
(Solved) Internet Explorer Hijack

Discussion in 'All Other Software' started by Slade979, Oct 1, 2003.

  1. Slade979

    Slade979 Thread Starter

    Joined:
    May 25, 2003
    Messages:
    6
    Hi... I recently had my Internet Explorer hijacked. I had all kinds of things added to my browser (new home page, sleazy search page, sleazy favorites, among lots of other things... it even made my home page a bogus warning about having my privacy completely compromised). I went offline and did the following... virus check, HijackThis, and Spybot (after a long overdue update). I had HijackThis correct the most obvious sex-related entries. Spybot located several entries for "coolwwwsearch" (all were related to Internet Explorer). I had it correct these entries. The corrections didn't do anything. When I went online I was still hijacked. I decided to do a system restore and this solved my problem. All signs of a hijacking disappeared. After this I downloaded all the appropriate patches from Microsoft. I ran HijackThis and the log seems to be normal (see below). However, I decided to run Spybot again and it found the entries for coolwwwsearch again (see below). Are these entries still valid? They say "registry change, nothing done". Is that a reference to the previous state changes made by system restore? My system is working fine. Should I have Spybot correct them again? Is Spybot making an error related to system restore? Should I uninstall Spybot and reinstall? Please help, I want to make sure my system is virus and hijack free. I haven't had any problems for a whole year. One foul click ruined my run! Any info is appreciated.


    SPYBOT SEARCH RESULTS RECORDED AFTER SYSTEM RESTORE WHEN MY INTERNET EXPLORER WAS RUNNING NORMAL AGAIN:


    Alexa Related: What's related link (Replace file, nothing done)
    C:\WINDOWS\Web\RELATED.HTM

    CoolWWWSearch: IE Customized search (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch=about:blank

    CoolWWWSearch: IE Default page (Registry change, nothing done)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

    CoolWWWSearch: IE Default page (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

    CoolWWWSearch: IE Default search page (Registry change, nothing done)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL=about:blank

    CoolWWWSearch: IE Default search page (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL=about:blank

    CoolWWWSearch: IE Search assistent (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank

    CoolWWWSearch: IE Search page (Registry change, nothing done)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com

    CoolWWWSearch: IE Search page (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com

    CoolWWWSearch: IE Start page (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-375612493-2704883870-4021508746-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    MS Works: Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Update Detection

    MS Works: Program file (File, nothing done)
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe


    --- Spybot-S&D version: 1.2 ---
    2003-09-05 Includes\Cookies.sbi
    2003-09-09 Includes\Dialer.sbi
    2003-09-08 Includes\Hijackers.sbi
    2003-09-05 Includes\Keyloggers.sbi
    2003-09-08 Includes\Malware.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2003-09-05 Includes\Security.sbi
    2003-09-09 Includes\Spybots.sbi
    2003-08-28 Includes\Temporary.sbi
    2003-09-05 Includes\Tracks.uti
    2003-09-05 Includes\Trojans.sbi


    HIJACK THIS LOG RECORDED AFTER SYSTEM RESTORE WHEN MY INTERNET EXPLORER WAS RUNNING NORMAL AGAIN:

    Logfile of HijackThis v1.95.0
    Scan saved at 7:10:19 AM, on 10/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Eric\My Documents\Hijack This-All Info\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://dellnet.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.kazaa-lite.ws/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.kazaa-lite.ws/results.php?show=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.kazaa-lite.ws/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.kazaa-lite.ws/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.kazaa-lite.ws/results.php?show=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.kazaa-lite.ws/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.kazaa-lite.ws/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.kazaa-lite.ws/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.0203587963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    THIS IS MY STARTUP LIST:

    AOL Companion c:\progra~1\aolcom~1\compan~1.exe /s All Users Common Startup
    AdaptecDirectCD "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    America Online 8.0 Tray Icon c:\progra~1\americ~3.0\aoltray.exe -check All Users Common Startup
    DESKTOP desktop.ini NT AUTHORITY\SYSTEM Startup
    DESKTOP desktop.ini GROWLS\Eric Startup
    DESKTOP desktop.ini .DEFAULT Startup
    DESKTOP desktop.ini All Users Common Startup
    Dell|Alert c:\program files\dell\support\alert\bin\damon.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Digital Line Detect c:\progra~1\digita~1\dlg.exe All Users Common Startup
    EPSON Status Monitor 3 Environment Check 2 c:\windows\system32\spool\drivers\w32x86\3\e_srcv02.exe All Users Common Startup
    EPSON Stylus C80 Series c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe /a "c:\windows\system32\e_s11.tmp" GROWLS\Eric HKU\S-1-5-21-375612493-2704883870-4021508746-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HotSync Manager c:\progra~1\sonyha~1\hotsync.exe All Users Common Startup
    Ink Monitor c:\program files\epson\ink monitor\inkmonitor.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS "c:\program files\messenger\msmsgs.exe" /background GROWLS\Eric HKU\S-1-5-21-375612493-2704883870-4021508746-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Works Calendar Reminders c:\progra~1\common~1\micros~1\workss~1\wkcalrem.exe All Users Common Startup
    Microsoft Works Update Detection c:\program files\common files\microsoft shared\works shared\wkufind.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MoneyAgent "c:\program files\microsoft money\system\money express.exe" GROWLS\Eric HKU\S-1-5-21-375612493-2704883870-4021508746-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NAV Agent c:\progra~1\norton~1\navapw32.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Omnipage c:\program files\scansoft\omnipagese\opware32.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RealTray c:\program files\real\realplayer\realplay.exe systemboothideplayer All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    mmtask c:\program files\musicmatch\musicmatch jukebox\mmtask.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
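The two logs in this post disagree in an instructive way: the Spybot findings show the IE page values as `about:blank` and `www.google.com`, while the HijackThis R0/R1 lines show the same values pointing at `www.kazaa-lite.ws`. A quick way to triage such logs is to parse both formats into one list and flag every start, search or default page whose target host is not one the owner actually chose. The following Python script is an added example for this thread, not a tool from the original post or from Spybot or HijackThis; its allowlist (`ALLOWED_HOSTS`) and the sample lines are constructed here, with the sample lines copied from the two logs above.

```python
"""Triage helper for Internet Explorer start/search page hijacks.

Parses two finding formats shown in the thread:
  * Spybot-S&D registry lines:
        HKEY_LOCAL_MACHINE\\SOFTWARE\\...\\Main\\Start Page=about:blank
  * HijackThis R0/R1 lines:
        R0 - HKLM\\Software\\...\\Main,Start Page=http://www.kazaa-lite.ws/

and reports every IE page value whose target host is not on an allowlist.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption for this example): the hosts this user
# chose for home/search pages. A real one is filled in per machine.
ALLOWED_HOSTS = {"www.google.com", "dellnet.msn.com"}
ALLOWED_LITERALS = {"about:blank"}

# Hive abbreviations used by HijackThis, mapped to Spybot's full names.
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
                "HKU": "HKEY_USERS"}

# Registry value names that control where IE navigates or searches.
PAGE_VALUES = {"Start Page", "Search Page", "Default_Page_URL",
               "Default_Search_URL", "CustomizeSearch", "SearchAssistant",
               "Local Page"}

HJT_RE = re.compile(
    r"^R[01] - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<name>[^=]+)=(?P<value>.*)$")
SPYBOT_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_.]+)\\(?P<key>.+)\\(?P<name>[^\\=]+)=(?P<value>.*)$")


def parse_line(line):
    """Return (hive, key, name, value) for an HJT or Spybot registry line, else None."""
    line = line.strip()
    m = HJT_RE.match(line) or SPYBOT_RE.match(line)
    if not m:
        return None
    hive = HIVE_ALIASES.get(m["hive"], m["hive"])
    return hive, m["key"], m["name"], m["value"]


def classify(value):
    """'ok' for allowlisted or local values, 'suspicious' for anything else."""
    if value in ALLOWED_LITERALS:
        return "ok"
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https"):
        return "ok" if parsed.hostname in ALLOWED_HOSTS else "suspicious"
    if re.match(r"^[A-Za-z]:\\", value):
        return "ok"  # local file such as blank.htm; still worth a look by hand
    return "suspicious"


def triage(lines):
    """Parse every line and keep only IE page values, each with a verdict."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # prose, process list, DPF entries, etc.
        hive, key, name, value = parsed
        if name not in PAGE_VALUES:
            continue  # e.g. the Zones\0\1004 DSO-exploit setting
        findings.append({"hive": hive, "key": key, "name": name,
                         "value": value, "verdict": classify(value)})
    return findings


def suspicious_hosts(findings):
    """Distinct hosts behind every suspicious finding, sorted."""
    return sorted({urlparse(f["value"]).hostname
                   for f in findings if f["verdict"] == "suspicious"})


# Sample input: lines copied from the Spybot and HijackThis logs in this thread.
SAMPLE_LINES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch=about:blank",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank",
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://dellnet.msn.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.kazaa-lite.ws/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.kazaa-lite.ws/results.php?show=",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.kazaa-lite.ws/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.kazaa-lite.ws/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.kazaa-lite.ws/results.php?show=",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.kazaa-lite.ws/search.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.kazaa-lite.ws/search.html",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.kazaa-lite.ws/",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"{f['verdict']:10} {f['hive']}\\{f['key']}\\{f['name']} = {f['value']}")
    print("suspicious hosts:", suspicious_hosts(results))
```

Run over the sample, the three Spybot values and the `dellnet.msn.com` and `blank.htm` entries come back `ok`, while the ten `kazaa-lite.ws` entries are flagged; the DSO-exploit zone setting is parsed but skipped because it is not a page value. The same parser works on a full HijackThis log pasted from a clipboard, since every non-matching line is ignored.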
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,149
    First Name:
    Derek
  3. Slade979

    Slade979 Thread Starter

    Joined:
    May 25, 2003
    Messages:
    6
    Thanks for the help... that little program ran as smooth as silk and seems to have removed all remnants of that malevolent pest. All of my scans with Spybot, Adaware, Norton and HijackThis are coming up pretty clean. I'm very grateful for the one line of help considering my bloated post. I only have two follow-up questions. After a reboot I decided to look for the MS patch that is mentioned in the "how to prevent reinfection" section of CWShredder, since it told me I was missing the patch. I found and installed this critical patch (816093) and after a reboot I ran CWShredder again, but it again informed me that it didn't find the patch. I was just wondering if I have the right patch or not. I'm pretty sure I do, but this seems to be a glitch in an otherwise great program. Also, if coolwwwsearch is designated as a trojan, why did my fully updated Norton fail to detect it? Anyway, thanks for the help... I'm running quick and steady again... cheers...
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,149
    First Name:
    Derek
    It always says it didn't find the patch, because there isn't actually a patch; it's a new complete download of the M$ Java VM. I have the same problem with CWShredder and the message, but I use Sun Java so it won't find it.

    CWShredder works to clear the system; just keep it on the computer and run it every week to be sure.
     

Short URL to this thread: https://techguy.org/168761
