browser hijack problem



#1 Guest_pcdunx_*

  • Guests

Posted 05 November 2004 - 05:51 PM

I am trying to fix a mate's PC that has a browser hijacker.

Have run Sophos, AVG, Spybot 1.3, Adaware SE 1.05, CWShredder 2.0, Trojan Hunter - all with latest updates.

Spybot & Adaware find various things and remove them, but they come straight back again.

e.g. CoolWWWSearch.Aff.Winshow

Home page is constantly changed back to http://195.255.176.14

Have run HijackThis and removed all the R1, R0, O13 lines that aren't Yahoo,

but again they keep coming back, so there must be something I have missed.

Would really appreciate your help please.

Windows2000 SP4, IE6 SP1 - all with latest updates from MS

Log file is:

Logfile of HijackThis v1.98.2
Scan saved at 22:50:49, on 05/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\htpatch.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\internat.exe
C:\WINNT\monitor.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\MDM.EXE
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [monitor] monitor.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O13 - DefaultPrefix:
O13 - WWW Prefix: http://195.225.176.14/pre.pl?
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{88A1CC25-6B73-4C02-8ABE-7C173D31B7D2}: NameServer = 192.168.1.10


Best Regards

Dunx

#2 CalamityKen

  • Members
  • 128 posts
  • Location:Whitby. Ont.

Posted 06 November 2004 - 12:34 AM

pcdunx, welcome.

Please print this out and follow ALL these directions carefully.

This is a new CoolWebSearch (CWS) hijack infection; it is hard to remove and may take a few runs at it to completely remove it.

The system might have the W32.HLLW.Shower.J worm, judging by the presence of monitor.exe:
http://securityresponse.symantec.com/avcen...w.shower.j.html

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Find and delete if still present:
monitor.exe <== file

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.14/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.14/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.14/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.14/
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix: http://195.225.176.14/pre.pl?
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/


Reboot and install the prevention protection below to help keep your friends from being infected on the Internet.

Empty the Recycle Bin frequently.

Run CleanUp! as the Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
http://cleanup.stevengould.org/
Then reboot to let it clean out what it found.

By the way, in order to improve Internet Explorer (IE) performance, the Temporary Internet Files (TIF) should be cleaned out periodically.
Also, it is a good idea to limit the size of the TIF to 200MB for performance's sake.
In IE go to Tools then Internet Options then Settings and move the slider down to 200MB.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html
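The entries CalamityKen singles out share a few patterns a reviewer can check for mechanically: R0/R1 IE settings that point at a bare IP address instead of a hostname, a Shell= value that loads something besides Explorer.exe, an O13 URL-prefix hijack, and a Run entry that loads the same extra program the Shell= line names. The script below is an added example (not part of this thread or of HijackThis itself) that parses HijackThis v1.98-style log lines and flags those patterns; the sample log is constructed here, modelled on the one posted above.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.98 log format, modelled on the log posted above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://195.225.176.14/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [monitor] monitor.exe
O13 - DefaultPrefix:
O13 - WWW Prefix: http://195.225.176.14/pre.pl?
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# A URL whose host is a bare dotted-quad address rather than a hostname.
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)")


def parse(log: str) -> List[Tuple[str, str, str]]:
    """Split a log into (section code, body, original line) records."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["code"], m["body"], line.strip()))
    return out


def shell_extras(body: str) -> List[str]:
    """Programs named in a system.ini Shell= value other than Explorer.exe."""
    value = body.split("Shell=", 1)[1] if "Shell=" in body else ""
    return [p for p in value.split() if p.lower() != "explorer.exe"]


def suspicious(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs a reviewer should look at first."""
    entries = parse(log)
    extras = {e.lower() for code, body, _ in entries if code == "F2" for e in shell_extras(body)}
    hits = []
    for code, body, line in entries:
        if code in ("R0", "R1") and " = " in body and BARE_IP_URL.match(body.split(" = ", 1)[1]):
            hits.append((line, "IE setting points at a bare IP address"))
        elif code == "F2" and shell_extras(body):
            hits.append((line, "Shell= loads a program besides Explorer.exe"))
        elif code == "O13" and BARE_IP_URL.match(body.split(": ", 1)[-1]):
            hits.append((line, "URL prefix hijack pointing at a bare IP address"))
        elif code == "O4" and "] " in body:
            # Basename of the command, e.g. 'monitor.exe' from '[monitor] monitor.exe'
            exe = body.split("] ", 1)[1].split()[0].strip('"').split("\\")[-1].lower()
            if exe in extras:
                hits.append((line, "Run entry loads the same program as the Shell= value"))
    return hits


if __name__ == "__main__":
    for line, reason in suspicious(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Entries that point at a real hostname (the Yahoo start page) or a plain vendor Run entry (SoundMan) are left alone, so the output is just the short list of lines worth fixing in HijackThis.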

#3 Guest_pcdunx_*

  • Guests

Posted 06 November 2004 - 03:39 AM

Many thanks for help.

monitor.exe was there and the process was running, so I stopped it and deleted the file. Ran HJT, removed your suggested entries, rebooted, ran HJT again - all OK.

Ran CleanUp and SpywareBlaster.

Ran SpyBot & cleaned one entry.

Rebooted, ran all search / clean / AV programs - system looks pretty damn clean.

Another big learning day and another day of more software downloads!!

Cheers

Dunx

#4 CalamityKen

  • Members
  • 128 posts
  • Location:Whitby. Ont.

Posted 06 November 2004 - 04:45 AM

pcdunx, my pleasure.

I hope you had a good Guy Fawkes Day.
http://dmoz.org/Society/Holidays/Guy_Fawkes_Day/

#5 daveog

  • Members
  • 1 post

Posted 29 November 2004 - 08:46 AM

Many, many thanks Calamity Ken. This has also solved my problem, very, very helpful! Thanks again!