IE Browser Hijacked

Tom5pts · Sep 26, 2006

Hi, I've been having a variety of problems with IE (attempts to change home page), redirection of Google searches from within IE, and computer crashes. I know that Cool Web Search was found, was deleted and then reappeared, so I ran Spybot and Adaware to get rid of the secondary files, then started using Firefox till I could try your recommendations.

I ran through your "Read and Run Me First" list. Then I tried IE again. There was still an attempt to redirect my home page, though Google seems to be working okay (for the moment). Also Panda ActiveScan found some things that I don't know how to get rid of.

Computer Specs:
HP Pavilion a750e
OS - Windows XP
Ram - 512
CPU - AMD Athlon 64 3200+
Hard Drive IDE WDC

Spybot found and fixed Pipas A in HKEYLOCAL-MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

Microsoft Windows Defender found nothing

Bitdefender would not run (I tried downloading the recent JAVA version)

The Panda ActiveScan report is attached

The GetRunKey report is attached

The ShowNew report is attached

I'll attach the HijackThis report to the next post

Thanks for whatever help you can give!

Tom

Tom5pts · Sep 26, 2006

Not sure this is the right way to post my HijackThis log, but it's attached.

chaslang · Sep 26, 2006

You now need to run this: WareOut Removal and attach the requested log.

After running the above, also attach a new HJT log.

Tom5pts · Sep 27, 2006

I've run WareOut Removal and HJT. The logs are attached.

chaslang · Sep 27, 2006

Make sure viewing of hidden files is enabled (per the tutorial).
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B6690A6-A750-476F-B833-DC68DD8A090E}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{114FBAE0-3C0A-453E-AEE0-092BD213445A}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B8979C9-0B29-4231-AC41-4326F9970DB2}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E029FFA-4377-497A-B1B6-06F2B4096BA9}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D6999EA-E76A-4459-A87B-DB7289CA5E25}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B6690A6-A750-476F-B833-DC68DD8A090E}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\WINDOWS\SYSTEM32\CSJOM.EXE
C:\WINDOWS\SYSTEM32\DMPEM.EXE

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

Tom5pts · Sep 27, 2006

Back again.

In my first attempt to delete processes with Task Manager, my computer froze and I had to reboot. My second attempt was successful.

HJT found and fixed the lines you listed.

I was able to find and delete the two system32 .exe files. (How do you know all this stuff?)

I emptied Prefetch folder and ran Ccleaner.

IE seems to be working okay now. I also shut down and rebooted a couple of times and no more crashes (before my computer would often get stuck in the boot process and never fully boot).

Attached is the HJT log.

What say ye -- am I pronounced clean?

chaslang · Sep 28, 2006

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

Tom5pts · Sep 28, 2006

Thanks so much for your help! You're amazing.

chaslang · Sep 30, 2006

You're welcome. Surf safely!

Log in or Sign up

IE Browser Hijacked

Tom5pts Private E-2

Attached Files:

Activescan.txt

newfiles.txt

runkeys.txt

Tom5pts Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Tom5pts Private E-2

Attached Files:

report.txt

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Tom5pts Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Tom5pts Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

IE Browser Hijacked

Tom5pts Private E-2

Attached Files:

Tom5pts Private E-2

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Tom5pts Private E-2

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Tom5pts Private E-2

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Tom5pts Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches