Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Home Page Been Taken Over + Others

Started by biggam , Aug 21 2006 10:43 AM

Please log in to reply

#1
biggam

Posted 21 August 2006 - 10:43 AM

Member

Member
76 posts

Hi

My younger cousin was surfing the net when a pop up came up about computer having a virus and my homepage got taken over by securitynetpage.net i dont have a antivirus or firewall for something to come up telling me i got a virus. also i popup comes up in the corner.(see attechment). so i have a feeling i have spyware or a virus may you please help. also i am running on dial up 25kb. :whistling:

.

Logfile of HijackThis v1.99.1
Scan saved at 7:22:46 PM, on 8/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\F.bondok\Desktop\hijackthis\HijackThis.exe

O1 - Hosts: 82.146.56.35 personal.barclays.co.uk
O1 - Hosts: 82.146.56.35 barclays.co.uk
O1 - Hosts: 82.146.56.35 ibank.barclays.co.uk
O1 - Hosts: 82.146.56.35 www.barclays.co.uk
O1 - Hosts: 82.146.56.35 hsbc.co.uk
O1 - Hosts: 82.146.56.35 www.hsbc.co.uk
O1 - Hosts: 82.146.56.35 personal.hsbc.co.uk
O1 - Hosts: 82.146.56.35 abbey.com
O1 - Hosts: 82.146.56.35 www.abbey.com
O1 - Hosts: 82.146.56.35 www.abbey.co.uk
O1 - Hosts: 82.146.56.35 abbey.co.uk
O1 - Hosts: 82.146.56.35 www.banesto.es
O1 - Hosts: 82.146.56.35 banesto.es
O1 - Hosts: 82.146.56.35 www.bbvanet.com
O1 - Hosts: 82.146.56.35 bbvanet.com
O1 - Hosts: 82.146.56.35 www.halifax.co.uk
O1 - Hosts: 82.146.56.35 halifax.co.uk
O1 - Hosts: 82.146.56.35 bankofscotlandhalifax.co.uk
O1 - Hosts: 82.146.56.35 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 82.146.56.35 www.co-operativebank.co.uk
O1 - Hosts: 82.146.56.35 co-operativebank.co.uk
O1 - Hosts: 82.146.56.35 www.co-operativebank.com
O1 - Hosts: 82.146.56.35 co-operativebank.com
O1 - Hosts: 82.146.56.35 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 www.woolwich.co.uk
O1 - Hosts: 82.146.56.35 woolwich.co.uk
O1 - Hosts: 82.146.56.35 cahoot.com
O1 - Hosts: 82.146.56.35 www.cahoot.com
O1 - Hosts: 82.146.56.35 www.cahoot.co.uk
O1 - Hosts: 82.146.56.35 cahoot.co.uk
O1 - Hosts: 82.146.56.35 www.smile.co.uk
O1 - Hosts: 82.146.56.35 smile.co.uk
O1 - Hosts: 82.146.56.35 www.volksbank.de
O1 - Hosts: 82.146.56.35 volksbank.de
O1 - Hosts: 82.146.56.35 www.berliner-volksbank.de
O1 - Hosts: 82.146.56.35 postbank.de
O1 - Hosts: 82.146.56.35 www.postbank.de
O1 - Hosts: 82.146.56.35 banking.postbank.de
O1 - Hosts: 82.146.56.35 direkt.postbank.de
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Nemesis4] C:\Documents and Settings\F.bondok\Desktop\Program Hack Msn\Pro.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\System32\mmsvc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F07EEF05-D653-4062-93AD-23BC1565AB69}: NameServer = 217.139.192.10 217.139.145.10
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\System32\vwlummc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

thank you

Edited by biggam, 21 August 2006 - 10:45 AM.

#2
biggam

Posted 26 August 2006 - 08:26 AM

Member

Topic Starter
Member
76 posts

Any Help Please

#3
andydf

Posted 26 August 2006 - 03:08 PM

Visiting Staff

Visiting Consultant
1,660 posts

Hi, biggam

Sorry about the delay in replying to your post, the forums have been very busy lately. As it's been a few days since your origional post, please could you post a new HJT log for me to see.

Andy :whistling:

#4
biggam

Posted 26 August 2006 - 03:41 PM

Member

Topic Starter
Member
76 posts

Logfile of HijackThis v1.99.1
Scan saved at 12:20:43 AM, on 8/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\ismon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\isnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\F.bondok\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\System32\mmsvc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F07EEF05-D653-4062-93AD-23BC1565AB69}: NameServer = 217.139.192.10 217.139.145.10
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\System32\vwlummc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

thank you

#5
biggam

Posted 26 August 2006 - 03:53 PM

Member

Topic Starter
Member
76 posts

i also just got this alert (check attachment)

Attached Thumbnails

#6
biggam

Posted 26 August 2006 - 04:07 PM

Member

Topic Starter
Member
76 posts

also this poped up

Attached Thumbnails

#7
andydf

Posted 27 August 2006 - 12:29 PM

Visiting Staff

Visiting Consultant
1,660 posts

Hi biggam

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Andy :whistling:

#8
biggam

Posted 27 August 2006 - 06:11 PM

Member

Topic Starter
Member
76 posts

hi when i open smitfraudfix.cmd it opens for a second then closes

Edited by biggam, 27 August 2006 - 06:12 PM.

#9
biggam

Posted 27 August 2006 - 06:37 PM

Member

Topic Starter
Member
76 posts

also when i open task manager it closes straight away. i tried smitfraud in safe mode and it worked.

SmitFraudFix v2.81

Scan done at 3:01:56.10, Tue 08/29/2006
Run from C:\Documents and Settings\F.bondok\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\vwlummc.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\F.bondok\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FEF74~1.BON\FAVORI~1

C:\DOCUME~1\FEF74~1.BON\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hubbsi"="{7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885}"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#10
andydf

Posted 28 August 2006 - 12:50 PM

Visiting Staff

Visiting Consultant
1,660 posts

Hi biggam

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Andy :whistling: