
Weird Hack thingy? HELP!



uncle_adolph
07-26-2004, 07:12 AM
Every time I make my home page, say, rct2.com/forums.index.php, I get this thingy come up and change it to search200.com/passthrough/index.html?http://www.rct2.com/forums/index.php. Can you PLEASE help me? It also has this little menu bar that it puts at the top of every page. Can someone PLEASE help me?

Thanks

-Ben

mikmik
07-26-2004, 11:17 AM
Here is a page from another security forum that discusses the same problem: http://www.broadbandreports.com/forum/remark,10702094~mode=flat

This may be a fairly involved procedure to get rid of it. Start by uninstalling any programs that you have installed just recently, and follow the steps given on the DSLreports page. There are links to HiJack This and another trojan removal tool, followed by instructions to scan your computer.

Hijack This download page:
http://www.spychecker.com/program/hijackthis.html

If you are still not sure, post back here again with your HijackThis log, okay?

uncle_adolph
07-26-2004, 02:23 PM
Ok, thanks MikMik.

Thanks

-Ben

wenwilder
07-26-2004, 02:27 PM
Mik, this is a CWS issue. A quick download and run of CWShredder (http://www.thinkingcritically.net/security101/CWShredder.exe) will fix the problem, with a double check from HiJackThis (http://www.thinkingcritically.net/security101/hijackthis.zip).

P.S. The links provided are to direct downloads from my site. Be prepared to save and run.

mikmik
07-26-2004, 03:20 PM
Is it a good idea to just automatically use the CWShredder to start with anyways?
If they don't have CWS, then no harm done?

wenwilder
07-26-2004, 07:00 PM
CWShredder, HiJackThis, Adaware, Spybot S & D, a good firewall, and AVG should be the first things installed on a computer before it is even connected to the internet. (Hard, I know, because most of them are downloaded off the internet - unless you're lucky enough to have friends with them burned on disk.) ;)

There are other programs that should be on the list of "necessities" but that list is still being compiled.

HijackThis should be used with caution - delete the wrong file by accident and you may be worrying about more than just a browser hijacking or virus.

As usual, Mik, your information is always, always!!! helpful and spot-on. ;)

vivekar
07-26-2004, 09:44 PM
SpyBot search and destroy is also worth trying.
An indispensable tool for every one.

http://www.safer-networking.org/en/index.html

uncle_adolph
07-27-2004, 01:50 PM
Darn, the Search200 thing has got even worse. It now has a pop-up search bar appear at the bottom of my screen as well as the one at the top of the page. Also the Passthrough has come back. Also, when a page is unavailable it has the "page cannot be displayed" thing and has added a search bar to the cannot-be-displayed page.

-Ben

mikmik
07-27-2004, 04:09 PM
uncle_adolph, this is a bad one, but it can be got. Many others have had severe problems also.
Can you tell me what version of Windows you are running?

I will do some more detailed research at some other sites including all the anti-virus places, and I will gather several links for some tools to download that can help stop it from running.

You might also try downloading Mozilla, which most likely won't be affected and lets you use the internet properly, without hassle, while we work on Internet Explorer.

You can download Mozilla 1.7 for Windows here:
http://www.mozilla.org/ . It automatically imports your IE favourites so that you can keep using your bookmarks without hassle.

You see, I have something on my computer that is so bad, I have to buy a new motherboard (you don't have this) and I have learned a LOT of tricks!

I also want you to copy this next bit into a new txt document with Notepad, and save it using "Save as...", calling it 'unhookExec.inf':


[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
; Restore the default "open" command for the executable file types that
; hijackers commonly redirect, so .bat/.com/.exe/.pif/.scr files run directly again
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
; .reg files go back to being handed to regedit.exe
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Reset the DisableRegistryTools policy value to 0 so Regedit is allowed again
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0

You can use Notepad and save it as any name really, but the 'inf' part is important, and remember to choose "Save as..." and give it the name (I use) 'unhook.inf' and save as 'All file types' like you do to make an html doc.

Once you do that, right click on the 'unhook.inf' file and select 'install'.
What this may do is stop some hijack operations.
It is just something to try for now, until I get full instructions and the proper tools line up.

With you all the way,
mikmik (Mike Laing)

ddemarest
07-27-2004, 04:28 PM
Darn, the Search200 thing has got even worse. It now has a pop-up search bar appear at the bottom of my screen as well as the one at the top of the page. Also the Passthrough has come back. Also, when a page is unavailable it has the "page cannot be displayed" thing and has added a search bar to the cannot-be-displayed page.

-Ben

It is soooooo annoying that these morons can hijack your pc, install a bunch of tool bars, click trackers, data miners, redirect your search engine prefs and load spyware processes in the background.

I have had instances where they have edited my hosts file. It is such an intrusion I wonder why this is legal!

I live on Ad-aware. I run it at least once a day; if not, my PC would just die on the vine:

http://www.lavasoftusa.com/software/adaware/

The other tools mentioned here are just as good.

uncle_adolph
07-27-2004, 04:29 PM
I run Win 98 (not Win 98SE), if this is important. I had a virus on this PC before, haven't a clue what it was, but I re-formatted it.

-Ben

uncle_adolph
07-27-2004, 04:31 PM
Sorry about the double post.... lol.



Darn, the Search200 thing has got even worse. It now has a pop-up search bar appear at the bottom of my screen as well as the one at the top of the page. Also the Passthrough has come back. Also, when a page is unavailable it has the "page cannot be displayed" thing and has added a search bar to the cannot-be-displayed page.

-Ben

It is soooooo annoying that these morons can hijack your pc, install a bunch of tool bars, click trackers, data miners, redirect your search engine prefs and load spyware processes in the background.

I have had instances where they have edited my hosts file. It is such an intrusion I wonder why this is legal!

I live on Ad-aware. I run it at least once a day; if not, my PC would just die on the vine:

http://www.lavasoftusa.com/software/adaware/

The other tools mentioned here are just as good.

I've tried Ad-Aware and all it seemed to do is mess up my AVG. So I had to re-install AVG...

Thanks for helping though...

-Ben

Edit: I'm using Mozilla Firefox.. It seems cool and OK for the moment.

mikmik
07-29-2004, 01:44 AM
Okay, sorry if I am slow these days, I am moving this week :O)

The reason I asked about the version of Windows is to make sure that you don't have 'System Restore' like XP and ME. That has to be shut off in those cases to remove some problems. Glad the Mozilla is working; however, I guess we both know that your system must get cleaned.

Have you tried the CWS that wen gave the link for above? Then run the HijackThis program, and copy the output here. I need to see what is in your registry so we can get it that way.

Sound okay?

uncle_adolph
07-29-2004, 04:31 AM
Eh, ok. Thanks. I'll try that.

-Ben

uncle_adolph
07-29-2004, 02:08 PM
This stuff?

It's copied from the log.


Logfile of HijackThis v1.97.7
Scan saved at 18:56:58, on 29/07/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\FELLOWES\MEDIAFACE 4.0\SETHOOK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\TRILLIAN\TRILLIAN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL (http://www.cirznzgtdcqpkfscwcxlycdl.net/CglR3EvV6/CpisMa01agx3/Culalags9NE7s8R3md08.html)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL (http://wwkajvchgtbneqb.biz/CglR3EvV6/AmY6B2wUBDhtjqTySkpYw2LmyY1kAnZa35ykVwHLCELn6w19mH bUUQ.jpg)
O2 - BHO: (no name) - {CB6ED890-EE0B-8647-E426-D4AF70232010} - C:\PROGRAM FILES\DEAD REF\PILE FREE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BurnOption] C:\PROGRA~1\STOPTH~1\copy shim.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [1 Flap Ball Stupid] C:\WINDOWS\Application Data\Flaw Bike 1 Flap\holebird.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014754.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://217.73.66.1/del/loader.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38176.0116666667
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/264b9403b90d8ec40805/netzip/RdxIE601.cab

-Ben

mikmik
07-29-2004, 02:25 PM
Okay, uncle_adolph! I can definitely see there are some bad entries in your registry and program files.

I am going to fire up my Windows 98 computer to get a quick refresher on how all the stuff works, like what can be done in safe mode. I also want to double check a file called 'sysoc.inf' that will force your computer to show all the hidden programs that are installed.

I also sent you a private message.
Can't guarantee exactly when, but I will be back, hopefully a bit later this afternoon, with the Cavalry! :O)

Good work!

wenwilder
07-29-2004, 03:14 PM
Wow! You do have fun files going on your computer. Before you do anything else, let's look at a couple of online resources that will help you remove some of your problems.

Run a couple of online virus scans. One is good, two is better, three is best.

First one: Bit defender (http://www.bitdefender.com/scan/licence.php)
Second one: Housecall (http://housecall.trendmicro.com/)
Third One: McAfee online scan (http://us.mcafee.com/root/mfs/default.asp)


Now, let's start with your main culprit.

MWSOEMON.EXE - MyWebSearch Spyware
Mwsoemon.exe installs with a newer variant of the MyWebSearch spyware program. Generally, a browser helper object called mwsbar.dll will install at the same time. The toolbar does add search features, but the search results you see will be hijacked to mywebsearch.com.

MWSOEMON is shown in the Task Manager (press Ctrl-Alt-Del); try to end the task of the process mwsoemon.

Uninstall Myway MySpeedbar from Control Panel > Add/Remove Programs. It might be called 'My Search Bar', 'MyWay Speed Bar' or 'My Web Search Bar'; click 'Remove' for what you find. Also remove 'Fun Web Products Easy Installer' if it is present.

If not, you can remove them manually by running Regedit, finding MWSOEMON and deleting the key.

Restart computer and Find/Delete MWSOEMON.EXE.

You need to delete the R0's and O2-BHO. The BHO is Lop.com. Adaware and/or Spybot Search and Destroy should detect and remove this one; if not, you may have to do a manual removal.

Alias: C2 Media, after the company that makes it, Lop, LopAdvert [McAfee], MP3Search [McAfee], MpAdvert [McAfee], Trojan.Win32.SecondThought.h [Kaspersky], TrojanClicker.Win32.Rotarran (for Lop.Com.WinactiveJ), TrojanDownloader.Win32.Small.bp, TrojanDownloader.Win32.Small.bp [Kaspersky], TrojanDownloader.Win32.Swizzor.au [Kaspersky], TrojanDownloader.Win32.Swizzor.i [Kaspersky], TrojanDownloader.Win32.Swizzor.q [Kaspersky], TrojanDropper.Win32.Small.fl [Kaspersky]

These need to be deleted:
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014754.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://217.73.66.1/del/loader.cab


This is just a beginning. You may have to manually delete some of these.
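
An added triage script, not from the thread or from any of the tools named in it, that applies the rules wenwilder used by hand to lines in HijackThis log format. The sample lines are copied from Ben's log above; the trusted-host set and the "random-looking host" test are my own assumptions.

```python
import re
from urllib.parse import urlparse
# Added example, not part of the thread: triage of HijackThis log lines by the rules
# wenwilder applied by hand. Samples are from Ben's log; the trusted-host set and
# the random-host heuristic are assumptions, not part of any tool named above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cirznzgtdcqpkfscwcxlycdl.net/CglR3EvV6/CpisMa01agx3/Culalags9NE7s8R3md08.html
O2 - BHO: (no name) - {CB6ED890-EE0B-8647-E426-D4AF70232010} - C:\PROGRAM FILES\DEAD REF\PILE FREE.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014754.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://217.73.66.1/del/loader.cab
"""

TRUSTED_DPF_HOSTS = {"download.macromedia.com", "download.microsoft.com"}  # assumption
KNOWN_BAD_MARKERS = ("MWSOEMON", "MYWEBS")  # MyWebSearch, the thread's main culprit
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def looks_random(host):
    """True if any non-TLD label is long and nearly vowel-free, like the R0 host."""
    for label in host.split(".")[:-1]:
        if len(label) >= 12 and sum(c in "aeiou" for c in label) / len(label) < 0.2:
            return True
    return False

def triage_line(line):
    """Return a reason string when a log line deserves a look, else None."""
    kind = line.split(" - ", 1)[0]          # R0, O2, O4, O16, ...
    url = next(iter(URL_RE.findall(line)), None)
    host = urlparse(url).hostname if url else None
    if kind in ("R0", "R1") and host and looks_random(host):
        return "start/search page set to random-looking host"
    if kind == "O2" and "(no name)" in line:
        return "unnamed BHO"
    if kind == "O4" and any(m in line.upper() for m in KNOWN_BAD_MARKERS):
        return "known hijacker autostart"
    if kind == "O16" and host:
        if IP_RE.match(host):
            return "DPF download from bare IP"
        if url.lower().endswith(".exe"):
            return "DPF pulls an .exe rather than a .cab"
        if host not in TRUSTED_DPF_HOSTS:
            return "DPF from unrecognised host; verify"
    return None

def triage(log_text):
    """Return [(line, reason)] for every line that trips a rule."""
    return [(l, triage_line(l)) for l in map(str.strip, log_text.splitlines()) if triage_line(l)]
```

Lines that trip no rule (ScanRegistry, the Macromedia Flash DPF) are left out of the result, which mirrors how the log above was read.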

uncle_adolph
07-29-2004, 05:37 PM
Wow! You can actually understand what all these lines of stuff actually mean! Wow!

Although, wenwilder, I'll have to check with my parents about editing the registry.

I should be able to though..

MikMik, waitin' for the PM, thanks.... :p

-Ben

uncle_adolph
08-04-2004, 06:05 AM
Sorry about not being online recently, my internet went down due to a problem with my internet/network router.

-Ben