IE Browser Hijacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tom5pts, Sep 26, 2006.

  1. Tom5pts

    Tom5pts Private E-2

    Hi, I've been having a variety of problems with IE (attempts to change home page), redirection of Google searches from within IE, and computer crashes. I know that Cool Web Search was found, was deleted and then reappeared, so I ran Spybot and Adaware to get rid of the secondary files, then started using Firefox till I could try your recommendations.

    I ran through your "Read and Run Me First" list. Then I tried IE again. There was still an attempt to redirect my home page, though Google seems to be working okay (for the moment). Also Panda ActiveScan found some things that I don't know how to get rid of.

    Computer Specs:
    HP Pavilion a750e
    OS - Windows XP
    Ram - 512
    CPU - AMD Athlon 64 3200+
    Hard Drive IDE WDC

    Spybot found and fixed Pipas.A in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Microsoft Windows Defender found nothing

    Bitdefender would not run (I tried downloading the recent JAVA version)

    The Panda ActiveScan report is attached

    The GetRunKey report is attached

    The ShowNew report is attached

    I'll attach the HijackThis report to the next post

    Thanks for whatever help you can give!

    Tom

  2. Tom5pts

    Tom5pts Private E-2

    Not sure this is the right way to post my HijackThis log, but it's attached.

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You now need to run this: WareOut Removal and attach the requested log.

    After running the above, also attach a new HJT log.
  4. Tom5pts

    Tom5pts Private E-2

    I've run WareOut Removal and HJT. The logs are attached.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0B6690A6-A750-476F-B833-DC68DD8A090E}: NameServer = 85.255.115.21,85.255.112.91
    O17 - HKLM\System\CCS\Services\Tcpip\..\{114FBAE0-3C0A-453E-AEE0-092BD213445A}: NameServer = 85.255.115.21,85.255.112.91
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6B8979C9-0B29-4231-AC41-4326F9970DB2}: NameServer = 85.255.115.21,85.255.112.91
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E029FFA-4377-497A-B1B6-06F2B4096BA9}: NameServer = 85.255.115.21,85.255.112.91
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D6999EA-E76A-4459-A87B-DB7289CA5E25}: NameServer = 85.255.115.21,85.255.112.91
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0B6690A6-A750-476F-B833-DC68DD8A090E}: NameServer = 85.255.115.21,85.255.112.91
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\WINDOWS\SYSTEM32\CSJOM.EXE
    C:\WINDOWS\SYSTEM32\DMPEM.EXE

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
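    The O17 lines above are the tell-tale of this infection: every network interface, plus the global Tcpip\Parameters key, has been rewritten to the same pair of outside resolvers. The script below is an added example (not from this thread and not part of HijackThis) that parses O17 lines in that format and reports any NameServer value that is not on an allow-list; the trusted resolver 192.168.1.1 and the second interface GUID are assumed values for the constructed sample.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the O17 lines quoted in the post above.
# The 85.255.x.x resolvers are the ones from the thread; the second GUID and
# the 192.168.1.1 router entry are made up for this example.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B6690A6-A750-476F-B833-DC68DD8A090E}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Resolvers the machine is expected to use (assumption: the home router).
TRUSTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+?)\s*$")

def parse_o17(log_text):
    """Return (registry_key, [resolver, ...]) for every O17 line.

    HJT uses a comma between resolvers on per-interface keys and a space
    on the Parameters key, so split on either.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries

def find_rogue_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Map each resolver outside the trusted set to the keys pointing at it.

    One public address on several interface keys at once is the pattern in
    this thread. A value that is not a valid IP is reported as INVALID:<v>.
    """
    rogue = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                ip_address(server)
            except ValueError:
                server = f"INVALID:{server}"
            if server not in trusted:
                rogue.setdefault(server, []).append(key)
    return rogue
```

    Run it against a real HJT log by passing the file contents to find_rogue_nameservers(); a resolver reported on more than one key is the same hijack pattern as in this thread and should be cross-checked with the ISP's or router's real DNS settings before fixing.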
     
  6. Tom5pts

    Tom5pts Private E-2

    Back again.

    In my first attempt to delete processes with Task Manager, my computer froze and I had to reboot. My second attempt was successful.

    HJT found and fixed the lines you listed.

    I was able to find and delete the two system32 .exe files. (How do you know all this stuff?)

    I emptied the Prefetch folder and ran CCleaner.

    IE seems to be working okay now. I also shut down and rebooted a couple of times and no more crashes (before my computer would often get stuck in the boot process and never fully boot).

    Attached is the HJT log.

    What say ye -- am I pronounced clean?

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
  8. Tom5pts

    Tom5pts Private E-2

    Thanks so much for your help! You're amazing.
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
