Join Date
    Jul 2004
    Posts
    14
    yeah damnit i ran that cwshredder thing. so i guess that was a load of crap then?
    alright ill try that hijackthis thing

  5. #5
    Junior Member
    Join Date
    Jul 2004
    Posts
    14
    ok i got my scan log. how do i post it as a hidden post?

  6. #6
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Simply put your log in here like you normally would, then put a checkmark in the "Hide this post" box on the lower left side of the "Add reply" screen, under options.

  7. #7
    Junior Member
    Join Date
    Jul 2004
    Posts
    14
    Logfile of HijackThis v1.98.0
    Scan saved at 1:15:20 PM, on 7/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\sdkvm32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\jxnfed.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\sysud.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\CleanCache 2.0\CleanCache.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloaded Programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = no
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwcya.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gwcya.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwcya.dll/index.html#27063
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {29DA78D1-B9B4-67A0-5BB2-59403A46FD87} - C:\WINDOWS\atldq32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [cvwcfiebhydgk] C:\WINDOWS\System32\jxnfed.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sysud.exe] C:\WINDOWS\sysud.exe
    O4 - HKLM\..\RunOnce: [sdkvm32.exe] C:\WINDOWS\system32\sdkvm32.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...6/sdcregie.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23ea10ff...p/RdxIE601.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Verify that your Adaware definitons are up to date first. Click on the globe with the spyglass in the upper right corner, and let it do it's thing. Also, print out this entire thread for reference.

    Please do not open Internet Explorer during any portion of this process. Please print out the directions listed below. If you open IE during any part of this process, all the file names will morph, and we will have to start over.

    Please also make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Step 1:


    Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on the that service and click stop and then set the service to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

    Step 2:

    Press control-alt-delete to get into the task manager and end the follow processes if they exist:

    The name of the file from the service above
    C:\WINDOWS\system32\sdkvm32.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\System32\jxnfed.exe
    gwcya.dll
    C:\WINDOWS\atldq32.dll


    Step 3:
    I now need you to delete the following files:

    The name of the file from the service above
    C:\WINDOWS\system32\sdkvm32.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\System32\jxnfed.exe
    gwcya.dll
    C:\WINDOWS\atldq32.dll


    Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other. If you are using explorer to search for these files, make sure that you check the option to search hidden files and folders, otherwise you won't find them. If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

    Step 4:
    Then run hijackthis and fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = no
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwcya.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gwcya.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwcya.dll/sp.html#27063
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwcya.dll/index.html#27063
    O2 - BHO: (no name) - {29DA78D1-B9B4-67A0-5BB2-59403A46FD87} - C:\WINDOWS\atldq32.dll
    O4 - HKLM\..\Run: [cvwcfiebhydgk] C:\WINDOWS\System32\jxnfed.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23ea10f...ip/RdxIE601.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802

    Step 5:

    In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 but may be called something differently on your computer.

    Go to Start>Run and type regedit.

    Press enter.

    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

    If __NS_Service_3 exists , right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

    If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


    Step 6:

    Restore files deleted by this malware.

    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

    • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.


    Boot into SAFE MODE by tapping the f8 key during boot up.
    Run Adaware with the following options:

    In Ad-aware click the Gear Icon at the top of the screen.

    The following items should be on a green check, not on a red X.

    Under the Scanning button:

    Scan within archives

    Under Memory & Registry, Check EVERYTHING

    In Check Drives & Folders, make sure all of your hard drives are selected

    Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

    Under the Tweak button...

    Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

    In Scanning Engine:

    Unload recognized processes during scanning

    Include info about ignored objects in logfile, if detected in scan

    Include basic Ad-aware settings in logfile

    Include additional Ad-aware settings in logfile

    Include used command line parameters in logfile

    In Cleaning Engine:

    XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

    Let Windows remove files in use at next reboot

    UNCHECK: Automatically try to unregister objects prior to deletion

    Click Proceed to save these settings.
    Reboot and post a fresh HJT log.

  9. #9
    Junior Member
    Join Date
    Jul 2004
    Posts
    14
    ugh. sorry guys ive been out of the house.
    but okay i updated adaware then i scanned with it. and the homepage went away for like 20 minutes then it changed to this other search page with pop ups. and id change the homepage and it would change back later again. so should i do a HJT scan again and post a new log?

    Also, in the quote directions you said to go Start > Control Panel > Administrative Programs but i didn't see Administrative Programs on my Control Panel

  10. #10
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Can we see a new log please?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •