Author |
Message |
bjc210
Warnings : 1
Cadet
Joined: Apr 25, 2004
Posts: 8
Location: Birmingham, UK
|
Posted: Wed Jun 02, 2004 2:18 pm Post subject: Myexexex.com Hijackings |
|
|
Hi all. Recently I've been having homepage hijackings and address bar hijackings. As you will see in the attached HijackThis log, they link to www.myexexex.com. Let me explain some of the effects.
My homepage changes to C:\spad\start.htm - it contains porn links and when you delete it it comes back again a few days later.
If you don't put http:// in the web address, the computer adds it in for you, this has been changed to http://www.myexexex.com/search= or something like that so that unless you put http:// in every time you get redirected.
Obviously when you search using the address bar (although I don't very often due to having the Google Toolbar) it goes to myexexex.com too. Occasionally a link on my desktop appears with an X on it. The latest one links to http://www.casinopalazzo.com/index.php?sourceid=101969.
This whole hijacking just used to affect my user settings (I use WinXP) but now it has spread.
I have tried using Ad-Aware 6.0 and HijackThis in combination -- sometimes you can't "Fix" the items using HijackThis. Mostly eventually you can but it will re-appear a few days later. I believe there is some type of spyware on my system but I don't know.
Here is my HijackThis log:
--------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 19:16:20, on 02/06/2004 **that's 2nd June for you Americans**
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AKT\My Documents\Downloaded\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14e5dbf25d2...xIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...6449537037
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa...Plugin.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF300152-0CAF-465C-B301-754FA5D7D88E}: NameServer = 212.74.114.129 212.74.114.193
-------------------
Hoping someone out there can help......
Adam T
Birmingham, UK
Last edited by bjc210 on Wed Jun 02, 2004 2:44 pm, edited 1 time in total |
|
Homeboy
Trooper
Joined: May 29, 2004
Posts: 21
Location: USA
|
Posted: Wed Jun 02, 2004 2:30 pm Post subject: |
|
|
This is Homeboy... I have experienced the same problem. These guys have been great help! One question: Did you get a desktop shortcut entitled "default"? |
|
bjc210
Warnings : 1
Cadet
Joined: Apr 25, 2004
Posts: 8
Location: Birmingham, UK
|
Posted: Wed Jun 02, 2004 2:32 pm Post subject: Re: Default icon |
|
|
hey Homeboy
Yes i did - it has an X on it
-- Adam |
|
Homeboy
Trooper
Joined: May 29, 2004
Posts: 21
Location: USA
|
Posted: Wed Jun 02, 2004 2:49 pm Post subject: |
|
|
That's the one... You can see my post thread entitled: "Another New Browser Page Change?"
I can tell you that this is a newer hijack and they are working on it... We got to hang in and give them some time...
|
bjc210
Warnings : 1
Cadet
Joined: Apr 25, 2004
Posts: 8
Location: Birmingham, UK
|
Posted: Wed Jun 02, 2004 2:56 pm Post subject: |
|
|
OK - thanks,
I'll have to hope for the best. Were they able to cure you completely?
--Adam |
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4760
Location: USA
|
Posted: Wed Jun 02, 2004 2:58 pm Post subject: |
|
|
Copy the contents of the quote box to notepad. Name as Spad.reg
save as type all files.
Quote: |
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}] |
Restart into Safe mode.
Directions here if you need help:
http://service1.symantec.com/SUPPORT/ts...2409420406
Double click on spad.reg to enter into the registry.
Look in System32 and in
%Userprofile%\Local Settings\Temp
folder for this file and delete it.
HPCMDTY.DLL
Delete this folder:
C:\spad
Look for these files and delete them if found:
C:\WINDOWS\System32\c_10230.dll
C:\WINDOWS\System32\crt32_v2.dll
C:\WINDOWS\System32\crt2_v32.dll
---------
Close All Windows and Folders. Select the following items and press Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
------------
Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp
folder. It's a good idea to do that regularly.
---------------
Restart into Regular Windows Mode.
Run HijackThis again and post the new log in your next reply in this same topic.
--------------------
|
|
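An added example, not written by any poster in this thread: a small Python triage of HijackThis entries that flags the R0/R1 browser-setting lines and O13 prefix lines listed in the fix above, then checks whether they survive into a follow-up log. The sample lines are a subset copied from the two logs posted in this topic; the function names and the `watch_domains` parameter are this example's own.

```python
import re
from urllib.parse import urlparse

# Entries copied from the two HijackThis logs posted in this thread (subset).
BEFORE_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
"""
AFTER_FIX = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
"""

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")  # e.g. "R1 - ...", "O13 - ..."
URL = re.compile(r"(?:https?|file)://\S+", re.IGNORECASE)


def entries(log):
    """Return (section code, entry text) for every HijackThis entry line."""
    found = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # process list, headers and separators do not match
            found.append((m.group(1), m.group(2)))
    return found


def triage(log, watch_domains):
    """Flag R0/R1/O13 entries that point at a watched domain or a local file."""
    findings = []
    for code, text in entries(log):
        if code not in ("R0", "R1", "O13"):
            continue
        for url in URL.findall(text):
            if url.lower().startswith("file://"):
                findings.append((code, "browser page set to a local file", url))
                continue
            host = (urlparse(url).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in watch_domains):
                why = "URL prefix rewritten" if code == "O13" else "search/start page redirected"
                findings.append((code, why, url))
    return findings


def still_present(before, after, watch_domains):
    """Findings from the first log that are still in the follow-up log."""
    remaining = set(triage(after, watch_domains))
    return [f for f in triage(before, watch_domains) if f in remaining]


if __name__ == "__main__":
    for code, why, url in triage(BEFORE_FIX, {"myexexex.com"}):
        print(f"{code:4} {why}: {url}")
    print("left after fix:", still_present(BEFORE_FIX, AFTER_FIX, {"myexexex.com"}))
```

Running the same comparison on a log taken a few days later is a quick way to tell whether the entries have been written back.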
bjc210
Warnings : 1
Cadet
Joined: Apr 25, 2004
Posts: 8
Location: Birmingham, UK
|
Posted: Wed Jun 02, 2004 5:25 pm Post subject: Re: Myexexex - Hijack This Log |
|
|
OK, I did as much as I could but
Quote: |
Look in System32 and in
%Userprofile%\Local Settings\Temp
folder for this file and delete it
HPCMDTY.DLL |
wasn't there.
Attached is the HijackThis log I've done now
-------------
Logfile of HijackThis v1.97.7
Scan saved at 22:19:33, on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\AKT\My Documents\Downloaded\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14e5dbf25d2...xIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...6449537037
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa...Plugin.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF300152-0CAF-465C-B301-754FA5D7D88E}: NameServer = 212.74.114.129 212.74.114.193
------------------
I haven't had any problems since this - thanks - although I'm not sure that it's totally gone yet
Can you tell me exactly what your fix did?
--Adam
P.S. As I live in the UK, my next response will be tomorrow
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4760
Location: USA
|
Posted: Wed Jun 02, 2004 7:14 pm Post subject: |
|
|
I removed the loading point for this and stopped the auto reinstall it had set up.
Go ahead and reset your Home and search pages and then see how it goes.
This entry should be fixed using Hijackthis as well:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14e5dbf25d2...xIE601.cab |
|
bjc210
Warnings : 1
Cadet
Joined: Apr 25, 2004
Posts: 8
Location: Birmingham, UK
|
Posted: Thu Jun 03, 2004 5:33 am Post subject: |
|
|
OK - done that. It doesn't appear to be reoccurring yet (as of 10:30 GMT) so thanks and I'll get back to you if it reoccurs again
--Adam |
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4760
Location: USA
|
Posted: Thu Jun 03, 2004 5:40 am Post subject: |
|
|
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn off System restore.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html |
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4760
Location: USA
|
Posted: Fri Jun 04, 2004 1:38 pm Post subject: |
|
|
Sandog,
We can only help one person at a time in any topic. I have split off your question to its own thread. Please work there until your problem has been resolved.
Here's a link to it:
http://computercops.biz/postt47195.html
Mosaic1 |
|
wadeige
Cadet
Joined: Jun 05, 2004
Posts: 1
Location: Japan
|
Posted: Sat Jun 05, 2004 2:40 am Post subject: |
|
|
Mosaic1,
For a few days my PC was showing the same symptoms as bjc210's, so I tried to follow the instructions you gave him. Several files were not on my system, but as far as I can see ... it worked!
One thing, could you give a short explanation of what the registry changes (Spad.reg) are for? I mean, what exactly was "infected" on my machine?
Thanks for all your help.
-- Peter |
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4760
Location: USA
|
Posted: Sat Jun 05, 2004 2:49 am Post subject: |
|
|
wadeige,
Please start your own topic if you need more help. The registry changes removed the hijack by removing the Explorer extensions and Class IDs which were responsible.
Mo |
|
azn_gamer2003
Cadet
Joined: Jun 05, 2004
Posts: 6
Location: USA
|
Posted: Sat Jun 05, 2004 12:16 pm Post subject: |
|
|
Mosaic1 wrote: Copy the contents of the quote box to notepad. Name as Spad.reg
save as type all files.
Quote: |
Restart into Safe mode.
Look in System32 and in
%Userprofile%\Local Settings\Temp
folder for this file and delete it.
|
Coupla questions (I'm kinda new here, so don't flame me plz).
1) What is the difference between doing this in safe mode and normal mode? Will one save changes and the other won't?
2) Where is the %Userprofile%\Local Settings\Temp folder? I have tried searching for it and I can't find it.
3) When I tried to run Spad.reg in safe mode, I ran into an error saying that only certain file types can go into the registry. I copied it verbatim, but still it didn't work. Can anyone tell me why?
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4760
Location: USA
|
Posted: Sat Jun 05, 2004 11:05 pm Post subject: |
|
|
azn_gamer2003,
We can only help one person at a time in any thread. It is too confusing otherwise. Please start your own topic and ask your questions there. Post your HijackThis log. That reg file was for 2k and XP. Not for ME or 98.
The newest CWShredder now removes this hijack, so try that first.
Here's a link to it:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
--------------------------
We have had several people add their logs and questions here. The original Poster seems to have been repaired. I am going to lock this now. Anyone who needs help, please start your own topic.
Mosaic1 |
|