
Hijacked Internet Explorer



#1 C0deman

Posted 04 April 2005 - 10:25 AM

Hi
I have been working on a friend's machine for the last several days. I have stopped all programs from starting that I know how to stop and searched the registry for anything out of the norm, but I cannot find anything causing IE to be redirected to http://e-finder.cc/hp/p/g1.jpg, or http://www.webcruiser.cc/%68%70/, or http://eager-search.cc/img/p.gif. IE has been hijacked and I am out of ideas; can someone please help? Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:14 AM, on 4/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

*************
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ATDP Class - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINDOWS\atlassw.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4631A48D-D6AD-4F04-A539-93D3F68E1EE1}: NameServer = 207.218.192.38 207.218.192.39
********************

The 2 things that seem to be coming back are Start Page = http://default.home
and NameServer = 207.218.192.38 207.218.192.39

I have deleted both of these while in Safe Mode but they keep returning.

Any help would be greatly appreciated.


Mod Edit: This will be moved to a more appropriate Forum.

Edited by scarlett, 04 April 2005 - 10:28 AM.


#2 Grinler (Lawrence Abrams, Admin)

Posted 04 April 2005 - 05:32 PM

Those O17 entries are for your DNS servers. They belong to:

Everyones Internet, Inc.

Is that your ISP?

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: ATDP Class - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINDOWS\atlassw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4631A48D-D6AD-4F04-A539-93D3F68E1EE1}: NameServer = 207.218.192.38 207.218.192.39

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\atlassw.dll

Reboot your computer to go back to normal mode and post a new log.

#3 C0deman (Topic Starter, Members)

Posted 04 April 2005 - 08:14 PM

Thank you Grinler, that did the trick.

Actually there are four entries under HKLM\System\CCS\Services\Tcpip....
Why did HJT just pull out the one set of addresses?

I also notice that there is a file "C:\Windows\ATLASSUI.exe" with a 16 bit program icon next to where ATLASSW.dll was. The date it was created is the same date as the system was hijacked. Should I go ahead and delete this file?

If you have the time, can you explain how Internet Explorer was calling ATLASSW.dll? I searched the entire Registry looking for an entry that would connect IE to that file and was unable to find it. Just a short explanation will do.

Thank you again. I probably was about to wipe out the hard drive and reload; you saved me quite a bit of time.

#4 Grinler (Lawrence Abrams, Admin)

Posted 05 April 2005 - 09:42 AM

Yes you can delete C:\Windows\ATLASSUI.exe.

As for the DLL, it was a BHO that started the DLL every time Internet Explorer started. You probably could not find it in the registry because HJT removed the entry when we fixed it.
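To see the three registry locations behind the R0, O2 and O17 lines of the log above without HijackThis, here is an added example (not posted in the thread or part of HijackThis) that reads them with PowerShell; it assumes an elevated session on the machine being examined and the standard key names below.

```powershell
# Added example, not from the thread: read the three registry locations
# behind the R0, O2 and O17 lines of the HijackThis log directly.
# Run in an elevated PowerShell on the machine being examined.

function Get-BrowserHelperObjects {
    # O2: IE loads every CLSID listed under this key at start-up; the DLL
    # path lives under the CLSID's InprocServer32 key, not under the BHO
    # key, so a registry search for the file name turns up nothing obvious.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($sub in Get-ChildItem $bhoKey -ErrorAction SilentlyContinue) {
        $clsid  = $sub.PSChildName
        $server = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ CLSID = $clsid; Dll = $server.'(default)' }
    }
}

function Get-InterfaceNameServers {
    # O17: one subkey per network interface. HijackThis prints one line per
    # interface holding a static NameServer, so the same rogue resolvers can
    # appear on several interfaces; each one has to be cleared.
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($sub in Get-ChildItem $ifKey) {
        $p = Get-ItemProperty $sub.PSPath
        if ($p.NameServer -or $p.DhcpNameServer) {
            [pscustomobject]@{
                Interface      = $sub.PSChildName
                NameServer     = $p.NameServer       # static value, the one a hijacker changes
                DhcpNameServer = $p.DhcpNameServer   # value learned from DHCP
            }
        }
    }
}

function Get-StartPages {
    # R0: Start Page is read from both the user and the machine hive.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $p = Get-ItemProperty "$hive\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Hive = $hive; StartPage = $p.'Start Page' }
    }
}

Get-StartPages | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
Get-InterfaceNameServers | Format-Table -AutoSize
```

Compare the Dll column against known software (Acrobat, Money) and the NameServer column against the resolvers your ISP actually issues; anything else is what HijackThis would have flagged.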
