HIJACKED BROWSER



Kiniwe
08-03-2004, 12:46 PM
Hi, I have a hijacked browser window and have reviewed earlier posts and FAQ#8b. I have done all the suggested remedies (including Ad-Aware, Spybot and Spy Sweeper) except step 5 onwards in FAQ#8b, as it looks too complicated, and I still get the hijacked browser home page on booting up.

I have a screen capture in jpeg form of the browser window and wonder if I can send that or post it here in some way so that anyone who has had a similar attack can advise me how they removed it?

Many thanks

Fire-and-Ice
08-03-2004, 01:04 PM
Which FAQ 8b did you follow? There are two #8b FAQs. If it wasn't the Spyware one try that. You will probably have to run either HijackThis or CWShredder.

To post a screenshot here upload your image to here (http://sal.neoburn.net/imagef1/?mode=home) and post the link back in this thread and we will see what we can do. ;-)

Peter H
08-03-2004, 01:15 PM
Once you are back to normal, go here http://www.wilderssecurity & install "browser hijack blaster" Make sure that you add it to your start-up items. Good luck.
Bye

Kiniwe
08-03-2004, 02:25 PM
Many thanks
have uploaded the picture of the hijacked browser page for advice and I am running through some additional checks

tommy
08-03-2004, 04:59 PM
It looks like you need CWShredder. Download from here (http://www.majorgeeks.com/download4086.html). You may also need the other tool listed on that page. Post back here with your results.

Kiniwe
08-03-2004, 07:17 PM
Thanks for that.
Have downloaded CWShredder and CoolWWWSearch.SmartKiller and run both as suggested. Rebooted and amended default homepage details through Control Panel/Internet Options before opening IE.

Rebooted again but the hijacker remains.
Running CWShredder again I note that the following two items that were removed previously were still there and removed again. This makes me think that there is a programme that automatically loads these up again after every restart:
cws.svchost32
cws.xmlmimefilter

Any ideas?

Kiniwe
08-03-2004, 07:21 PM
Also the link to the uploaded screen shot of the hijacking browser home page is: http://sal.neoburn.net/imagef1/files/hijacked_home_page.jpg

Pheonix
08-03-2004, 07:25 PM
If you go to www.google.com and then make that your home page, does it get hijacked also?

Just wondering whether your about:blank is what has been hijacked.

If using XP or ME, turn off your restore. Then run CWShredder, then Spybot. Restart PC and turn on restore.

Pheonix
08-03-2004, 07:32 PM
If you are not familiar with turning the restore function on/off, have a read here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam)

Kiniwe
08-03-2004, 07:34 PM
I can set a new default home page but it attempts to change it back to the hijacking page later on. I am running Spysweeper and this programme prevents it from doing this. However, whenever I restart the computer the default home page once again becomes this hijacker page.
I am running Windows 2000 Pro and Internet Explorer as the browser.

Peter H
08-03-2004, 07:49 PM
about:blank made itself my home page yesterday (just reformatted & hadn't installed Browser Hijack Blaster). Just made my home page Paradise.net.nz, clicked on apply, and all was well. Not sure how it got there as my son was on the comp at the time. From memory he had only gone to Hotmail.
Bye

Kiniwe
08-03-2004, 08:02 PM
Okay.
Have now seemed to get my default home page (www.arai.co.nz) working whenever I start IE. However, it never quite gets there as it slows right down and a message comes up "Connecting to 66.79.170.10". This page never quite loads either and the IE "page not available" page comes up.
Any ideas out there please?
I ran HijackThis and got the following:

Logfile of HijackThis v1.97.5
Scan saved at 7:27:59 p.m., on 8/03/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\WINNT\SYSTEM32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINNT\SYSTEM32\SW.EXE
C:\WINNT\System32\dpmw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\My Documents\Computer Stuff\downloads\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aifind.inf/?id=54
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arai.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aifind.inf/?id=54
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arai.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/1409/bl8.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.twoa.ac.nz:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.26.*.*;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.arai.co.nz/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [PP8 SE Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [acromedM] C:\WINNT\System32\acromedM.exe
O4 - HKLM\..\Run: [Scanreg] C:\WINNT\SYSTEM32\SW.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38053.8324305556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

Pheonix
08-03-2004, 08:07 PM
First time that I know of that CWShredder couldn't demolish it.

You may have to download HijackThis (http://www.spywareinfo.com/~merijn/files/HijackThis.exe) and see if there are instances of CoolWeb listed. You can post your list here (http://www.spywareinfo.com/forums/index.php?showforum=30) where they will tell you what to mark for removal. It lists everything, good or bad; if unsure, leave it. It may be vital.

Pheonix
08-03-2004, 08:18 PM
Yes well you can tick (to fix) those items with http://aifind.inf/?id=54 for a start.
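
To make the triage step above concrete, here is an added example that is not from the thread and not a tool either poster used: a small Python script that reads lines in the shape of the HijackThis log posted earlier and reports which R0/R1 entries point somewhere other than the hosts the machine's owner expects (the "aifind" lines Pheonix says to tick), flags an R3 URLSearchHook that points at no file, and lists O4 autostart entries for manual review, which is where to look when CWShredder's removals come back after every reboot. The sample log lines are a constructed subset of the posted log, and TRUSTED_HOSTS is an assumption specific to this machine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of lines in the shape of the HijackThis v1.97
# log posted above (R0/R1 browser settings, one R3 hook, two O4 autostarts).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aifind.inf/?id=54
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arai.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/1409/bl8.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.twoa.ac.nz:8080
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
"""

# Assumption: the hosts this machine's owner expects as home/search pages.
# Every R0/R1 URL whose host is not listed here is reported as "fix".
TRUSTED_HOSTS = {"www.arai.co.nz", "go.compaq.com"}

R_LINE = re.compile(r"^(?P<item>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


def classify_r(name, value):
    """Verdict, reason and host for one IE registry value (an R0/R1 line)."""
    value = value.strip()
    if name.strip() == "ProxyServer":
        # No scheme here. A proxy is not a hijack by itself, but it sees every
        # request, so the owner must recognise it.
        return "verify", "proxy in use: confirm it is your organisation's", value
    parts = urlsplit(value)
    if parts.scheme == "about":
        return "neutral", "about: URL", None
    host = parts.hostname or ""
    if host in TRUSTED_HOSTS:
        return "trusted", "expected host", host
    return "fix", "host not in TRUSTED_HOSTS", host


def triage(log_text):
    """Walk a HijackThis log and return one finding dict per line of interest."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            verdict, reason, host = classify_r(m["name"], m["value"])
            findings.append({"item": m["item"], "verdict": verdict,
                             "reason": reason, "host": host, "line": line})
            continue
        if line.startswith("R3 - ") and line.endswith("(no file)"):
            # A URLSearchHook whose DLL no longer exists: nothing worth keeping.
            findings.append({"item": "R3", "verdict": "fix",
                             "reason": "orphaned URLSearchHook", "host": None, "line": line})
            continue
        m = O4_RUN.match(line)
        if m:
            cmd = m["cmd"].strip()
            # A bare file name is resolved through the search path at logon, so
            # the reviewer has to locate the binary before trusting the entry.
            bare = "\\" not in cmd.split(" ")[0]
            reason = "autostart (bare name, resolved via PATH)" if bare else "autostart"
            findings.append({"item": "O4", "verdict": "review",
                             "reason": reason, "host": None, "line": line})
    return findings


def hijack_hosts(log_text):
    """Hosts that R0/R1 lines point at and that are not in TRUSTED_HOSTS."""
    return {f["host"] for f in triage(log_text) if f["verdict"] == "fix" and f["host"]}


def lines_to_fix(log_text):
    """The exact log lines one would tick in HijackThis."""
    return [f["line"] for f in triage(log_text) if f["verdict"] == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:8} {f['item']:3} {f['reason']}: {f['line']}")
```

On the sample, the two aifind.inf lines and the orphaned R3 hook come out as "fix", the Compaq and arai.co.nz entries as "trusted", the proxy as "verify", and the two Run entries as "review". The script deliberately never marks an O4 entry as bad on its own: as Pheonix says, HijackThis lists everything, good or bad, and an autostart has to be checked against the binary on disk before it is removed.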

Kiniwe
08-03-2004, 08:39 PM
Problem seems to be fixed although not clear what did this (fixed before the removal of the "aifind" items) so this thread can end.
Sorry for not providing a clear pathway to fix the problem for others searching answers.
Thanks to all the above posters who provided answers so promptly. Really appreciate your help.

Kiniwe
