I am infected with a homepage virus

Well, here is how it happened:

I was surfing the net and went to a bad site (can't remember the address). My Avast Home Ed. bells started to ring, and it was giving me the options to delete, or vault, etc. I clicked delete and tried to close the site window, but it kept staying open and the alarm bells kept ringing. Eventually I got the window to close and deleted the virus.
I did a virus scan: 0 viruses found. I also ran the avast virus/worm cleaner application; again 0 found.

Now the homepage is set to http://good.allxun.com/ and some of the links I click get diverted to this site: http://error.newcell.cn/?id=1 and sometimes all of my Internet Explorer windows suddenly close.

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  3. Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

Hi:

You did NOT have a "virus", but something more serious; you should ALWAYS "quarantine" FIRST,
UNLESS you know SPECIFICALLY WHAT it "is". You now have a "Hijacker" and your 1st attempt
at getting rid of it is to use one or more of the programs recommended by "Tech", though I
recommend you start by using the FREE version of "SUPERantispyware", available from:
www.superantispyware.com .

Thanks for the help.

I clicked http://www.superantispyware.com/ and got "The page cannot be displayed". I typed it into the address bar, and also tried to click it via Google. I can't get to the site.
Can you guys get to the site, or is it just my computer?

I can get to a-squared, Free AVG Antispyware, and Spyware Terminator though; which one of these would be the best?

I have just tried the superantispyware.com link and it is working.

Preference, AVG-AS, SuperAntiSpyware, Spyware Terminator, a-squared. The only clause is not to have two resident anti-spyware scanners installed at the same time. AVG-AS is resident for the first 30 days trial, Spyware Terminator is resident always, so that is what you have to check before installing multiple anti-spyware tools.

Download SpywareGuard to protect against future hijackers.

  1. I cleaned my temporary files.
  2. Did the boot time scan, with the archive files. How is this different to a high scan when the computer is on?
  3. I then installed and ran AVG Anti-Spyware. It found 3 infections; I quarantined them.

http://i59.photobucket.com/albums/g284/thecreat/avg.jpg

Unfortunately my homepage is still set to good.allxun.com; I have tried to change it in Tools > Internet Options.

A boot scan scans before Windows is loaded, and usually will pick up infected files before they are loaded.

Looking at the picture you posted, 1 file is in System Restore. That is the first file listed. To remove it, turn System Restore off and schedule a boot time scan. Note you will lose all restore points.

The other two are probably the ones that are redirecting your browser and preventing you from changing your home page. Locate the files, scan them and, if they are infected, MOVE them to the chest and see if your problem goes away. Make sure that you disable System Restore first, or that file will be restored to your computer.

SpywareGuard hasn't had any update in nearly two years; I removed it ages ago. A security program that doesn't get maintained loses its benefit.

  1. Your image would appear to contradict this, as one of the files detected is in a temp location.
  2. Covered by oldman.
  3. The C:\System Volume Information folder is part of the System Restore function and as such is protected by Windows (so I believe that file may still be there); the only way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore.
    Win XP-ME - How to disable System Restore

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information: HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the "file missing" entry for avast). If you need any help with any of the analysis, let us know.

You will see an entry or entries like this, which redirect your home page; fix the one relating to good.allxun.com:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

You could also choose a different browser which isn't as susceptible to these browser hijacks, like Firefox or Opera or any non-IE-based browser.

This is my current hijackthis log, The system restore is disabled, and I am just about to fix the highlighted files. Is fixing the same as deleting?

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
c:\windows\pmsgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.734\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = good.allxun.com
O1 - Hosts: 222.88.90.22 www.4199.com
O1 - Hosts: 222.88.90.22 4199.com
O1 - Hosts: 222.88.90.22 www.9505.com
O1 - Hosts: 222.88.90.22 9505.com
O1 - Hosts: 222.88.90.22 7939.com
O1 - Hosts: 222.88.90.22 www.7939.com
O1 - Hosts: 222.88.90.22 www.3448.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeEventObj Class - {0FAFD871-DFE0-496D-8953-0D5BA28E9766} - C:\Program Files\Internet Explorer\PLUGINS\AviPlayer.dll (file missing)
O2 - BHO: 360安全卫士 - {8C7A85DB-99B6-4477-B14B-28FC27766244} - C:\WINDOWS\system32\fjzthwal.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

HijackThis couldn't delete/fix the files.
This pops up a few times (a little bit different each time):

An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 222.88.90.22 4199.com)
Error #70 - Permission denied

Please email me at merijn@spywareinfo.com, reporting the following:

  • What you were trying to fix when the error occurred, if applicable
  • How you can reproduce the error
  • A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Hi karavirs,

You need to fix this entry with HijackThis!

O2 - BHO: 360安全卫士 - {8C7A85DB-99B6-4477-B14B-28FC27766244} - C:\WINDOWS\system32\fjzthwal.dll

Reboot into Safe Mode after fixing the entry and delete the file if it has not been deleted already. You may need to enable 'view hidden files'.

http://www.pchell.com/support/safemode.shtml

http://www.bleepingcomputer.com/tutorials/tutorial62.html

Try to delete the R0/O1 entries again after you have done this.

You need to investigate the following further:

C:\WINDOWS\system32\cisrv.exe
c:\windows\pmsgr.exe

Try to find the files and submit them to VirusTotal:

http://www.virustotal.com/en/indexf.html
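The entries Frank picked out of the log above can be found mechanically. What follows is an added example for this page, not part of the original thread and not HijackThis or avast code: a small Python triage of a HijackThis 1.99.1 log. It embeds a constructed excerpt of the log posted above (the BHO name is the GBK-decoded form of the garbled "360…" entry), and flags hosts-file entries that point anywhere but loopback, a start page on a suspect-host list taken from the first post, BHOs whose DLL is reported missing or sits directly in system32, and processes running from the Windows root. The heuristics, the suspect list and the severity labels are assumptions of this example; its output is a worklist to check, not a verdict.

```python
"""Triage a HijackThis 1.99.1 log for the hijack indicators discussed in this thread.

Rules (heuristics, not verdicts; all assumed for this example):
  R0/R1  - IE start/search page entries: HIGH if the host is on the suspect list.
  O1     - hosts-file entries: HIGH if the IP is not loopback/blackhole, because
           that is a redirect rather than an ad-block entry.
  O2     - BHOs: MEDIUM if the DLL is reported missing (dangling CLSID) or lives
           directly in %SystemRoot%\\system32 (legitimate BHOs almost always
           install under Program Files); submit the latter to VirusTotal.
  procs  - running executables in the Windows root other than explorer.exe.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the log posted above; backslashes are doubled for Python.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\cisrv.exe
c:\\windows\\pmsgr.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = good.allxun.com
O1 - Hosts: 222.88.90.22 www.4199.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: IeEventObj Class - {0FAFD871-DFE0-496D-8953-0D5BA28E9766} - C:\\Program Files\\Internet Explorer\\PLUGINS\\AviPlayer.dll (file missing)
O2 - BHO: 360安全卫士 - {8C7A85DB-99B6-4477-B14B-28FC27766244} - C:\\WINDOWS\\system32\\fjzthwal.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

SUSPECT_HOSTS = {"good.allxun.com", "error.newcell.cn"}   # the two hosts from the first post
BENIGN_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}        # loopback/blackhole: ad-block style, not a redirect


@dataclass
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    line: str       # the log line that triggered the rule
    reason: str


R_ENTRY = re.compile(r"^(R[01]) - (.+?),(Start Page|Search Page|Local Page|Default_Page_URL|Search Bar) = (.*)$")
O1_ENTRY = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
WIN_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def host_of(value):
    """Reduce a start-page value ('http://host/path' or bare 'host') to its host."""
    value = re.sub(r"^[a-z]+://", "", value.strip().lower())
    return value.split("/")[0]


def triage(log_text):
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if WIN_ROOT.match(line) and not line.lower().endswith("\\explorer.exe"):
                findings.append(Finding("MEDIUM", line, "process running from the Windows root; submit to VirusTotal"))
            continue
        if m := R_ENTRY.match(line):
            host = host_of(m.group(4))
            if host in SUSPECT_HOSTS:
                findings.append(Finding("HIGH", line, f"{m.group(3)} points at suspect host {host}"))
            continue
        if m := O1_ENTRY.match(line):
            ip, name = m.groups()
            if ip not in BENIGN_HOSTS_IPS:
                findings.append(Finding("HIGH", line, f"hosts file redirects {name} to {ip}"))
            continue
        if m := O2_ENTRY.match(line):
            _name, clsid, path, missing = m.groups()
            if missing:
                findings.append(Finding("MEDIUM", line, f"dangling BHO {clsid}; fix the entry"))
            elif SYSTEM32.match(path):
                findings.append(Finding("MEDIUM", line, f"BHO DLL {path} sits in system32; scan/submit before fixing"))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the excerpt it reports pmsgr.exe, the good.allxun.com start page, the 222.88.90.22 hosts redirect, the dangling AviPlayer.dll BHO and the fjzthwal.dll BHO, and stays silent on the 127.0.0.1 hosts line and the avast Run entry. The O1 rule is the one worth keeping in mind: a hosts file full of 127.0.0.1 lines is normal for ad-blocking, while any other address is a redirect somebody else chose.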

Hi Karavirs:

IF Frank's recommendations do NOT result in you being able to "fix" those "O1" entries,
I recommend you download "Hoster" from www.funkytoad.com/download/hoster.zip .
After installing that program, I recommend you click the "Restore Microsoft's Original
Hosts File" button.

HijackThis "fix" is NOT the same as "Deleting"; I understand from the Editor of Spyware
Weekly Newsletter that HijackThis's "fix" then allows an antiSPYWARE program to
"quarantine/delete" what it could NOT do BEFORE the HijackThis "fix" !?
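What Hoster's restore button does can also be done by hand, and doing it by hand shows the step that matters. The following is an added example for this page, not part of the thread and not Hoster's or HijackThis's code. One common reason a hosts-file fix fails with a "Permission denied" error like the Error #70 above is that the hijacker has set the file read-only, so the script backs up the current file, clears that attribute, and only then writes the stock content back; it returns the redirect entries it removed so you can see what the hijack was mapping. The hosts path (XP layout) and the default content (a minimal stand-in for Microsoft's stock file) are assumptions; the demo runs against a constructed, read-only copy in a temporary directory rather than the live file.

```python
"""Restore a Windows hosts file to stock content after a hijack (added example).

Steps: read the current file, note every non-loopback mapping, back the file up,
clear the read-only attribute (a common cause of "Permission denied" when a tool
tries to rewrite it), then write the default content back.
"""
import os
import shutil
import stat
import tempfile

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # XP default location; assumed

# Minimal stand-in for the stock hosts file (the real one carries a longer comment banner).
DEFAULT_HOSTS = (
    "# Restored to the Windows default; previous copy saved as hosts.hijacked.bak\n"
    "127.0.0.1       localhost\n"
)
BENIGN_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # loopback/blackhole entries are not redirects


def redirect_entries(text):
    """Return (ip, name) pairs that map a name to something other than loopback."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip not in BENIGN_IPS:
            found.extend((ip, n) for n in names)
    return found


def restore_default_hosts(path=HOSTS_PATH):
    """Back up, clear read-only, rewrite. Returns the redirects that were removed."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        current = fh.read()
    removed = redirect_entries(current)
    shutil.copyfile(path, path + ".hijacked.bak")     # keep the evidence
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)       # clear the read-only attribute first
    with open(path, "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(DEFAULT_HOSTS)
    return removed


def demo():
    """Exercise the restore on a constructed, read-only copy of the hijacked file."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hosts")
    hijacked = (                       # constructed from the O1 lines in the log above
        "127.0.0.1       localhost\n"
        "222.88.90.22 www.4199.com\n"
        "222.88.90.22 4199.com\n"
        "222.88.90.22 www.9505.com\n"
    )
    with open(path, "w") as fh:
        fh.write(hijacked)
    os.chmod(path, stat.S_IREAD)       # simulate the hijacker's read-only attribute
    removed = restore_default_hosts(path)
    with open(path) as fh:
        after = fh.read()
    with open(path + ".hijacked.bak") as fh:
        backup = fh.read()
    return removed, after, backup


if __name__ == "__main__":
    removed, after, backup = demo()
    print("removed redirects:", removed)
    print(after, end="")
```

To use it on a real XP box, run it from an Administrator account with the default `HOSTS_PATH`, then confirm with `ipconfig /flushdns` and a fresh browser session that the redirected names resolve normally. If the write still fails after the attribute is cleared, something is holding the file open or rewriting it, which points back at the BHO or the unidentified processes rather than at the hosts file itself.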