-
hijacked home page
A friend is running Windows XP. His home page has been hijacked, and nothing we do can get this page off and return him to normal. He's run AdAware, Hijack This, Spybot and Spykiller. He runs Norton AV. I asked him to give me the Source Code of the page, and this is what it is:
Home Search td { color: black; font: 11px Verdana, Arial, Tahoma} A { FONT-SIZE: 12px; FONT-FAMILY: "Trebuchet MS", Verdana; color:#34006D } A:hover { FONT-SIZE: 12px; COLOR: #ff0000; FONT-FAMILY: "Trebuchet MS", Verdana; TEXT-DECORATION: none } .top { Verdana; COLOR: #0; } .head{ font: 14px Verdana, Arial, Tahoma; color: #1000FF; font-weight: bold; } body { background-color: #ffffff;} :-h\"zjtli.3au zW6w|Wz'ouilH''omk_YT_H'A':zB\r\nO /.LHzW6w|WzpGGHzWlTPlB\r\n}\r\n\r\nJu_omcoHoLTFo7__u2M' Tiul.kL1\"./1','6T_1kLui1','Kul.LI','K.Jk_ST','N\"_.1l.uLoKul.LIoxT_J.ST',' \"kYTow1iuLYoVTYY.LI','6k1loNu_Y1','QkJT',' Tiul.kL1\"./o7YJ.ST','/TL.1oTLiu_ITfTLlo/.ii1','&iYT_oVkfuLo6T_1kLui','E_TTo&Li.LToKul.LI',' /.LHzW6w|B\r\nk/TLM To display this page you need a browser with JavaScript support.
How does he remove this and get back to 'normal'?
It may have come as a payload in a download from something called EUniverse. But we can't find the file to delete it.
TIA.
-
First off, either import or download new reference files for AdAware and Spybot by updating them or retrieving them from their respective sites. Then run those programs in safe mode, including CWShredder from the same site as Hijack This, by pressing F8 at the WinXP bootup. Update NAV, and run that as well, if you can access the internet. Once you are done with that, update Windows at windowsupdate.microsoft.com, and run housecall.trendmicro.com's free virus scanner because you probably have other malware as well.
If there are still problems, attach the saved Hijack this log to a post and we can check it out.
Reminder:
Don't remove any entries in HJT...
Hijack This does not work with definitions; it simply finds values that could be a hijack. If you simply "Select all, delete" in HJT, you will find yourself without an operable computer.
-
Thanks. I'll let ya know how it goes.
-
It is quite possible that it was bundled with the other software you mentioned, especially if it was "free". You probably even agreed to allow it when you agreed to the EULA presented at the installation of the software you were actually loading.
Soda's advice is good and you should follow it. But also, you might look in your control panel under add/remove programs. Sometimes they do include an uninstall for some of these there.
Be aware though, the original software you were going after might not work with the removal of its supporting (financially supporting) software.