
Thread: My Web pages are not mine anymore ?

  1. #1
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141

    My Web pages are not mine anymore ?

    I'm using Front Page 2000 for my Web pages (been using it for about three years now). Today I went to my Web pages and they are pages of advertising different searches and so on. Does anyone know what may have happened? Is this a type of hijacking?

    Please help,
    thanks,

    -------------------
    Jenn...

  2. #2
    Join Date
    Jun 2004
    Location
    To The Right Of The Left Coast
    Posts
    2,491
    I am not a programmer nor a webmaster; however, I would definitely suspect that your web pages have been hacked. Basically, someone has set up shop in your house and is making money at your expense. I would guess that some of the people here who run and maintain web pages can give you some insight. Sorry to hear about it. We spend so much time and effort here protecting our individual PCs, I would think there are ways to protect web pages.
    Pop Pop
    ===========
    "Anyone who has never made a mistake has never tried anything new."
    Albert Einstein

  3. #3
    Join Date
    Feb 2002
    Location
    Nor'East USA
    Posts
    5,505
    Post a link to one of your pages. Let's see if the same page opens for us as it does for you.

  4. #4
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141
    Ok, after running Search and Destroy I found out that I had the "DSO Exploit". After some intense research I found out how to get rid of it by editing parts of my registry. Here's a link that some of you might find helpful.

    How do I Remove DSO Exploit

    Thanks to those that were willing to help me out.
    ---------
    Jenn...

  5. #5
    Join Date
    Jun 2004
    Location
    To The Right Of The Left Coast
    Posts
    2,491
    You are the first case of "real" DSO Exploit I've heard of. I have a couple of questions: What OS are you running? What version of SpyBot S&D? There are two reasons I ask. First, S&D versions previous to 1.31 would always detect DSO, whether real or not. It was a bug in the program that was fixed in v1.31. Second, assuming you are running XP up to date with all patches, you should not have been vulnerable to DSO anyway. Have the adverts now disappeared?

    This exploit is a bug in Internet Explorer that under certain circumstances would allow untrusted software to run on the computer. In other words, it's a hole in Internet Explorer that hackers could use to gain access to your system.

    However, if you are running the latest version of Internet Explorer and have all your Windows Updates installed, the bug has been patched and is not a threat to your computer system, even though Spybot may still show it as a threat.
    Pop Pop
    ===========
    "Anyone who has never made a mistake has never tried anything new."
    Albert Einstein

  6. #6
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141
    Ok, perhaps I spoke too soon. I did get rid of the DSO Exploit, but I still don't have control of my webpages. I'm running the latest Version of S&D 1.3 with Windows XP Pro and all the updates. Search and Destroy is still showing two entries of DyFuCa, so I'm assuming that this is my problem. I can't find any way to get rid of this like I did with the DSO without having to pay for a software program. Any ideas?

    -----------
    thanks,
    Jenn...

  7. #7
    Join Date
    Feb 2002
    Location
    Somerset, England
    Posts
    2,762
    Please post a link to one of your pages, so we can see if they are wrong for us as well as you.
    It could still be malware on your computer, so please download HijackThis. Unzip it into its own folder, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
    be wary of strong drink - it may make you shoot at tax collectors, and miss!

  8. #8
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141
    Here's a link to one of the home pages: http://www.windyvista.com

    Here's my hijack log:
    Logfile of HijackThis v1.98.2
    Scan saved at 2:41:55 PM, on 11/30/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\King David\Wusage8\wusages.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack\hijackthis\HijackThis.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windyvista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101789999854
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
    O17 - HKLM\System\CCS\Services\Tcpip\..\{323CD308-B7A2-46B3-9A36-0292BB73A477}: NameServer = 207.228.35.42 207.228.37.195

  9. #9
    Join Date
    Feb 2002
    Location
    Somerset, England
    Posts
    2,762
    Your HijackThis log is clean. That's the good news! The bad news is that your webpages have been hijacked.
    I suggest that you contact the hosting company as a first step.
    I would also suggest that clicking on any of the links on that page would not be a good idea! They all seem to be very suspicious, and I'm almost sure I recognised a couple of Coolweb domains in there.
    be wary of strong drink - it may make you shoot at tax collectors, and miss!
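
As an added example (not part of the original thread or any poster's code): a small Python parser that groups the entries of a HijackThis log like the one posted in #8 by section code and pulls out the start pages, DNS servers and ActiveX download hosts, so they can be compared against what the machine's owner expects. The section descriptions summarize HijackThis's section codes, the function names are hypothetical, and the sample is a short excerpt of the posted log.

```python
import re
from collections import defaultdict

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*)$")
# Meaning of the section codes that appear in the thread's log (HijackThis 1.9x).
SECTIONS = {"R0": "IE start/search page", "R1": "IE default page",
            "O2": "Browser Helper Object", "O3": "IE toolbar",
            "O4": "autostart entry", "O8": "IE context-menu item",
            "O9": "IE extra button", "O12": "IE plugin",
            "O16": "downloaded ActiveX control", "O17": "DNS/domain setting"}

# Short excerpt of the log posted in #8, embedded so the example runs offline.
SAMPLE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windyvista.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{323CD308-B7A2-46B3-9A36-0292BB73A477}: NameServer = 207.228.35.42 207.228.37.195
"""

def parse_log(text):
    """Group entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if (m := ENTRY.match(line)):
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def summarize(groups):
    """Entry count per section, labelled with the section's meaning."""
    return {f"{c} ({SECTIONS.get(c, 'other')})": len(v) for c, v in groups.items()}

def review_points(groups):
    """Values to compare with what the owner expects to see on the machine."""
    points = {"start_pages": [], "dns_servers": [], "activex_hosts": []}
    for detail in groups.get("R0", []) + groups.get("R1", []):
        points["start_pages"].append(detail.rsplit(" = ", 1)[-1])
    for detail in groups.get("O17", []):
        if "NameServer = " in detail:
            points["dns_servers"] += detail.split("NameServer = ", 1)[1].replace(",", " ").split()
    for detail in groups.get("O16", []):
        if (m := re.search(r"https?://([^/\s]+)", detail)):
            points["activex_hosts"].append(m.group(1))
    return points
```

Calling `review_points(parse_log(SAMPLE))` returns the start page, the two name servers and the one ActiveX host from the excerpt; a saved log file can be read and passed to `parse_log` in the same way.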

  10. #10
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141
    Thank you for the quick response. I will start with my hosting company as you suggest, and I will post back when the problem is resolved.

    --------
    thanks,
    Jenn...

  11. #11
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,431
    Jennifer,
    Also see this post today by Yoda74 that includes Dy Fu Ca as one of the infectors:
    http://www.pcguide.com/vb/showthread...150#post207150

  12. #12
    Join Date
    Sep 2000
    Location
    Third rock from the Sun
    Posts
    6,828
    Blog Entries
    1
    Here's a screenshot of what I see at that page, using Linux. The URL is a redirect,

    rcom._seek2._c om/index.php?domain=windyvista.com

    I put a couple of underscores and a space in so it won't work as a link. Definitely a hijack, and the above advice is the best I can think of, contact the hosting domain. It might originate on their servers, probably not on your machine.

    EDIT: Never mind the screenshot, way too big...oh well...
    Why do I drive way out here to see the wildlife when all the animals live in town?

    Note: Please post your questions on the forums, not in my email. Otherwise I may sic my armed bear on you!

    My Photography

  13. #13
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141
    Well, here's an update: I just spoke with my hosting company (CI HOST). They didn't tell me what was wrong exactly, but they said they would have it up and working on my end in twelve hours. I'll keep my fingers crossed and post back. In the meantime I'll be trying to figure out how to get rid of that DyFuCa crap off my computer.

    ---------
    thanks for all the feedback,
    Jenn...

  14. #14
    Join Date
    Mar 2001
    Location
    Nevada
    Posts
    141
    In less than four hours I had my webpages back after contacting my host. I also got rid of DyFuCa !!!!!!!!!!!

    ----------------
    Jenn... a happy camper

  15. #15
    Join Date
    Feb 2002
    Location
    Somerset, England
    Posts
    2,762
    Glad you got it fixed. Good work by the hosting company too.
    Thanks for letting us know what happened.
    be wary of strong drink - it may make you shoot at tax collectors, and miss!
