New Browser Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mymonkey, Apr 10, 2004.

  1. mymonkey

    mymonkey Private E-2

    Hi Geeks

    Today my browser was hijacked in a way I have not seen mentioned here before. When I click on a link the browser goes to the correct URL, but a second layer loads on top of the page displaying a search portal.

    I ran CWShredder, which helped somewhat. Now it tries to load the new layer but can't quite pull in the search page.
     
  2. ArchAngel

    ArchAngel Sergeant

    Welcome to MajorGeeks!

    Did you happen to catch the name of the search engine that pops up?

    You can find out what is running by hitting Ctrl-Alt-Delete. Then click the far left tab (I can't remember exactly what it says, as I'm using Linux at the moment). It will list all the running programs. Is it Lop.com or something similar?

    Then you can do an internet search on that and maybe find the cure.

    Otherwise post it here, and one of the lurking computer geniuses will help you out. :)
     
  3. mymonkey

    mymonkey Private E-2

    More info

    It tries to load the page at nkvd.us, but since running CWShredder it doesn't succeed; it just continues to try to load it. It also tries to hit ad.doubleclick.net.

    It's really frustrating.

    Thanks for the help : )
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    I would follow the links posted by Robo and maybe try HijackThis and see if you can spot anything untoward.
     
  5. mymonkey

    mymonkey Private E-2

    Hijack This results

    Hi fellow Geeks
    I ran HijackThis and here are the results. Does anyone smell anything?

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
    C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jesse Mitchell\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = I Love Robin, Zoë & Mia
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: All (HKLM)
    O9 - Extra 'Tools' menuitem: Close ALL IEx's (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Others (HKLM)
    O9 - Extra 'Tools' menuitem: Close OTHER IEx's (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK mymonkey,
    there's nothing lurking there that could be causing this behaviour.

    My opinion is that these lines are causing the problem:
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    Now generally they would have an address there, such as a search engine, so what I think has happened is CWShredder has killed the address but left the prefix, which would cause the behaviour you described in your first post.
    So close all browser windows, check the boxes next to those two lines and select Fix.
    Reboot and try your browser again, and let us know how it goes.
     
  7. JSDK

    JSDK Private E-2

    C:\Program Files\Expertcity\ smells funny - see what www.pestpatrol.com has to say. Search "gotomypc".
     
  8. mymonkey

    mymonkey Private E-2

    Wow this is a pain.

    I tried both the suggestions (thanks :)) but still no end to the problem. It still tries to load an ad.doubleclick.net page.

    Any more ideas ladies or gents?

    Thanks, mymonkey
     
  9. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Could be worth a shot Robo, I've just been trawling through that list and can't find anything that would point to ad.doubleclick :confused:

    Which cleaner do you recommend? I'm not too sure how comfortable mymonkey is with this kind of stuff, and I'm trying to organize dinner back here at the moment.
     
  10. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Thanks for stepping in Robo, I'm having a right day of it here; I'm looking after the kids today, giving the wife a day of rest.
    Won't bother going into details, but needless to say I'll be glad to get back to work tomorrow ;)

    Anyway, agreed, RegSupreme is a good choice. Only a thirty day trial, but that would hopefully be enough, and if you choose to use this I wouldn't be surprised if you didn't want to pay the 12 dollars to keep it.
    Also don't be surprised if it finds 100s of bad entries; that's perfectly normal, and it makes a back-up of anything removed so you can make a repair if something does go bad.

    I've also used RegScrubXP and RegCleaner, both very good although perhaps not as thorough as RegSupreme.
     
  11. JSDK

    JSDK Private E-2

    Try searching the internet for "nkvd.us"; you are not alone.

    http://www.spywareinfo.com/forums/index.php?act=idx and http://forums.maddoktor2.com/index.php?act=Search&f=17 should be of help, and you will need it. Not so easy to fix, but it seems the LATEST versions of CWShredder, Ad-aware and Spybot with updated data files will do the job. But you might have to boot up in safe mode. Some speak of a virus file which morphs itself etc. Did not read it all, many hits - hard to test. Just be sure to download the latest versions of those programs, and your antivirus programs also of course.

    You could clean up a little once you are free. You have a pop-up blocker, but the latest Google bar will do that just fine.

    Also be sure you set up Spybot in Advanced mode and tick some boxes in Ad-aware - then they work the best. Try letting Spybot give a Hijack-type log.

    You know nkvd.us is a problem, but that doesn't mean it is the only problem ;)

    Install SpywareBlaster http://www.javacoolsoftware.com/index.html; that might have prevented you getting problems in the first place.
     
  12. mymonkey

    mymonkey Private E-2

    Thanks a lot General and Robo

    Thanks a lot General and Robo - I'm running XP Home Ed

    I will give 'er a shot

    Good luck with dinner and the kids. I've got two myself and it's quite an adventure when the wife's off duty : )
     
  13. JSDK

    JSDK Private E-2

    Well, now I have read those 2 linked MG articles, I'm sure you will find the solution right there - if you follow them. Forget about reg cleaning, that won't help much.
     
  14. JSDK

    JSDK Private E-2

    Getting more mysterious. I went to the Spyblaster forum and http://www.wilderssecurity.com/showthread.php?t=27560&highlight=nkvd.us - check the last post! That popup blocker you use might be the enemy :) But there is more, as you can see. If CWShredder etc. can't do the job, try that manual cleanup. He says it is the only way right now - fits your problem like a glove. If you are afraid to delete files which are spyware/virus but still... then rename them, back them up. Just be sure those 2 mentioned are gone from the system folder/registry or hell will start all over. They probably "update" the registry and the evil management of the browser etc., so you must get out of that loop.
     
  15. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Well, the reason myself and Robo leaned towards a registry clean is the fact that CWShredder attempted to fix this problem, yet there's obviously some remnants left over.

    On numerous occasions in the past a good reg clean will kill all the leftover bits and pieces. Do you see anything in that log relating to this?
    So don't knock it until you've tried it ;)

    Now that's some pretty random advice, hey just tick a few boxes and away you go :rolleyes: If you want to give advice like that, please give details and explain exactly which boxes you suggest mymonkey uses.
    The Advanced mode in Spybot is exactly that, probably why they give the warning about whether you are really sure you want to do this, so just sending an inexperienced user in without proper guidance is not a good idea ;)

    Also most spyware programs can be found right here at MajorGeeks,
    such as SpywareBlaster :)
    http://www.majorgeeks.com/download2859.html

    Appreciate the help, as it's all about teamwork here, but please don't knock other people's advice and then just throw in random remarks which can just confuse the issue.
     
  16. JSDK

    JSDK Private E-2

    Lets hope it helps.

    btw, one of those security posters said NOT to run HijackThis from the desktop folder. Don't know why; guess it will be limited by the OS or something? He said "NOT", not "not" :cool:
     
  17. JSDK

    JSDK Private E-2

    Also, for "inexperienced" users? If setting up Spybot/Ad-aware better is risky, I don't know...

    But never mind that, the latest CWShredder has this:

    "CWShredder 1.56.0002
    * Updated for CWS.Smartfinder.2, which was indeed being reinstalled by a fake BHO pretending to be the 'Osborn Popup Blocker'."
     
  18. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hey man, I was just responding to this.
    Like I said, it's fine to recommend tips and tricks to improve the use of software, but if you're going to do that at least explain yourself rather than "just tick some boxes" :rolleyes:

    Anyway, like I said, it's all about teamwork here, so well done, that's a good find. I guess we need to wait and see if this resolves mymonkey's problems.
     
  19. NonSuch

    NonSuch Private E-2

    HijackThis needs to be placed in its own folder (such as C:\HJT\ or C:\HijackThis\) so that it can create back-ups, which it will do automatically, when you "fix" things. It needs to have its own folder in order to do this correctly. Back-ups are good to have in case you need to restore something that was previously "fixed."

    Absolutely correct about the pop-up blocker; this is a varmint rather than a good pop-up blocker. It needs to be terminated!

    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

    CoolWebSearch parasite variant (MSHELPER.DLL)
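As an added example (not code from the thread or from HijackThis itself), here is a small Python triage script run over a constructed excerpt of the log posted above. It applies the two checks the thread arrived at: the O2 BHO line NonSuch identified as a CoolWebSearch variant, and the empty O13 prefix lines General_Lee_Stoned suspected were left behind by a partial cleanup. The line regexes and the "BHO loaded straight from System32" heuristic are my assumptions, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log from the thread (two clean BHOs,
# the OsbornTech BHO, the two empty O13 lines and one unrelated O16 line).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\\WINDOWS\\System32\\mshelper.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# CLSIDs the thread itself identified as malicious (NonSuch's post above).
KNOWN_BAD_BHO_CLSIDS = {
    "{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}":
        "CoolWebSearch parasite variant (MSHELPER.DLL) posing as a popup blocker",
}

# Assumed line shapes: "<section> - <body>", BHO body "BHO: <name> - {CLSID} - <path>",
# O13 body "<kind>Prefix: <value>".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
PREFIX_RE = re.compile(r"^(?P<kind>[\w. ]*Prefix):\s*(?P<value>.*)$")


@dataclass
class Finding:
    line: str
    severity: str   # "high" = identified in the thread, "review" = heuristic only
    reason: str


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O2":
        b = BHO_RE.match(body)
        if not b:
            return None
        clsid = b.group("clsid").upper()
        if clsid in KNOWN_BAD_BHO_CLSIDS:
            return Finding(line, "high", KNOWN_BAD_BHO_CLSIDS[clsid])
        # Heuristic (my assumption): every legitimate BHO in this log lives under
        # a vendor directory, so one sitting directly in System32 deserves a look.
        if "\\system32\\" in b.group("path").lower():
            return Finding(line, "review", "BHO loaded straight from System32")
        return None
    if section == "O13":
        p = PREFIX_RE.match(body)
        if p and p.group("value") == "":
            # General_Lee_Stoned's hypothesis: prefix key left behind, value stripped.
            return Finding(line, "review", f"{p.group('kind')} present but empty")
        return None
    return None


def triage_log(text: str):
    """Triage a whole log; returns findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```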
     
  20. JSDK

    JSDK Private E-2

    Hopefully...

    Well General, I think your love for reg cleaners hides the fact that some have so much respect for them they would not recommend them to inexperienced users. So as you say about locating "preferences"/"options": "just sending an inexperienced user in without proper guidance is not a good idea" - which I did not say but will now ;) Where is your user-friendly slideshow of "bad entries" in the registry? Does he have any idea what that program does? Do you know how he will use it? Probably a great one, but potentially risky no matter that you might use it daily.

    What I suggested was to improve the setup of what he, and just about everyone else, already has. It is new to me that there is risk about Spybot in adv. mode. Isn't the warning about possible malfunctioning of Ad-aware already installed? Not a big deal, people should know what is on the HD. Anyway, one of the links shows exactly how to enable those modes, also in Ad-aware.

    Actually I hope he suffers with regedit.exe/manual removal but comes out on top in the end. Then he is better prepared next time, as much as is possible - will have run SpywareBlaster, done updates etc. Killing spyware and that type of crap doesn't have to be a pleasure cruise, or the problem will just repeat itself sooner rather than later. Not easy to deal with fresh spyware though, not yet detected by e.g. Ad-aware. But that will soon change.
     
  21. mymonkey

    mymonkey Private E-2

    General, Robo, JSDK & NonSuch

    You gents (ladies?) are remarkable. It seems to be fixed. OsbornTech removed and the problem has not returned.

    The other suggestions have also helped. The ol' girl's running smoother than she has in a long time thanks to the house cleaning.

    I'm sticking with this board and I can't wait to be able to help someone else in the future.

    Keep up the good work.

    Best regards,
    mymonkey

    "Everybody's Got Something to Hide Except Me and My Monkey"
    Lennon/McCartney - White Album
     
  22. JSDK

    JSDK Private E-2

    Nice. In another thread someone mentioned SpywareGuard. May be a good one for you. It is resident, the opposite of SpywareBlaster. I have not used the Guard but like the rest of http://www.javacoolsoftware.com/spywareguard.html Btw, I always run MRU-Blaster before a reg cleaner; it makes it easier to check "real" bad entries :) 100s of hits can be confusing but is probably a normal rate. MRU-Blaster will also take care of index.dat - see plug-ins.

    Also http://www.winpatrol.com/ is quite good. The little doggy goes "woof", warning you every time new stuff is added to startup or BHOs in browsers. Also picks up new services. Does not have to be resident but can be run when you feel like it. Most need reminders to do those regular checkups.

    I only use SpywareBlaster, Ad-aware, Spybot and AVG - but am changing browser to Mozilla. With IE, Blaster is a must, perhaps with SpywareGuard until you feel confident you are in charge ;) If the computer can handle Norton it should have room for 1 more taskbar icon I guess.
     
    Last edited: Apr 12, 2004
  23. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK JSDK,
    I'm thinking you're trying to wind me up now, and to be totally honest I've got better things to do :rolleyes:
    If you've got a problem I suggest you PM me.

    Just an FYI, all the programs you are listing are available to download right here at MajorGeeks, as I advised you earlier.
    It's not good netiquette to keep posting links elsewhere while you are on this board ;)

    Also, instead of bugging me, it might pay you to gain some knowledge yourself instead of randomly quoting stuff you've found on the internet :rolleyes:
     
  24. JSDK

    JSDK Private E-2

    No I'm not, I just want you to know what you are saying - and keep saying! I knock programs down, I lead him on a risky path, I randomly quote stuff from the internet. I don't think I do that; I would prefer to shut up if that was the case. However, I did not agree with you at all - big mistake perhaps, but not bugging you! You tell him to run a reg cleaner... to fix a hijacker problem. No advice how-to, no warnings. That's about it really. From a user-friendly point of view I think you are very wrong and should remind yourself of "teamwork", General. I said a reg cleaner will not help - and then I'm knocking them down. Nope, it will not help with THIS problem, get it? THIS problem is/was of interest, not your or my ideas/suggestions, right?

    Well, I could link to MG downloads and maybe I will, but 1. I might have the web URL ready in my head and 2. There can be good info on websites hosting software 3. I don't think this forum necessarily must feed MG downloads - I'm not aware of that anyway. I would like an ADM to tell me that is not good netiquette. I have no problems following any rule - as long as it makes sense.
     
  25. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Firstly, the reg cleaning advice originally came from a very knowledgeable source in Robo, and I tended to agree with him.
    There have been several cases here and elsewhere where, after using a spyware cleaning tool, the problem has been 90% solved but still the niggling 10% hangs behind, and having advised a reg cleaning the 10% has been solved as well, so yes, it was good advice and I stand by that.

    As posted earlier in this thread, a reg cleaning can help with any version of Windows for any particular problem ;)

    As for the reg cleaning itself, admittedly I was in a rush yesterday, but using RegSupreme is so simple even you could use it straight off the bat, and I warned about the possibility of 100s of bad entries, and mentioned that everything is backed up in case of possible problems.
    Certainly a lot more than your "just tick a few boxes".

    Read this thread through; it's full of you quoting stuff you found on the net ;)

    Lastly, I suggest you speak to Major Attitude about linking elsewhere; you are taking traffic away from this site, which is what MA relies on to earn a living.
    Not just the downloads, on which he can earn money if someone upgrades a shareware version to the full product, but revenues generated by people looking through GeekShopping, or clicking on ads while they are here ;)
     
  26. JSDK

    JSDK Private E-2

    If I'm quoting or linking to the big internet, it is NOT randomly or to make myself interesting. And I'm not misguiding anyone. You have a strange mix of personal and MG ego? which kind of limits what I can post, say, suggest etc. You prefer to stay indoors with people in full agreement with you, so to speak; well, I don't care and think you should cool down a little. Personally I don't care who I agree or disagree with, I'm looking to help and to learn, that is all.

    About the linking, there should be a post about that; maybe I missed it? I'm not aware of MG download policy vs. forum posts but have no problem linking to MG downloads. Not thought of it as a major issue. Can link to both if it matters...
     
  27. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK dude, well if you don't care I certainly don't.
    I don't agree with all the advice posted, however, but it's all about tact ;)

    If you don't agree with something, fine, but to just crap on advice posted
    You could have maybe said
    or something similar

    Then maybe you wouldn't piss people off.

    Dude, I ain't got no ego, and I'm perfectly cool already :cool:
     
  28. JSDK

    JSDK Private E-2

    You most certainly have an ego, even an extra one on behalf of a website :rolleyes:

    We can talk as much as you want about software/hardware, but you should not question my motives or advice unless you have facts. I think you have your own idea of what facts are when you compare a reg cleaner with an options button, but never mind. I would be happy to get better input from you or whoever, wiser next time. That is not your goal obviously. Who says what to whom is important - childish and based on ego, big time. I should think poster no. 1's main interest is to get the crap out, not who is telling him to do what. It's all in your head...

    I can agree with your quotes this time. Yes, I should have explained better, but I still don't see how that can set you off so much. I believe there is a difference between being too direct and then trying to crap on someone. If you noticed, I said "I will now" as to now comment on your attacks and questioning of my posts (I have thick skin but you are aggressive) because you left the issue from post 1, found other goals and purposes which I don't understand or care about. The problem is solved; that was the reason for this thread.
     