IE hijacked spyware

My IE browser has been hijacked. I set the home page and when I reboot, the home page is reset to www.youfindall.net

It is very annoying. PLEASE HELP. I ran HijackThis on my machine and here are the log results:

Logfile of HijackThis v1.95.0
Scan saved at 12:38:10 AM, on 7/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Shivani\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%33%34%34%30%31%32
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Documents and Settings\Shivani\Application Data\Mozilla\Profiles\default\tgzvg7yn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%207.1%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Shivani\Application Data\Mozilla\Profiles\default\tgzvg7yn.slt\prefs.js)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O19 - User stylesheet: C:\WINDOWS\default.css

What should I do?
Thanks
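
Added example, not part of the original thread: the R0/R1 lines in the log above hide the search-hijack host behind percent-encoding of ordinary letters. This Python sketch parses such lines and decodes them for triage; the function names and the "encoded host" heuristic are assumptions made for illustration, and the sample holds three lines copied from the log.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: three R-lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%33%34%34%30%31%32
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.nytimes.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
"""

# Shape of an R-line as it appears in the log: "R1 - <key>,<value name>=<data>"
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+)=(.*)$")


def decode_r_lines(log_text):
    """Return one record per R-line whose data is an http(s) URL."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        code, key, name, value = m.groups()
        parts = urlsplit(value)
        if parts.scheme.lower() not in ("http", "https"):
            continue  # local files such as blank.htm are not URLs to decode
        findings.append({
            "code": code,
            "hive": key.split("\\", 1)[0],       # HKCU or HKLM
            "value_name": name,
            "host": unquote(parts.netloc).lower(),
            "decoded": unquote(value),           # for reading only, never fetched
            # Host names never need %XX escapes for letters or dots, so any
            # escape in the host part is treated here as deliberate hiding.
            "encoded_host": "%" in parts.netloc,
        })
    return findings


def obfuscated_hosts(findings):
    """Distinct hosts that were written with percent-encoding."""
    return sorted({f["host"] for f in findings if f["encoded_host"]})


if __name__ == "__main__":
    for f in decode_r_lines(SAMPLE_LOG):
        flag = "ENCODED" if f["encoded_host"] else "plain"
        print(f'{f["code"]} {f["hive"]} {f["value_name"]}: {f["decoded"]} [{flag}]')
```
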

I found a software that is made specifically to kill this spyware. Here's the site:

http://www.spywareinfo.com/articles/cws/

You need to download CWShredder

Shiv

and run AdAware by Lavasoft, it's the best. http://www.lavasoft.de/software/adaware/

Also to add to what echolalia posted

e. Don't install programs like Kazaa, Grokster, MusicMatch, etc. These 'ad supported' programs normally come with a heap of spyware.
f. Don't install fake programs like Bonzi Buddy and eAnthology.

Ahhh spyware, what fun. a.koepke is right, use adaware, it will clean that crap off.

The really fun thing about spyware is after awhile and enough combinations of spyware it will completely hose up your internet connection and possibly your network stack.

Fixed two of those today.

Stop installing crap on your computer that you don't specifically know about.

Thanks for all the help guys. What is the browser offering best security? What do you guys use?

Originally posted by Shiv
Thanks for all the help guys. What is the browser offering best security? What do you guys use?

Mozilla (http://www.mozilla.org)

Get the "Firebird" v0.6 release. You'll never go back to MSIE.

Download it here:
http://ftp.mozilla.org/pub/firebird/releases/0.6/MozillaFirebird-0.6-win32.zip

I use Mozilla too :D... but the Seamonkey App Suite release. 1.4 is the last milestone build of it though :(

"Mozilla all the way!" screams Ctb as he posts from his company-mandated Internet Explorer browser.

"Of course", he continues, "it's only fair to point out that on this company-mandated browser I have to browse with images off or risk hosing IE's page-rendering."

I'd like to note for the record, however, that Mozilla is by no means an absolute fortress. It has its share of bugs and exploits (though, probably not nearly as many as IE), it's just that:

1) They're usually not as serious a risk to privacy / security as IE exploitz are.
2) They're fixed very quickly. Patches are often available in less than half the time it takes Microsoft to post a bulletin telling people that the problem isn't serious (even if that problem can cause the deletion of arbitrary files on your PC just by clicking a link on a webpage).

I'm an Opera 7 fan. I haven't the foggiest what its security situation is, all I know is adware is too stupid to use it. I have GAIN installed with the shareware of DivX5Pro, and it never pops anything up, never bothers me in the least. If I don't use a browser it understands, it can't gather information on me, either.









