Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

my browser was hijacked

Posted on 2004-07-31
8
Medium Priority
?
2,209 Views
Last Modified: 2010-05-19
1. 0websearch has been set as the start page. 2. I change the start page to about:blank, it changes back to 0websearch after a while. 3. I can't open txt files with notepad any longer. 4. When I hit CTRL + ALT + DEL, I see "Services" running on the bottom. 5. When I shut down "Services" and run Notepad or try to open a txt file, "Services" runs again.

Logfile of HijackThis v1.97.6
Scan saved at 06:16:04, on 31/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\INETDATA\SERVICES.EXE
C:\PROGRAMAS\HIJACK THIS!\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\INETDATA\SERVICES.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\SYSTEM\ALXTB1.DLL (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARQUIV~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O8 - Extra context menu item: &Google Search - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Download with GetRight - C:\Programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programas\GetRight\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1068806402120
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
0
Comment
Question by:superquestions
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 140 total points
ID: 11683463
Hello superquestions =)

First Download these tools and install Adaware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then turn off ur system restore >> http://support.microsoft.com/default.aspx?kbid=264887
After the fix the following entries:

========================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\INETDATA\SERVICES.EXE
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\SYSTEM\ALXTB1.DLL (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
================================================

then Boot ur system in Safemode and run the above tools to delete everything they detect !!!!!
then empty the C:\Windows\Temp folder and delete Temporary Internet Files, Cookies and History of IE !!!!!

reboot back in safemode and check if same problems ??
0
 
LVL 1

Author Comment

by:superquestions
ID: 11683668
I did everything you said and then I even deleted notepad, but then I noticed there was a "notepad.exe.bak", so I renamed it to "notepad.exe" and run it. The problem started all over again. I had not created a "notepad.exe.bak" by the way.

I deleted notepad again. Can you tell me where to get another notepad free from "Services"?
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 80 total points
ID: 11684005
Hi!

Go to the following site, Merijn has replacement files and instructions:
http://www.spywareinfo.com/~merijn/winfiles.html

Good luck!
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 5

Expert Comment

by:AshuraKnight
ID: 11690611
A link worth to read

http://crazyone.tekmasters.com/malwaretools.html

from CrazyOne :)
0
 

Expert Comment

by:xsgwiseman
ID: 11724030
Spywareinfo/~merjin is down 90% of the time.
Theres a better mirror here for the link recommended above.

http://www.richardthelionhearted.com/~merijn/winfiles.html
0
 
LVL 1

Expert Comment

by:CharlyPhilly
ID: 12031136
Install Lavasoft.de Adaware SE (its free)...run a scan and delete the files it finds. good sites to block the activex controls of alot of sites and restrict them are the registry files from http://spywareguide.com/blockfile.php (minimal download) and the ie-ads.reg and adult.reg from https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD. These registry files have helped keep me from getting alot of annoying popups and spyware. make sure you get the zip file from the bottom of the page.
0
 

Expert Comment

by:zackzaim
ID: 13248520
install CW shredder and adaware
0
 

Expert Comment

by:zachdoty
ID: 13256524
Also try spyware blaster http://www.javacoolsoftware.com/spywareblaster.html
I blocks a lot of browser hijacks
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wonder what it's like to get hit by ransomware? "Tom" gives you all the dirty details first-hand – and conveys the hard lessons his company learned in the aftermath.
How does someone stay on the right and legal side of the hacking world?
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question