My Windows Explorer seems to have been hijacked. Avast notifies me of Win32:Qucan[Trj] every time I open Internet Explorer. Also, I am not able to make any changes to the home page setting in Internet Options; it's kind of faded out. I got this from Yahoo chat. I was foolish enough to click a link there. It started sending weird messages to all my contacts. Please help me get my homepage back!!
I ran all the mentioned anti-spyware programs and was happy to have my browser back to normal. My happiness lasted until I logged back in to Yahoo Messenger. It's still behaving the same way, sending messages to all my contacts automatically. Should I reinstall Yahoo?
Sorry, I don't use Yahoo Messenger or any other IM program, so I don't know if it would be as simple as changing the settings to stop this auto-sending to your contacts. This does seem to be something directly targeting Yahoo Messenger; perhaps a visit to their support forums would help, as I doubt this has only happened to you.
Re-installation is possibly best; ensure you save your contacts and any other info/settings you need, uninstall, reboot and install again. However, that is no guarantee the next installation won't be similarly affected if whatever is targeting YM isn't also removed. HijackThis, as FWF suggests, could give an indication of that malware.
Do you know what message is being sent out to your contacts?
I remember you helping me once before…almost a year ago!!
Below is the log of HijackThis.
Thanks!!
Addy
Logfile of HijackThis v1.99.1
Scan saved at 22:45:50, on 2006/11/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
I uninstalled and reinstalled YM but the problem persists. The message it's sending is a malicious URL. I got the bug by clicking on a similar message that came to me. Apparently this bug is infecting all IM programs.
I believe that all instances of "svhost.exe" and "svhost32.exe" are malware. Double-check at an on-line scanner.
If I am correct, you can fix them with HijackThis.
As Spyros mentions, these usually indicate a malware infection, and an on-line analysis http://hijackthis.de/logfiles/31bc9760ee59c5da6696d10da19481bc.html reports these running processes (svhost32.exe) as a Win32.Rbot worm variant:
C:\WINNT\svhost32.exe
C:\DOCUME~1\user\LOCALS~1\Temp\svhost32.exe
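The two posts above apply a check that is easy to automate: a process whose name is a near-miss of a core Windows binary (svhost.exe vs. svchost.exe), or a genuine-looking name running from the wrong directory (a Temp folder instead of System32), is a classic worm indicator. The following Python script is an added example written for this page; it is not part of the thread, of HijackThis or of the on-line analyser. It parses the "Running processes:" section of a HijackThis-style log and flags lookalike names and out-of-place paths. The sample log is constructed for the example: the two svhost32.exe paths are the ones posted above, everything else is made up to give the scanner benign rows to pass, and the table of expected locations is an assumption that covers Windows 2000 (WINNT) and XP (WINDOWS) defaults.

```python
from __future__ import annotations

import ntpath  # Windows path semantics even when run on a non-Windows box
import re

# Where the genuine copies of commonly imitated Windows processes live.
# Assumed defaults for Windows 2000 (C:\WINNT) and XP (C:\WINDOWS).
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\winnt\system32", r"c:\windows\system32"},
    "services.exe": {r"c:\winnt\system32", r"c:\windows\system32"},
    "lsass.exe":    {r"c:\winnt\system32", r"c:\windows\system32"},
    "csrss.exe":    {r"c:\winnt\system32", r"c:\windows\system32"},
    "smss.exe":     {r"c:\winnt\system32", r"c:\windows\system32"},
    "winlogon.exe": {r"c:\winnt\system32", r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\winnt\system32", r"c:\windows\system32"},
    "explorer.exe": {r"c:\winnt", r"c:\windows"},
}

# Directory fragments a legitimate system binary never executes from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")

# Constructed HijackThis-style excerpt. The two svhost32.exe paths are the ones
# from the thread; the other rows are made up benign entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\svhost32.exe
C:\DOCUME~1\user\LOCALS~1\Temp\svhost32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file stems, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(name: str) -> str:
    """'svhost32.exe' -> 'svhost': drop the extension and trailing digits malware appends."""
    base = name.rsplit(".", 1)[0]
    return re.sub(r"\d+$", "", base)


def parse_running_processes(log: str) -> list[str]:
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths: list[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.lower() == "running processes:"
            continue
        if not line:
            if paths:  # a blank line closes the section
                break
            continue
        if re.match(r"^[A-Z]\d+ - ", line):  # next section (R0, O4, ...) has started
            break
        paths.append(line)
    return paths


def assess(path: str) -> list[str]:
    """Return the reasons a process path deserves a closer look (empty list = unremarkable)."""
    reasons: list[str] = []
    lowered = path.lower()
    name = ntpath.basename(lowered)
    directory = ntpath.dirname(lowered)
    if name in EXPECTED_DIRS:
        # Right name, wrong place: e.g. svchost.exe started from a Temp folder.
        if directory not in EXPECTED_DIRS[name]:
            reasons.append(f"{name} running outside its system directory ({directory})")
    else:
        # Unknown name that is one or two edits away from a system process name.
        for known in EXPECTED_DIRS:
            if levenshtein(stem(name), stem(known)) <= 2:
                reasons.append(f"{name} looks like a misspelling of {known}")
                break
    if any(marker in directory + "\\" for marker in SUSPICIOUS_DIRS):
        reasons.append(f"{name} running from a temporary directory")
    return reasons


def scan_log(log: str) -> dict[str, list[str]]:
    """Map every suspicious process path in the log to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for path in parse_running_processes(log):
        reasons = assess(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan_log(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample log, the two svhost32.exe entries are the only rows flagged; the second one is flagged twice, once for the lookalike name and once for running out of a Temp directory. The edit-distance rule is a heuristic and will occasionally flag a legitimately named program, so treat a hit as a prompt to check the file at an on-line scanner, as the posts above suggest, not as proof of infection.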
AFTER you get your machine cleaned up: I noticed from your HijackThis log that you are using a very old version of Ewido, so I recommend you uninstall it, then choose one of the versions available at www.filehippo.com/download_ewido/ .
ALSO, your Sun Java program is 3 updates behind and is therefore a serious security risk. I recommend you uninstall it, then go to www.majorgeeks.com/download4648.html to get the latest.
LASTLY, I see your HJT log showing you have the adware, if not spyware, WeatherBug; I would recommend you read the info @ www.searchlores.org/weatherbug.htm AND www.pchell.com/support/weatherbug.shtml . On this last site, it recommends a better alternative, called "WeatherPulse", which I am using on my computer.
Thanks all for your help and suggestions. I seem to have resolved the problem. Yahoo Messenger doesn't seem to be sending those weird messages now. My IE browser had got hijacked again. I fixed the svhost32.exe and svhost.exe files through HijackThis. I then uninstalled my old Ewido and downloaded AVG and ran it. After that my browser came back to normal, as did YM.
Is there anything else I need to do to be sure the bug’s gone?
Yes, try Firefox, Opera ;D or any non-IE-based browser, as they aren't as susceptible to these hijackings. With Win2k you won't be able to use IE7 (as far as I'm aware, XP SP2 is the minimum OS requirement), so you won't be able to take advantage of its added security.
You might also consider proactive protection: in order to place files in the system folders or create registry entries, you need permission. Prevention is much better, and theoretically easier, than cure.
Whilst browsing or collecting email, etc., if you get infected, the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below): Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator accounts: WinNT, Win2k, WinXP.
If you mean AVG antivirus → NEVER use two antiviruses at the same time. They will conflict during an infection and leave your system unprotected (if not cause you blue screens and other system stability problems). You can use a second antivirus only if it doesn't have resident protection, for example the free version of BitDefender.
If you mean AVG Anti-Spyware (ex-Ewido) → Yes, you can keep it active.