PDA

View Full Version : IE7 – Hijacked & “Open in New Tab” function disabled



jonjet
06-02-2007, 02:13 PM
I am operating XP-Pro SP2 with IE7 installed and have recently installed a Bit Torrent program that has hijacked my system despite having NORTON'S Internet Security 2007, AdawareSE and SpyBot Search & Destroy installed.

Every time I opened IE several other windows would open advertising dating services and or online casinos. Furthermore the “Open in New Tab” function of IE7 has been disabled.

I know I have brought this problem upon myself for by not being more circumspect about the Bit Torrent program I chose to install but I had faith in the inbuilt security in IE7 together with NORTON Internet Security, Adaware and SpyBot S&D. This faith was obviously unfounded and I have been caught out be a rather annoying problem.

I have un-installed the offending Bit Torrent program and have installed XsoftSpySE which has found and removed a large number of malicious items seemingly related to this problem, which Adaware or SpyBot S&D did not find. This has cured the problem with the pop-up windows, but even after un-installing and re-installing IE7 I have not been able to remedy the problem with the “Open in New Tab” function.

I have searched the Microsoft Knowledge base and have not found anything related to this issue. Microsoft seems to make it very difficult to access support for this level of problem despite it being one that may well affect a large number of users. I am unable to access Microsoft email support as despite IE7 being a recent install the support for my MS products has expired.

I would appreciate any advice as to how I can resolve this issue.

Regards,
Jon

Speedy Gonzales
06-02-2007, 02:26 PM
Get the file in my sig below. Remember to unzip it first

stu161204
06-02-2007, 02:48 PM
Welcome to PressF1 jonjet :D

jonjet
06-02-2007, 05:10 PM
Thnx Speedy - I spoke to soon about my system being cured of the pesky popup windows as they have returned.

I've downloaded and installed the Hijackthis program and run it but the log it produced does not appear to have anything nasty on it that I should remove - it all appeared legitimate to me but of course I'm no expert.

jonjet
06-02-2007, 05:12 PM
Hi Stu - thnx for the welcome!

Speedy Gonzales
06-02-2007, 05:18 PM
So what happens when u press Ctrl-T? Does a tab appear?

Or try re-setting IE's options to their defaults.

Well IE 7 isn't that secure. Nor is Nortons for that matter. Or any firewall, if Windows isn't up to date.

A lot of people were / or used to use Nortons found that even tho it was installed and running, you still got malware / or something nasty.

Well not only that but Nortons is also a memory/resource hog, they've replaced it with something like Avast/AVG/Nod32.

jonjet
06-02-2007, 06:55 PM
Thnx Speedy - if I Ctrl-T I do get a new tab but resettin the options to default has not fixed the problem

Jen
06-02-2007, 08:55 PM
I've downloaded and installed the Hijackthis program and run it but the log it produced does not appear to have anything nasty on it that I should remove - it all appeared legitimate to me but of course I'm no expert.Seeing as you still have problems, it would pay to post the HJT log here and let others take a look at it just to make sure. :)

jonjet
07-02-2007, 08:16 AM
Here is the HJT log;

Logfile of HijackThis v1.99.1
Scan saved at 8:07:05 a.m., on 7/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Privacy Control\ccEmFlSv.exe
C:\Documents and Settings\John R Gray\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [VGASOFTWARE] C:\DOCUME~1\JOHNRG~1\APPLIC~1\POKEBO~1\FiveDumb.ex e
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://myairnz.airnz.co.nz/downloads/authorware_players/awswaxd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165299278000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165299456968
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Speedy Gonzales
07-02-2007, 10:12 AM
Unzip the HJT file FIRST and put it in its own folder. Close browser/s.

Then run it again then tick these entries and tick fix checked.

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

O4 - HKCU\..\Run: [VGASOFTWARE] C:\DOCUME~1\JOHNRG~1\APPLIC~1\POKEBO~1\FiveDumb.ex e - I don't know what this is, it shouldn't be running from this folder anyway.

I don't think you've got a firewall installed either

Also try Trojan remover (http://www.simplysup.com/tremover/download.html) download it install it run it, then click on scan, then select the 3rd to 7th option under utilities.

kjaada
07-02-2007, 11:37 AM
Speedy please,
Are the hjt logs getting longer all the time or is my screen shrinking?

Speedy Gonzales
07-02-2007, 12:03 PM
Yer some can be long, it depends on whats installed and whats running.

jonjet
07-02-2007, 09:41 PM
Thanks Speedy - I'll give it a go. I do have Nortons Internet Security 2007 which has a firewall and it appear to be all installed and turned on. Do you think I should re-install NIS 2007??

Speedy Gonzales
07-02-2007, 09:53 PM
Thanks Speedy - I'll give it a go. I do have Nortons Internet Security 2007 which has a firewall and it appear to be all installed and turned on. Do you think I should re-install NIS 2007??

Well u can if u want, but most of the ppl here use something else NIS is too resource / memory hungry. And slows a system down. It doesnt really matter what version is installed.

Pancake
08-02-2007, 01:04 PM
You will need to dig this one right out.Its a Lop infection.

O4 - HKCU\..\Run: [VGASOFTWARE] C:\DOCUME~1\JOHNRG~1\APPLIC~1\POKEBO~1\FiveDumb.ex e

jonjet
16-02-2007, 12:03 AM
Hi everyone - I've tried everything that has been suggested and I still have the disabled open in new tab function and the annoying popups continue.
What ever is in my computer has evaded Trojan remove, regcure, HJT, Trojan Remover, SpyEraser, SbyBot, Adaware, XspyXE - it even disabled my firewall and phishing filter so now I am really worried!

Do I have to do a format and re-install? to clean up the problem and secure my system again?

bob_doe_nz
16-02-2007, 12:46 AM
Personally I would be inclined to do so.

But that would depend on how much data you have stored on it.
Doesn't Microsoft do their own anti-spyware software?

motorbyclist
16-02-2007, 01:02 AM
Hi everyone - I've tried everything that has been suggested and I still have the disabled open in new tab function and the annoying popups continue.
What ever is in my computer has evaded Trojan remove, regcure, HJT, Trojan Remover, SpyEraser, SbyBot, Adaware, XspyXE - it even disabled my firewall and phishing filter so now I am really worried!

Do I have to do a format and re-install? to clean up the problem and secure my system again?

if i was you i would. i would also be cautious about backing up files (as infection may spread to new machine via that medium).

as speedy said, norton is pretty useless. the only reason it is widely distributed is because they bundle it for free. it is common, not the same as being good.

both AVG and avast free editions will do better jobs. i have found spybot and adaware combined with either of those antivirus programs effective, avast seems to be more so as my current system is yet to be ruined (yet my family members still manage it by doing as you have done).

perhaps making the move to firefox couldn't hurt either...

zqwerty
16-02-2007, 01:04 AM
Have a look at this:

http://pages.citebite.com/w1i0b8b4w1nan

Go to the bottom of the page.

Trev
16-02-2007, 09:01 AM
Download and run Vundofix from here.

http://www.atribune.org/ccount/click.php?id=4

Trevor :)