(Solved) Internet Explorer Hijack

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Slade979

Thread Starter
Joined
May 25, 2003
Messages
6
Hi... I recently had my Internet Explorer hijacked. I had all kinds of things added to my browser (new home page, sleazy search page, sleazy favorites among lots of other things... it even made my home page a bogus warning about having my privacy completely compromised). I went offline and did the following... virus check, HijackThis, and Spybot (after a long overdue update). I had HijackThis correct the most obvious sex related entries. Spybot located several entries for "coolwwwsearch" (all were related to Internet Explorer). I had it correct these entries. The corrections didn't do anything. When I went online I was still hijacked. I decided to do a system restore and this solved my problem. All signs of a hijacking disappeared. After this I downloaded all the appropriate patches from Microsoft. I ran HijackThis and the log seems to be normal (see below). However I decided to run Spybot again and it found the entries for coolwwwsearch again (see below). Are these entries still valid? They say "registry change, nothing done". Is that a reference to the previous state changes made by system restore? My system is working fine. Should I have Spybot correct them again? Is Spybot making an error related to system restore? Should I uninstall Spybot and reinstall? Please help, I want to make sure my system is virus and hijack free. I haven't had any problems for a whole year. One foul click ruined my run! Any info is appreciated.


SPYBOT SEARCH RESULTS RECORDED AFTER SYSTEM RESTORE WHEN MY INTERNET EXPLORER WAS RUNNING NORMAL AGAIN:


Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\RELATED.HTM

CoolWWWSearch: IE Customized search (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch=about:blank

CoolWWWSearch: IE Default page (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

CoolWWWSearch: IE Default page (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

CoolWWWSearch: IE Default search page (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL=about:blank

CoolWWWSearch: IE Default search page (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL=about:blank

CoolWWWSearch: IE Search assistent (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank

CoolWWWSearch: IE Search page (Registry change, nothing done)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com

CoolWWWSearch: IE Search page (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page=http://www.google.com

CoolWWWSearch: IE Start page (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page=about:blank

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-375612493-2704883870-4021508746-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

MS Works: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Update Detection

MS Works: Program file (File, nothing done)
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe


--- Spybot-S&D version: 1.2 ---
2003-09-05 Includes\Cookies.sbi
2003-09-09 Includes\Dialer.sbi
2003-09-08 Includes\Hijackers.sbi
2003-09-05 Includes\Keyloggers.sbi
2003-09-08 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-09-05 Includes\Security.sbi
2003-09-09 Includes\Spybots.sbi
2003-08-28 Includes\Temporary.sbi
2003-09-05 Includes\Tracks.uti
2003-09-05 Includes\Trojans.sbi


HIJACK THIS LOG RECORDED AFTER SYSTEM RESTORE WHEN MY INTERNET EXPLORER WAS RUNNING NORMAL AGAIN:

Logfile of HijackThis v1.95.0
Scan saved at 7:10:19 AM, on 10/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Eric\My Documents\Hijack This-All Info\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://dellnet.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.kazaa-lite.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.kazaa-lite.ws/results.php?show=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.kazaa-lite.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.kazaa-lite.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.kazaa-lite.ws/results.php?show=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.kazaa-lite.ws/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.kazaa-lite.ws/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.kazaa-lite.ws/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.0203587963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




THIS IS MY STARTUP LIST:

AOL Companion c:\progra~1\aolcom~1\compan~1.exe /s All Users Common Startup
AdaptecDirectCD "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
America Online 8.0 Tray Icon c:\progra~1\americ~3.0\aoltray.exe -check All Users Common Startup
DESKTOP desktop.ini NT AUTHORITY\SYSTEM Startup
DESKTOP desktop.ini GROWLS\Eric Startup
DESKTOP desktop.ini .DEFAULT Startup
DESKTOP desktop.ini All Users Common Startup
Dell|Alert c:\program files\dell\support\alert\bin\damon.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Digital Line Detect c:\progra~1\digita~1\dlg.exe All Users Common Startup
EPSON Status Monitor 3 Environment Check 2 c:\windows\system32\spool\drivers\w32x86\3\e_srcv02.exe All Users Common Startup
EPSON Stylus C80 Series c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe /a "c:\windows\system32\e_s11.tmp" GROWLS\Eric HKU\S-1-5-21-375612493-2704883870-4021508746-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotSync Manager c:\progra~1\sonyha~1\hotsync.exe All Users Common Startup
Ink Monitor c:\program files\epson\ink monitor\inkmonitor.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "c:\program files\messenger\msmsgs.exe" /background GROWLS\Eric HKU\S-1-5-21-375612493-2704883870-4021508746-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Works Calendar Reminders c:\progra~1\common~1\micros~1\workss~1\wkcalrem.exe All Users Common Startup
Microsoft Works Update Detection c:\program files\common files\microsoft shared\works shared\wkufind.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MoneyAgent "c:\program files\microsoft money\system\money express.exe" GROWLS\Eric HKU\S-1-5-21-375612493-2704883870-4021508746-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV Agent c:\progra~1\norton~1\navapw32.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Omnipage c:\program files\scansoft\omnipagese\opware32.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealTray c:\program files\real\realplayer\realplay.exe systemboothideplayer All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mmtask c:\program files\musicmatch\musicmatch jukebox\mmtask.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
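As an added example (not from this thread and not part of HijackThis, Spybot or CWShredder), the following Python script applies the check a helper performs by eye on the R0/R1 lines of a HijackThis log: it parses each line and flags any start, search or default-page value that points at a host the owner did not choose. The allow-list of hosts is an assumption to be edited for the machine in question; the sample lines are copied from the log in the post above.

```python
import re
from urllib.parse import urlparse

# Browser-setting values a hijacker rewrites; every one of these names
# appears in the Spybot and HijackThis output quoted in the post.
WATCHED = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL",
           "CustomizeSearch", "SearchAssistant", "Local Page"}

# Hosts the machine's owner actually chose (assumption: edit this for your
# own home and search pages before relying on the result).
ALLOWED_HOSTS = {"dellnet.msn.com", "www.google.com"}

# R-section line shape: "R1 - HKCU\Software\...\Main,Search Page=http://..."
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),([^=]+)=(.*)$")


def parse_r_line(line):
    """Split one HijackThis R0-R3 line into its fields; None for other lines."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    return dict(zip(("kind", "hive", "key", "value", "data"), m.groups()))


def verdict(entry):
    """'ok' for blank/about: pages, local files and allow-listed hosts;
    'suspicious' when the value points at a host the owner did not choose."""
    data = entry["data"]
    if data == "" or data.lower().startswith("about:"):
        return "ok"
    if "://" not in data:  # local file, e.g. C:\WINDOWS\System32\blank.htm
        return "ok"
    host = (urlparse(data).hostname or "").lower()
    return "ok" if host in ALLOWED_HOSTS else "suspicious"


def audit(log_text):
    """Return (value name, hive, data) for each watched setting judged suspicious."""
    hits = []
    for line in log_text.splitlines():
        e = parse_r_line(line)
        if e and e["value"] in WATCHED and verdict(e) == "suspicious":
            hits.append((e["value"], e["hive"], e["data"]))
    return hits


# Sample lines copied from the HijackThis log in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.kazaa-lite.ws/results.php?show=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://dellnet.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.kazaa-lite.ws/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
"""
```

Running `audit(SAMPLE)` reports the two kazaa-lite.ws entries and leaves the MSN start page and the local blank.htm alone.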
 

Slade979

Thread Starter
Joined
May 25, 2003
Messages
6
Thanks for the help... that little program ran as smooth as silk and seems to have removed all remnants of that malevolent pest. All of my scans with Spybot, Adaware, Norton and HijackThis are coming up pretty clean. I'm very grateful for the one line of help considering my bloated post. I only have two follow-up questions. After a reboot I decided to look for the MS patch that is mentioned in the how to prevent reinfection section of CWShredder since it told me I was missing the patch. I found and installed this critical patch (816093) and after a reboot I ran CWShredder again but it again informed me that it didn't find the patch. I was just wondering if I have the right patch or not. I'm pretty sure I do but this seems to be a glitch in an otherwise great program. Also if coolwwwsearch is designated as a trojan why did my fully updated Norton fail to detect it? Anyway thanks for the help... I'm running quick and steady again... cheers...
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
It always says "didn't find the patch", because there isn't actually a patch; it's a new complete download of the M$ Java VM. I have the same problem with CWShredder and the message, but I use Sun Java so it won't find it.

CWShredder works to clear the system, just keep it on the computer and run it every week to be sure.
 
