Browser hijack attempt + malware



#1 tzevi


Posted 13 July 2004 - 02:42 AM

Hi

1. Ad-Watch identified 4 registry values. All of them Type: Reg data. Category: Data Miner.

Object 1: HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main "Start Page" (about:blank)

Object 2: HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main "Search Page"

Object 3: HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main "Search Bar"

Object 4: HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main "Search Assistant"



Comment: Possible Browser Hijack



2. I removed all four using Ad-Aware (and also sometimes by using CWShredder, which identified and removed CWS.Search), but the problem recurs.



3. How can I avoid reinfection and remove the problem permanently?

#2 Scoff


Posted 14 July 2004 - 08:38 AM

Please download HijackThis v1.98 here.
Unzip it to a convenient permanent folder, for example C:\HijackThis\HijackThis.exe.
Double-click HijackThis.exe and hit "Scan". The Scan button will turn into "Save Log"; copy and paste the fresh log here...

Please do not attempt to "Fix" anything yet, as we need to see the entire log, and most of it will be harmless and even essential to the running of your computer. You can't guarantee never to be reinfected again, other than by cutting your internet/phone cable :rofl: - but we can reduce the chances. We'll check you're clean first....
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky

#3 tzevi


Posted 15 July 2004 - 06:54 AM

Scoff

Here is the logfile. Thanks.


Logfile of HijackThis v1.98.0
Scan saved at 13:45:43, on 15/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\sistray.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\NetEx\netex.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\hppapml0.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Oded\LOCALS~1\Temp\Rar$EX00.359\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~1\netex\URLSEA~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - Startup: netex.LNK = C:\Program Files\NetEx\netex.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Export to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1987107-9308-4393-9748-B84EC035BFAC}: NameServer = 194.90.1.5 212.143.212.143
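The log above is a plain text file, and the entry classes that matter for a hijack investigation are easy to pull out mechanically: R0/R1 (the same Internet Explorer start/search page values Ad-Watch listed in the first post), R3 (URLSearchHooks), O2 (BHOs), O4 (autostarts) and O17 (DNS servers). The following is an added example, not code from the thread or from HijackThis, that parses a constructed sample made of lines copied from this log plus one made-up HKU line standing in for the about:blank start page. Every flag means "a helper should look at this", not "this is malware"; the path heuristic for O4 and the about:blank rule are assumptions of the example.

```python
"""Triage a HijackThis v1.98-style log for the entry classes that matter in a
browser-hijack investigation.  Every flag means "a helper should look at this",
not "this is malware".  Added example; not code from the thread or HijackThis.
"""
import re

# Constructed sample: lines taken from the log posted above, plus one made-up
# HKU line standing in for the about:blank start page Ad-Watch reported.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.0
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.ynet.co.il/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch =
R0 - HKU\\.DEFAULT\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\\PROGRA~1\\netex\\URLSEA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [HTpatch] C:\\WINDOWS\\htpatch.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{E1987107-9308-4393-9748-B84EC035BFAC}: NameServer = 194.90.1.5 212.143.212.143
"""

ENTRY_RE = re.compile(r"^(?P<cls>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Heuristic (assumption of this example): an autostart binary sitting directly
# in the Windows directory or under a Temp folder is unusual enough for a look.
ODD_PATH_RE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+\.exe$|\\temp\\")


def parse_entries(text):
    """Yield (class, body) for every 'Rn - ...' / 'On - ...' line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("cls"), m.group("body")


def triage(text):
    """Return (class, severity, detail) tuples; severity is 'review' or 'info'."""
    findings = []
    for cls, body in parse_entries(text):
        if cls in ("R0", "R1"):
            # R0/R1 are the Internet Explorer start/search page values, the same
            # keys Ad-Watch listed in the first post.
            m = re.match(r"(.*?)\s*=\s*(.*)$", body)
            if not m:
                continue
            key, value = m.groups()
            if value.lower() == "about:blank":
                findings.append((cls, "review", f"{key} set to about:blank"))
            elif not value:
                findings.append((cls, "info", f"{key} is empty"))
        elif cls == "R3":
            # A URLSearchHook sees every unqualified address-bar entry; list them all.
            clsid = CLSID_RE.search(body)
            findings.append((cls, "review",
                             f"URLSearchHook {clsid.group(0) if clsid else '?'} -> "
                             f"{body.rsplit(' - ', 1)[-1]}"))
        elif cls == "O2" and "(no name)" in body:
            # An unnamed BHO is identified only by its CLSID and DLL path.
            findings.append((cls, "review", f"unnamed BHO -> {body.rsplit(' - ', 1)[-1]}"))
        elif cls == "O4":
            target = body.split("] ", 1)[-1].strip().strip('"')
            if ODD_PATH_RE.search(target):
                findings.append((cls, "review", f"autostart from unusual path: {target}"))
        elif cls == "O17":
            # Resolver settings: confirm the servers are the ISP's, not a hijacker's.
            servers = body.split("NameServer = ", 1)[-1]
            findings.append((cls, "info", f"DNS servers to verify: {servers}"))
    return findings


if __name__ == "__main__":
    for cls, sev, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {cls:3} {detail}")
```

Run against the sample, `triage()` flags the about:blank R0 value, the R3 URLSearchHook, the unnamed O2 BHO and the O4 entry under C:\WINDOWS for review, and lists the empty CustomizeSearch value and the O17 name servers as information; the ynet start page, the NAV Helper BHO and ccApp produce nothing.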

#4 Scoff


Posted 18 July 2004 - 04:34 AM

tzevi

I can only apologise for the delay. I didn't receive an email notification that you'd replied. I'll get back to you as soon as I can.

Again, sorry.
Regards
Scoff


#5 Scoff


Posted 18 July 2004 - 04:10 PM

Hello Tzevi

Your log is clean. As promised, here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications; everything listed below is also free:
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard <= SpywareGuard offers real-time protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. In Windows Explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download the MVPS hosts file and extract it to the exact same location.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
To protect yourself further:
  • It would be worth reading How did I get infected in the first place?
  • Microsoft no longer supports its Java Virtual Machine. It is constantly targeted by spyware because of its security weaknesses. Uninstall the Microsoft Java VM and replace it with Sun Java. Instructions on how to do this are here.
  • I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Regards
Scoff

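The hosts-file step in the post above (rename hosts to hosts.old, drop in a list that sends ad and spyware names to 127.0.0.1) is worth doing with two checks a practitioner would want: the hosts file is itself a favourite target of hijackers, so the existing file should be audited for entries that send real names somewhere other than a sinkhole before it is kept or replaced, and a block list should never sinkhole sites you need (update servers for your antivirus, for instance). The following is an added example, not the MVPS file and not code from the thread, that does both and then performs the rename-and-write in a temporary directory. CURRENT_HOSTS, BLOCKLIST and MUST_RESOLVE are constructed stand-ins, not real data from the page.

```python
"""Audit a Windows HOSTS file and install a block list the way the post
describes (rename hosts -> hosts.old, write the new file).  Added example;
it is not the MVPS file and not code from the thread.

Assumptions, not from the page: CURRENT_HOSTS and BLOCKLIST are constructed
stand-ins for the machine's file and the downloaded list, and MUST_RESOLVE
is a made-up set of names a block list must never sinkhole.
"""
import ipaddress
import os
import tempfile

CURRENT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.example-bank.test   # constructed: the kind of line a hijacker plants
"""

BLOCKLIST = """\
127.0.0.1  localhost
127.0.0.1  ads.example.test
127.0.0.1  tracker.example.test
127.0.0.1  update.example-av.test   # constructed: a list must not block update sites
"""

MUST_RESOLVE = {"update.example-av.test"}
# A hosts-file block list only ever points names at a sinkhole address.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each entry; comments and blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            yield n, ip, names


def audit_hosts(text):
    """Flag (line_no, kind, detail): a name sent somewhere other than a sinkhole
    (the hijack case, 'redirect'), a sinkholed name that must stay reachable
    ('blocks-needed-site'), or an address that does not parse ('malformed')."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "malformed", ip))
            continue
        for name in names:
            if name == "localhost":
                continue
            if addr not in SINKHOLES:
                findings.append((n, "redirect", f"{name} -> {ip}"))
            elif name in MUST_RESOLVE:
                findings.append((n, "blocks-needed-site", name))
    return findings


def merge_hosts(current, blocklist):
    """Build the replacement file: localhost first, then every clean entry from
    the current file and the block list, one line per name, flagged lines dropped."""
    names = {}  # name -> ip; the current file wins on duplicates
    for text in (current, blocklist):
        flagged = {n for n, _, _ in audit_hosts(text)}
        for n, ip, hosts in parse_hosts(text):
            if n in flagged:
                continue
            for h in hosts:
                names.setdefault(h, ip)
    names.pop("localhost", None)
    lines = ["127.0.0.1 localhost"] + [f"{ip} {h}" for h, ip in sorted(names.items())]
    return "\n".join(lines) + "\n"


def install_hosts(etc_dir, new_text):
    """Rename the existing hosts file to hosts.old, then write the new one with
    Windows line endings.  etc_dir is C:\\WINDOWS\\System32\\Drivers\\Etc on XP."""
    path = os.path.join(etc_dir, "hosts")
    if os.path.exists(path):
        os.replace(path, path + ".old")  # overwrites an older hosts.old
    with open(path, "w", newline="\r\n") as f:
        f.write(new_text)
    return path


def simulate_install():
    """Run the whole procedure in a temporary directory and return
    (backup_text, installed_text), so the result can be checked without
    touching the real system file."""
    etc_dir = tempfile.mkdtemp()
    with open(os.path.join(etc_dir, "hosts"), "w") as f:
        f.write(CURRENT_HOSTS)
    path = install_hosts(etc_dir, merge_hosts(CURRENT_HOSTS, BLOCKLIST))
    with open(path + ".old") as f:
        backup = f.read()
    with open(path, newline="") as f:
        installed = f.read()
    return backup, installed


if __name__ == "__main__":
    for finding in audit_hosts(CURRENT_HOSTS) + audit_hosts(BLOCKLIST):
        print("flagged:", finding)
    print(merge_hosts(CURRENT_HOSTS, BLOCKLIST))
```

On the constructed input the audit flags the bank redirect in the current file and the update-site entry in the block list, and `merge_hosts()` leaves both out of the new file. Pointing `install_hosts()` at the real Drivers\Etc directory requires administrator rights, and on Windows XP a very large hosts file can slow name lookups while the DNS Client service is running, which the MVPS instructions address separately.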

#6 tzevi


Posted 19 July 2004 - 03:04 PM

Hi Scoff,

Thanks for the help. I'll try to use all the tips and hopefully manage to get out of this messy situation. Thanks again. Tzevi

#7 Scoff


Posted 19 July 2004 - 05:11 PM

You're not in too bad a situation, as nothing got through your defences that you couldn't clean up. There'll always be nasties trying to do harm, but hopefully this will reduce the risk of any of them being able to.

Regards
Scoff




