#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2003
    Posts
    3
    Rep Power
    0

    Angry IE hijacked spyware


    MY IE browser has been hijacked. I set the home page and when I reboot, the home page is reset to www.youfindall.net

    It is very annoying. PLEASE HELP. I ran HIjackThis on my machine and here are the log results:

    Logfile of HijackThis v1.95.0
    Scan saved at 12:38:10 AM, on 7/16/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\Program Files\Optimum Online\Netsurf.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Shivani\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.nytimes.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Documents and Settings\Shivani\Application Data\Mozilla\Profiles\default\tgzvg7yn.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%207.1%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Shivani\Application Data\Mozilla\Profiles\default\tgzvg7yn.slt\prefs.js)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O19 - User stylesheet: C:\WINDOWS\default.css

    What should I do?
    Thanks
  2. #2
  3. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2003
    Posts
    3
    Rep Power
    0

    Cool found the solution


    I found a softwarethat is made specificallly to kill this spyware. Here's the site:

    http://www.spywareinfo.com/articles/cws/

    You need to download CWShredder

    Shiv
  4. #3
  5. Second highest poster :p
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jul 2001
    Posts
    7,322
    Rep Power
    32
    and run AdAware by Lavasoft, its the best. http://www.lavasoft.de/software/adaware/

    Also to add to what echolalia posted

    e. Don't install programs like Kazaa, Grokster, MusicMatch, etc. These 'ad supported' programs normally come with a heap of spyware.
    f. Don't install fake programs like Bozai Buddy and eAnthology.
  6. #4
  7. No Profile Picture
    The Dude Abides
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Feb 2000
    Location
    grass valley,ca
    Posts
    1,062
    Rep Power
    16
    Ahhh spyware, what fun, a.koepke is right use adaware, it will clean that crap off.

    The really fun thing about spyware is after awhile and enough combinations of spyware it will completely hose up your internet connection and possibly your network stack.

    Fixed two of those today.

    Stop installing crap on your computer that you don't specifically know about.
    The Dude
    I'm the Dude. So that's what you call me.
    That, or Duder, His Dudeness, Or El Duderino.
    If, you know, you're not into the whole brevity thing
  8. #5
  9. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2003
    Posts
    3
    Rep Power
    0
    Thanks for all the help guys. What is the browser offering best security? What do you guys use?
  10. #6
  11. Moderator Emeritus
    Devshed Supreme Being (6500+ posts)

    Join Date
    Feb 2002
    Location
    Austin, TX
    Posts
    7,184
    Rep Power
    2220
    Originally posted by Shiv
    Thanks for all the help guys. What is the browser offering best security? What do you guys use?
    Mozilla

    Get the "Firebird" v0.6 release. You'll never go back to MSIE.

    Download it here:
    http://ftp.mozilla.org/pub/firebird/...-0.6-win32.zip
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  12. #7
  13. Second highest poster :p
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jul 2001
    Posts
    7,322
    Rep Power
    32
    I use Mozilla too ... but the Seamonkey App Suite release. 1.4 is the last milestone build of it though
  14. #8
  15. An Ominous Coward
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2002
    Posts
    4,425
    Rep Power
    0
    "Mozilla all the way!" screams Ctb as he posts from his company-mandated Internet Explorer browser.

    "Of course", he continues, "it's only fair to point out that on this company-mandated browser I have to browse with images off or risk hosing IE's page-rendering."

    I'd like to not for the record, however, that Mozilla is by no means an absolute fortress. It has it's share of bugs and exploits (though, probably not nearly as many as IE), it's just that:

    1) They're usually not as serious a risk to privacy / security as IE exploitz are.
    2) They're fixed very quickly. Patches are often available in less than half the time it takes Microsoft to post a bulletin telling people that the problem isn't serious (even if that problem can cause the deletion of arbitrary files on your PC just by clicking a link on a webpage).
  16. #9
  17. Perl Monkey
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    May 2003
    Location
    the far end of town where the Grickle-grass grows
    Posts
    1,860
    Rep Power
    108
    I'm an Opera 7 fan. I haven't the foggiest what its security situation is, all I know is adware is too stupid to use it. I have GAIN installed with the shareware of DivX5Pro, and it never pops anything up, never bothers me in the least. If I don't use a browser it understands, it can't gather information on me, either.

IMN logo majestic logo threadwatch logo seochat tools logo