My Web pages are not mine anymore ?

[Jennifer]

I'm using Front Page 2000 for my Web pages. (been using it for about three years now) Today I went to my Web pages and they are pages of advertising different searches and so on. Does anyone know what may have happened ? Is this a type of High Jacking ?

Please help,
thanks,

-------------------
Jenn...

[pop pop]

I am not a programmer nor a webmaster, however, I would definitely suspect that your web pages have been hacked. Basically, someone has set up shop in your house and is making money at your expense. I would guess that some of the people here who run and maintain web pages can give you some insight. Sorry to hear about it. We spend so much time and effort here protecting our individual PC's, I would think there are ways to protect web pages.

[Fruss Tray Ted]

Post a link to one of your pages. Let's see if the same page opens for us as it does for you.

[Jennifer]

Ok, after running Search and Destroy I found out that I had the "DSO Exploit". After some intense research I found out how to get rid of it by editing parts of my registry. Here's a link that some of you might find helpful.

How do I Remove DSO Exploit

Thanks to those that were willing to help me out.
---------
Jenn...

[pop pop]

You are the first case of "real" DSO Exploit I've heard of. I have a couple of questions: What OS are you running? What version of SpyBot S&D? There are two reasons I ask. First, S&D versions previous to 1.31 would always detect DSO, whether real or not. It was a bug in the program that was fixed in v1.31. Second, assuming you are running XP up to date with all patches, you should not have been vulnerable to DSO anyway. Have the adverts now disappeared?

This exploit is a bug in Internet Explorer that under certain circumstances would allow untrusted software to run on the computer. In other words, its a hole in Internet Explorer that hackers could use to gain access to your system.

However, if you are running the latest version of Internet Explorer and have all your Windows Updates installed, the bug has been patched and is not a threat to your computer system. Even though Spybot may still show it as a threat.

[Jennifer]

Ok perhaps I spoke to soon. I did get rid of the DSO Exploit, but I still don't have control of my webpage’s. I'm running the latest Version of S&D 1.3 with Windows XP Pro and all the updates. Search and Destroy is still showing two entries of DyFuCa, so I'm assuming that this is my problem. I can't find anyway to get rid of this like I did with the DSO without having to pay for a software program. Any ideas ?

-----------
thanks,
Jenn...

[david eaton]

Please post a link to one of your pages, so we can see if they are wrong for us as well as you.
It could still be malware on your computer, so please download Hijack this . Unzip it into its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

[Jennifer]

Here's a link to one of the home pages: http://www.windyvista.com

Here's my hijack log:
Logfile of HijackThis v1.98.2
Scan saved at 2:41:55 PM, on 11/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\King David\Wusage8\wusages.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windyvista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101789999854
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O17 - HKLM\System\CCS\Services\Tcpip\..\{323CD308-B7A2-46B3-9A36-0292BB73A477}: NameServer = 207.228.35.42 207.228.37.195

[david eaton]

Your Hijack this log is clean. That's the good news! The bad news is that your webpages have been hijacked.
I suggest that you contact the hosting company as a first step.
I would also suggest that clicking on any of the links on that page would not be a good idea! They all seem to be very suspicious, and I'm almost sure I recognised a couple of Coolweb domains in there.

[Jennifer]

Thank you for the quick response. I will start with my hosting company as you suggest, and I will post back when the problem is resolved.

--------
thanks,
Jenn...

[PrntRhd]

Jennifer,
Also see this post today by Yoda74 that includes Dy Fu Ca as one of the infectors:
http://www.pcguide.com/vb/showthread...150#post207150

[Paleo Pete]

Here's a screenshot of what I see at that page, using Linux. The url is a redirect,

rcom._seek2._c om/index.php?domain=windyvista.com

I put a couple of underscores and a space in so it won't work as a link. Definitely a hijack, and the above advice is the best I can think of, contact the hosting domain. IT might originate on their servers, probably not on your machine.

EDIT: Never mind the screenshot, way too big...oh well...

[Jennifer]

Well here's an update: I just spoke with my hosting company (CI HOST). They didn't tell me what was wrong exactly, but they said they would have it up and working on my end in twelve hours. I'll keep my fingers crossed and post back. In the mean time I'll be trying to figure out how to get rid of that DyFuCa crap off my computer.

---------
thanks for all the feedback,
Jenn...

[Jennifer]

In less then four hours I had my webpages back after contacting my host. I also got rid of DyFuCa !!!!!!!!!!!

----------------
Jenn... a happy camper

[david eaton]

Glad you got it fixed. Good work by the hosting company too.
Thanks for letting us know what happened.