Browser hijacked

  User-CCA737B4-DBA7-4F4C-BDAAFBC56485ADB2 05:01 16 Feb 2004

Having a problem with browser and unwanted shortcuts, have run Spybot Search and Destroy, and still the same. Running Windows 2000. Whenever I log out and back in again the browser is hijacked. Used HijackThis, report as follows; any help would be appreciated. I can remove these, but as soon as I log out and log in they come back again.

Logfile of HijackThis v1.97.7
Scan saved at 05:56:13, on 16/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\UPS\Upsman\upsman.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\\InstallStub.exe -a
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{E79F2C8C-47F2-4221-B92C-06AA6E8F98CC}: NameServer =

  GANDALF <|:-)> 07:24 16 Feb 2004

Try Adaware from click here (free version) or try running the command ipconfig /flushdns (not sure if it works in 2000). It may help if you know the name of the hijacker.


  temp003 07:56 16 Feb 2004

The file which is causing you the problem is rundll32.vbe, it's attached itself to your system32 folder. It is set in the registry to run every time you start. Hence it keeps coming back.

It's not shown in the list of running processes, so maybe it stops running quickly after startup.

Step 1 - show all files

In My Computer, click Tools, Folder Options, View tab, and (1) tick "Show hidden files and folders", (2) untick "Hide file extensions for known file types", (3) untick "Hide protected operating system files" and say yes to the confirmation dialogue, (4) click OK.

Step 2 - find and delete rundll32.vbe

Then go to C:\WINNT\system32 folder and find the file rundll32.vbe. Make sure you've got the right file extension. Delete it.

If it says cannot delete, Read Only, right click the file, Properties, untick Read Only, click OK.

If it says process is running, cannot delete, right click Desktop taskbar and select Task Manager, Processes tab, see if you can see it listed, if so, highlight it and click End Process. Confirm the action. Exit Task Manager and try deleting it again in My Computer.

Step 3 - Remove Startup items in registry (take this step even if you fail in step 2)

Exit My Computer. Click Start, Run, type regedit and press Enter. Be careful when you're in the registry. Don't make any rash changes.

On the left, expand till you get to the key HKEY Current User\ Software\ Microsoft\ Windows\ Current Version\ Run

Highlight "Run" by clicking it once. At the top left, click Registry and select Export Registry File. You'll be prompted to save it. Save it somewhere you can remember, say, My Documents, and call it curun.reg. Click Save. This is a backup of the registry key.

Back in regedit, with "Run" still highlighted, look to the right and find the entry called Windows Security Assistant. Under the Data column, it should refer to the file rundll32.vbe. Right click the name "Windows Security Assistant" and select delete. Confirm it.

Then navigate to HKEY Local Machine\Software\ Microsoft\ Windows\ Current Version\ Run. Highlight "Run" and export it as before, calling the file LMRUN.reg and save it at the same location. Then find the same item "Windows Security Assistant". Delete it as before.

Then somewhere below the Run key on the left, you should see another key called RunServices. Highlight "RunServices" and repeat the steps above of backing up the key, calling it LMRunsvc.reg, and deleting the item "Windows Security Assistant".

Step 4 - remove rogue IE settings

Still in regedit, navigate on the left to HKEY Current User\Software\ Microsoft\ Internet Explorer\ Main. Highlight "Main". Export registry file as before and save it as CUMain.reg.

Then with Main still highlighted, on the right, look for all the items which refer to website addresses of brutal-video .net and drusearch .com. Right click the items one by one, and delete them (total 4).

Go to HKEY Local Machine\Software \Microsoft\Internet Explorer\Main, export the "Main" key, save it as LMMain.reg, and on the right, delete the items referring to the web addresses (total 6).

After all this, exit regedit. Restart computer. Try IE again to see if it's OK. Don't know what your start page is going to be after this, probably something to do with Microsoft. Try the search function to see what search engine is used. Change settings if desired. Close IE and restart to see if settings are retained.

There are 2 items in the registry I'm not sure about. One is HKEY Current User\Software\... Current Version\ Internet Settings - the item Proxy Server, the other is HKEY Local Machine\System .... Name Server. I think they are probably legitimate, maybe something to do with resolution of web addresses.

After making the changes above, try a number of websites, search engines and so on to see if you get to the right website, just in case those 2 items are rogue and redirect web addresses to other rogue sites. If so, post back, but do not delete those items yet.
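Added example, not code from this thread: a small Python triage script over lines in the HijackThis log format shown above. It flags the three things temp003's steps go after: O4 autoruns that launch a script file, IE start/search values that have been set, and one autorun name repeated under HKLM\Run, HKLM\RunServices and HKCU\Run. The sample log, the regexes and the script-extension list are my own constructions.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.97 log format, modelled on a few lines of the
# posted log (the forum software replaced URLs with "click here"); not the full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# O4 lines are Run/RunServices autoruns; R0/R1 lines are IE start/search settings.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>.+?) = ?(?P<data>.*)$")
# Script-host extensions (my list); rundll32.vbe is named to look like the real rundll32.exe.
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta")

def exe_of(cmd: str) -> str:
    """Program path from a Run-key command line, whether quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else cmd

def triage(log: str) -> list:
    """Findings: script autoruns, IE overrides, and autorun names repeated across keys."""
    findings, by_name = [], defaultdict(list)  # name -> every hive\key it appears under
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            by_name[m["name"].lower()].append(f'{m["hive"]}\\{m["key"]}')
            exe = exe_of(m["cmd"])
            if exe.lower().endswith(SCRIPT_EXTS):
                findings.append({"line": line, "reason": f"autorun launches a script file: {exe}"})
            continue
        m = R_RE.match(line)
        if m and "Internet Explorer" in m["key"] and m["data"].strip():
            findings.append({"line": line, "reason": f"IE '{m['value']}' is set; verify the URL"})
    # One name under HKLM\Run, HKLM\RunServices and HKCU\Run is why deleting a single
    # copy does not stick: every copy has to go.
    for name, places in by_name.items():
        if len(places) > 1:
            findings.append({"line": name, "reason": "same autorun name under " + ", ".join(places)})
    return findings
```

Feed `triage()` a real HijackThis log read from disk; empty ProxyServer and NameServer values (the two items temp003 was unsure about) are deliberately not flagged because they carry no data.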

  Jester2K 07:57 16 Feb 2004

O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe

O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINNT\system32\rundll32.vbe

Lovely pair of viruses (well actually both are the same one)....
click here

  Jester2K 07:58 16 Feb 2004

Also ditch Norman AV and get AVG 6 Free click here if it's missing that virus. Or update it so it picks it up.

  muppetmark 08:00 16 Feb 2004

Coolwebshredder takes care of the above hijacker.

Available click here; run it hitting FIX rather than scan only.

  Jester2K 08:01 16 Feb 2004

Also ditch Spykiller.

Use Adaware click here and SpyBot click here for free.

  temp003 08:30 16 Feb 2004

About rundll32.vbe - there are legitimate files in the system32 folder with the name rundll32 but different file extensions, so make sure you're deleting .vbe (hence the need to show file extensions).

If IE seems to be working fine afterwards, especially after a couple of restarts, you should delete the 5 backed up registry files: CURun, LMRun, LMRunsvc, CUMain and LMMain.

The other thing about your setup is you have loads of applications/processes running at startup which you probably don't need. They just hog your computer resources.

Click here to download and install Mike Lin's Startup Control Panel 2.8 (59KB). Then go to Control Panel and you'll get a new icon called Startup. Double click it and go through each tab to see the list of applications running at startup. Untick any item you don't need at startup (they will still start properly as and when you need to use them).

General rule, if you're not sure about any particular item, leave it as ticked.

mobsync.exe - you must keep as ticked.

Norman - I assume it's antivirus - keep the items as ticked

CreateCD - don't need it at startup. Untick it, unless you're really into burning CD every time you use the computer (even then, you don't need it at startup)

DirectCD - do not need it at startup, unless you quite often need to read or write CDs with packet-writing, and initiating DirectCD every time may be a bit of a pain.

HP, Acrobat, WinZip, don't need at startup. You can use them as and when you need.

MSN Messenger (msnmsgr.exe and loadqm.exe) - up to you.

ctfmon.exe - keep it - to do with a feature in Office XP which apparently you can't turn off anyway unless you uninstall "Alternative User Input" in Office XP. click here

Microsoft Office (osa.exe) - depends on how often you use and switch between Office applications. Quite a big resource hogger, but up to you. I always turn it off.

Visit the Startup Control Panel regularly to check for rogue (or unnecessary) startup items.

Update your virus definitions. If you don't mind, install a firewall such as the free ZoneAlarm. May not stop all further attacks but should help.

Many thanks to everyone who replied; this has now been resolved. A big thank you to temp003 for your concise and easy-to-follow instructions, which made all the difference.

