| Thread ID: 45595 | 2004-05-27 06:35:00 | Browser Hijacker | sarel (2490) | Press F1 |
| Post ID | Timestamp | Content | User |
| 239693 | 2004-05-27 06:35:00 | Hi guys, I'm stumped. I'm running WinME (all patches downloaded and installed). Since about two weeks ago a hijacker has been trying to take over my browser. Spysweeper stops him cold, but I can't delete the hijacker. I found the name, CWS.Msconfig, and Google doesn't say much. I've tried everything, for example (with the latest signatures):

Run Adaware - only identifies the browser:

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
Possible Browser Hijack attempt Object recognized!
    Type    : RegData
    Data    : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object  : Software\Microsoft\Internet Explorer\Main
    Value   : Start Page
    Data    : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
Possible Browser Hijack attempt Object recognized!
    Type    : RegData
    Data    : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object  : Software\Microsoft\Internet Explorer\Main
    Value   : Start Page
    Data    : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
2020Search Object recognized!
    Type    : RegData
    Data    : "about:blank"
    Rootkey : HKEY_CURRENT_USER
    Object  : Software\Microsoft\Internet Explorer\Main
    Value   : Start Page
    Data    : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
2020Search Object recognized!
    Type    : RegData
    Data    : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object  : Software\Microsoft\Internet Explorer\Main
    Value   : Start Page
    Data    : "about:blank"

17:08:14 Scan stopped by user.

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time : 00:04:33:360
Objects scanned     : 45031
Objects identified  : 4
Objects ignored     : 0
New objects         : 4

Run Spysweeper - identifies the hijacker but freezes when trying to delete it
Run CWShredder - says I'm clean
Run Spybot - found some cookies (dataminers)
Run SpywareBlaster - found nothing
Run Hijackthis - got the following:

Logfile of HijackThis v1.97.7
Scan saved at 5:21:17 p.m., on 27/05/2004
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\CWSHREDDER\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3DfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - download.zonelabs.com

I even tried removing it manually as suggested on websites like PestPatrol, Annoyances.org, Spyany.com, etc. - nothing, it just bounces back. I've also done everything you guys suggested in FAQ 8 - no luck.

The IS guys at my work suggested that this is possibly a new variant of some hijacker, and that I have to reinstall Windows. Is there anybody out there that can help please? Thanks, Sarel | sarel (2490) |
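The log above can be triaged mechanically before anyone reads it line by line. The following Python script is an added example for this thread; it is not HijackThis code and not part of the original post. It parses the O2 (BHO), O4 (registry autostart) and O16 (downloaded ActiveX) lines in the HijackThis 1.97 format shown in the log and flags the entries a reviewer would look at first: BHO DLLs and autostart binaries outside an assumed known-good set, autostart entries that are a bare filename with no directory (Windows resolves those by search order, so a same-named file found earlier in that order is what actually runs), and DPF controls from hosts outside an assumed trusted set. The sample log is constructed from a subset of the posted entries plus two placeholder entries (null CLSID, PLACEHOLDER.DLL, example.invalid) so that every rule has something to fire on; the allow-lists are assumptions seeded from entries the thread treats as legitimate, not a vetted baseline.

```python
"""Triage a HijackThis 1.97-style log: flag the O2/O4/O16 entries to look at first.

Added example for this thread; not HijackThis code and not from the original
post. The sample input and the allow-lists are constructed/assumed (see comments).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Allow-lists are ASSUMPTIONS for this example, seeded from entries the thread
# treated as legitimate. A real triage compares against a vetted baseline.
KNOWN_GOOD_BHO_DLLS = {"ACROIEHELPER.DLL", "SDHELPER.DLL", "DLPROTECT.DLL"}
KNOWN_GOOD_AUTOSTART = {"SCANREGW.EXE", "VSMON.EXE", "AVGSERV9.EXE", "SPYSWEEPER.EXE"}
TRUSTED_DPF_HOSTS = {"v4.windowsupdate.microsoft.com", "download.macromedia.com",
                     "download.zonelabs.com"}

# Line shapes as printed by HijackThis 1.97 (see the log in the post).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]{36})\} - (?P<path>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-F-]{36})\} \((?P<name>.*?)\) - (?P<where>\S+)$", re.I)
# First executable token of a command line, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|com|scr|tsk))"?(?:\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "O2", "O4" or "O16"
    reason: str
    raw: str


def parse_command(cmd: str) -> Tuple[str, str, bool]:
    """Return (executable as written, upper-cased basename, is_bare_filename).

    A bare filename such as "SysTray.Exe" names no directory: Windows resolves it
    by search order (application dir, current dir, system dir, Windows dir, PATH),
    so a same-named file earlier in that order is what actually runs.
    """
    m = EXE_RE.match(cmd.strip())
    exe = m.group("exe") if m else cmd.split()[0]
    base = exe.rsplit("\\", 1)[-1].upper()
    bare = "\\" not in exe and ":" not in exe
    return exe, base, bare


def dpf_host(where: str) -> str:
    """Reduce a DPF location (bare host as in this log, or a full URL) to its host."""
    return re.sub(r"^\w+://", "", where).split("/")[0].lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if m := O2_RE.match(line):
            dll = m.group("path").rsplit("\\", 1)[-1].upper()
            if dll not in KNOWN_GOOD_BHO_DLLS:
                findings.append(Finding(no, "O2", f"BHO {dll} not in known-good set", line))
        elif m := O4_RE.match(line):
            exe, base, bare = parse_command(m.group("cmd"))
            where = f"{m.group('hive')} {m.group('key')} [{m.group('name')}]"
            if bare:
                findings.append(Finding(no, "O4", f"{where} runs bare filename {exe} (search-path resolved)", line))
            elif base not in KNOWN_GOOD_AUTOSTART:
                findings.append(Finding(no, "O4", f"{where} runs {base}, not in known-good set", line))
        elif m := O16_RE.match(line):
            host = dpf_host(m.group("where"))
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(no, "O16", f"ActiveX control downloaded from untrusted host {host}", line))
    return findings


# Constructed sample: a subset of the posted log plus two placeholder entries
# (null CLSID, PLACEHOLDER.DLL, example.invalid) so each rule has something to fire on.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\PLACEHOLDER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Class) - example.invalid
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.kind:<3} {f.reason}")
```

Run against the constructed sample it reports five findings: the placeholder BHO, the two bare-filename autostarts (SysTray.Exe and Rundll32.exe), MsnMsgr.Exe as an autostart outside the assumed baseline, and the placeholder DPF host. A finding is a prompt to check the file on disk, not a verdict; the same rules applied to the full posted log would also flag several entries the thread treats as legitimate (loadqm.exe, mstask.exe, point32.exe and so on), which is exactly the list a reviewer should confirm by hand.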
| 239694 | 2004-05-27 07:17:00 | You might need to do some registry hacking to remove it, but let's see what other suggestions other Press F1 users have. Good luck removing this thing! :) | stu120404 (268) |
| 239695 | 2004-05-27 07:22:00 | CWS = CoolWebSearch. Get CWShredder - mirror here (ftp.actrix.co.nz) | whiskeytangofoxtrot (438) |
| 239696 | 2004-05-27 07:26:00 | As mentioned in my post, I did run CWShredder - found nothing. | sarel (2490) |
| 239697 | 2004-05-27 07:35:00 | If you're worried about that "possible hijack attempt" listed above, don't. You can easily check by making your browser homepage, say, www.google.co.nz. Then do another scan. It should have disappeared. There is a hijacker out there that uses the blank.html page, but it is most likely just picking up the legit Windows blank page. | Pheonix (280) |
| 239698 | 2004-05-27 07:38:00 | Also, turn off your restore function, restart the PC, do the scan/clean and then turn restore back on. | Pheonix (280) |
| 239699 | 2004-05-27 07:44:00 | Yeah Pheonix, but why do I get the "attempts" consistently - every 30 seconds or so? And when I run my spyware proggies, the same files and registry items are found (and deleted every time) - even immediately after I delete some files with, say, Spysweeper, if I run it again I will get the same 4 files being recognised. This tells me the flippen hijacker self-propagates, and this is confirmed by some of the websites like PestPatrol, who say CWS.Msconfig will auto-execute every 5 seconds. My PC is really sloooooooooow these days. Sarel | sarel (2490) |
| 239700 | 2004-05-27 07:57:00 | Damn, the HijackThis log looks OK at a browse. I had something different, which nothing would kill, but maybe worth a look. Look under your root and Program Files directories and see if there are any there that are suspect. The one I did had something about money and files with casino in them. It didn't help that it was someone else's PC, so I don't know what they run. If it tries to re-propagate every so often, chances are that it may be running as a service. Could be worth a look through there as well. Close suspect ones down and see if the attempts stop. | Pheonix (280) |
| 239701 | 2004-05-27 08:14:00 | CWShredder is regularly updated; have you got the latest version? It may be worth posting on the HijackThis forum, especially if this is a new variant of the nasty. Link (www.net-integration.net) Try this fix posted here (forums.techguy.org) Cheers, Murray P | Murray P (44) |
| 239702 | 2004-05-27 08:47:00 | Murray P, I actually update all my signatures daily (where I used to do it weekly), so yes, the updates are current. Also ran all proggies in Safe Mode - no luck. Sarel | sarel (2490) |