Browser Hijacked!! Please Help!!

Hi,

My Windows Explorer seems to have been hijacked. Avast notifies me of Win32:Qucan[Trj] every time I open Internet Explorer. Also I am not able to make any changes to the home page setting in Internet Options. It’s kind of faded out. I got this from Yahoo chat. I was foolish enough to click a link there. It started sending weird messages to all my contacts. Please help me get my homepage back!! :frowning:

Thanks

What Operating System are you using?
What is your firewall?

Personally I would try Firefox, as it is not as susceptible to browser hijacks as IE is with its ActiveX and BHOs.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.
  2. Ad-Aware SE Personal Edition
  3. Spybot Search and Destroy
  4. SpywareBlaster. Don’t install this until you are clean.

General cleaning methods include:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use the trojan removers posted by David.

Hope it helps.
Did you Google to find specific removal tools for Win32:Qucan[Trj]?

Thanks David and Tech,

I use Windows 2000. Will try your advice.

Hi David & Tech,

I ran all the mentioned anti-spyware programs and was happy to have my browser back to normal. My happiness lasted until I logged back in to Yahoo Messenger. It’s still behaving the same way, sending messages to all my contacts automatically. Should I reinstall Yahoo?

Also, I have installed SpywareBlaster.

Thanks for all your help guys.

Hi Addy,

Could you post a HijackThis! log file for us?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Sorry, I don’t use Yahoo Messenger or any other IM program, so I don’t know if it would be as simple as changing the settings to stop this auto-sending to your contacts. This does seem to be something directly targeting Yahoo Messenger, so perhaps a visit to their support/forums, as I doubt this has only happened to you.

Re-installation is possibly best: ensure you save your contacts and any other info/settings you need, uninstall, reboot and install again. However, that is no guarantee the next installation won’t be similarly affected if what is targeting YM isn’t also removed. HijackThis, as FwF suggests, could give an indication of that malware.

Do you know what message is being sent out to your contacts?

Hi FwF

I remember you helping me once before…almost a year ago!!

Below is the log of HijackThis.

Thanks!!

Addy

Logfile of HijackThis v1.99.1
Scan saved at 22:45:50, on 2006/11/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\svhost32.exe
C:\Program Files\AWS\WeatherBug\weatherbug.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\DOCUME~1\user\LOCALS~1\Temp\svhost32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\imejpmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\デスクトップ\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1041,ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Task Manager] C:\WINNT\svhost32.exe
O4 - HKLM..\Run: [SVCHOST] C:\WINNT\svhost.exe
O4 - HKCU..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\weatherbug.exe
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [LogitechSoftwareUpdate] “C:\Program Files\Logitech\Video\ManifestEngine.exe” boot
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Hi David,

I uninstalled and reinstalled YM but the problem persists. The message it’s sending is a malicious URL. I got the bug by clicking on a similar message that came to me. Apparently this bug is infecting all IM programs.

Thanks

Addy

I believe that all instances of “svhost.exe” & “svhost32.exe” are malware. Double-check at an on-line scanner.
If I am correct, you can fix them with HijackThis.

As Spyros mentions, these usually indicate malware infection, and an on-line analysis http://hijackthis.de/logfiles/31bc9760ee59c5da6696d10da19481bc.html reports these as running processes (svhost32.exe, Win32.Rbot worm variant):
C:\WINNT\svhost32.exe
C:\DOCUME~1\user\LOCALS~1\Temp\svhost32.exe

O4 - HKLM..\Run: [Task Manager] C:\WINNT\svhost32.exe
O4 - HKLM..\Run: [SVCHOST] C:\WINNT\svhost.exe

Other unknown entries that need checking out:
C:\WINNT\system32\imejpmgr.exe,
O4 - HKLM..\Run: [TCASUTIEXE] TCAUDIAG -off, (See http://www.liutilities.com/products/wintaskspro/processlibrary/tcaudiag/)

The on-line analysis link also has a means of uploading those suspect unknown/nasty files for AV scanning.

Try these removal tools:

http://www.softpedia.com/get/Antivirus/F-Secure-F-Bot-cleaner-tool.shtml

http://www.sophos.com/support/disinfection/rbotek.html
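
As an added example (not code from this thread or from the HijackThis project), here is a small Python script that applies the checks Spyros and David describe to HijackThis "Running processes" and O4 Run lines: a real system binary name running from outside System32, a name one typo away from a real one (svhost32.exe vs svchost.exe), and an executable started from a Temp directory. The sample lines are copied from the log posted above; the O4 line pattern is assumed from the format shown there.

```python
import re
# Directories the genuine core Windows binaries run from (Win2k: C:\WINNT,
# XP and later: C:\WINDOWS); all comparisons are done lower-case.
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
# O4 entry as HijackThis prints it: O4 - HKLM\..\Run: [Name] "C:\dir\prog.exe" args
O4_RE = re.compile(r'^O4 - \S+\\Run: \[[^\]]*\]\s+["\u201c]?(?P<path>[^"\u201d]+?\.exe)', re.I)

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_path(line):
    """Executable path from a 'Running processes' line or an O4 Run entry, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    return m.group("path") if m else (line if line.lower().endswith(".exe") else None)

def classify(path):
    """Reason a path deserves a second look, or None if nothing stands out."""
    directory, _, filename = path.lower().rpartition("\\")
    if filename in SYSTEM_BINARIES:  # real name: only legitimate from its system dir
        return None if directory in SYSTEM_DIRS else f"{filename} outside its system directory"
    stem = re.sub(r"\d+$", "", filename[:-4])  # svhost32.exe -> svhost
    for known in SYSTEM_BINARIES:
        if levenshtein(stem, known[:-4]) <= 1:  # one typo away from a real name
            return f"look-alike of {known}"
    return "executable running from a Temp directory" if re.search(r"\\temp(\\|$)", directory) else None

def scan(lines):
    """Map each flagged executable path to the reason it was flagged."""
    paths = filter(None, map(extract_path, lines))
    return {p: r for p in paths if (r := classify(p))}

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\svhost32.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\svhost32.exe",
    r"C:\Program Files\Skype\Phone\Skype.exe",
    r"O4 - HKLM..\Run: [SVCHOST] C:\WINNT\svhost.exe",
]
```

Running `scan(SAMPLE_LINES)` flags the three svhost entries and leaves the genuine svchost.exe and Skype.exe alone; a flagged file is a lead for an on-line scan, not proof of infection on its own.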

:slight_smile: Hi Addy:

AFTER you get your machine cleaned up: I noticed from your HijackThis log that you are using a very old version of "Ewido", so I recommend you uninstall it, then choose one of the versions available at www.filehippo.com/download_ewido/ .

ALSO your Sun Java program is 3 updates behind and is therefore a serious security risk. I recommend you uninstall it, then go to www.majorgeeks.com/download4648.html to get their latest.

LASTLY, I see your HJT log showing you have the adware, if not spyware, WeatherBug; I would recommend you read the info at www.searchlores.org/weatherbug.htm AND www.pchell.com/support/weatherbug.shtml . On this last site, it recommends a better alternative, called "WeatherPulse", which I am using on my computer.

Hi Guys,

Thanks all for your help and suggestions. I seem to have resolved the problem. Yahoo Messenger doesn’t seem to be sending those weird messages now. My IE browser had got hijacked again. I fixed the svhost32.exe and svhost.exe entries through HijackThis. I then uninstalled my old Ewido and downloaded AVG and ran it. After that my browser came back to normal, as did YM.

Is there anything else I need to do to be sure the bug’s gone?

Thanks again.

Addy 8)

Yes, try Firefox, Opera ;D or any non-IE-based browser, as they aren’t as susceptible to these hijackings. With Win2k you won’t be able to use IE7 (as far as I’m aware XP SP2 is the minimum OS requirement), so you won’t be able to take advantage of its added security.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Hi,

Just wondering if it’s alright to keep both Avast and AVG on my machine. Is keeping the resident shield on for both bad?

If you mean AVG antivirus → NEVER use two antiviruses at the same time. They will conflict during an infection and leave your system unprotected (if not cause you blue screens and other system stability problems). You can use a second antivirus only if it doesn’t have resident protection, for example the free version of BitDefender.

If you mean AVG Anti-Spyware (ex-“ewido”) → Yes, you can keep it active.

Thanks Spyros,

Yes, I meant AVG Anti Spyware.

It seems that this virus is getting diversified; a lot of my friends got it because of… me…

It usually starts with a message and a link on your computer, and after clicking on it, the virus sends itself through YM and modifies the registry…

“svchost12”

If a virus is recurrent (coming back again and again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

Hope this helps you get clean…