• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 370

Internet Explorer Attack

Hi,

One day I started Internet Explorer and opened google.com. When I clicked a link for an item I was searching for, it automatically loaded another web site. Every time I use Internet Explorer and try putting in a URL, it takes me to that web page or another page that I have not requested.

I have tried running a Pest Patrol cleaner and anti-virus scanners, manually tried removing anything from the registry that has to do with those sites that automatically load, and have also uninstalled Internet Explorer and re-installed it, but nothing seems to work.

Any help would be appreciated.

Thank you.

Sergio
Asked:
serg2626
1 Solution
 
mr_egyptian commented:
If you haven't already, HijackThis would be a good place to start:

http://www.spywareinfo.com/~merijn/downloads.html

If you're not sure what's what, post your log here.
 
samb39 commented:
It sounds like a browser hijacker. I have had good luck with Stinger removing those.

http://vil.nai.com/vil/stinger/

 
rpggamergirl commented:
Please let us look at your HijackThis log; that would be really helpful to diagnose the problem.

Please download HijackThis 1.99.1:
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Scan and save a logfile". Don't fix anything yet; just upload the logfile created. Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at
http://www.hijackthis.de/
and click "Analyse", then "Save". Post a link to the saved list here.
 
masnrock commented:
Sergio,

Did you try doing any of your cleaning with the computer started up in Safe Mode and with System Restore disabled? If not, you'll usually run into problems.

In the meantime, follow rpg's advice... she's usually pretty good in the spyware category. :)
 
renill commented:
There is a piece of software by the name of Spy Sweeper; you can try it at
http://www.download.com/3000-8022_4-10192729.html
Do go for a clean sweep and this will fix up your problem.

renill
 
Will Szymkowski (Senior Solution Architect) commented:
I would recommend going to www.download.com and getting Spybot Search & Destroy and Ad-Aware SE Personal. Use these programs to remove the browser hijacker. Before you perform a system scan, make sure that you update the programs first.


Hope this helps

=D
 
serg2626 (Author) commented:
Will try some of the options later this week; you can keep posting suggestions though. Thank you.
 
Perico De Los Palotes commented:
The very first thing you need to do is check for installed BHOs.

BHOs are programs that interface with Internet Explorer to control the behavior of your navigation.

There are benign and malign BHOs.

Use BHODemon; they have a good database.
You can download it from here:
http://www.definitivesolutions.com/bhodemon.htm

If any is listed as unknown, disable it too.

If everything is OK, you need to look at your DNS servers. Some spyware/malware changes the DNS servers to ones of their own.

In order to do that, right-click on the "My Network Places" icon under the Start menu and select Properties.

Then right-click on your internet connection and select Properties again.

Now highlight the TCP/IP protocol and click on the Properties button.

Usually if you get an IP automatically, your DNS servers should be automatic too. Please contact your Internet Service Provider before doing that to have the right configuration.

Once you have the right settings, right-click on the My Computer icon and select Properties, then on the Network Name tab hit the "Change" button and then the "More..." button. The DNS suffix should be blank; if it isn't, just delete it.

I hope this helps.

If not, then you have a malware program installed; try www.panda.com/activescan/ to see.

Good luck.

Stan.
 
rpggamergirl commented:
Sergio,
We can help you better if we can look at your HijackThis log; it will show there if indeed it is a DNS hijack (which is what it sounds like). HijackThis is like a diagnostic tool that can also tell us what infections your system has, and helps find the right tool to use if that's the case.
It will save you the time of installing and trying so many different scanners to see which one works.
Not all malware shows up in a HijackThis log, but most of it does. Bad BHOs show up in the HijackThis log too.

masnrock, thanks for the kind words :)
 
serg2626 (Author) commented:
Hi, here is the log file generated by HijackThis from a laptop on which the same thing is happening. Thank you...

Logfile of HijackThis v1.99.1
Scan saved at 8:49:56 PM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote Desktop Control\apc_host.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\system32\awvtu.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\pmkjg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://rd.digilinkdirect.com/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: RDC-Host - ABF software, Inc. - C:\Program Files\Remote Desktop Control\apc_host.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

 
samb39 commented:
You appear to be infected by WinFixer, because of the presence of pmkjg.dll.

Winfixer removal instructions

   1. This guide is for Windows 2000 and XP versions. First you have to create a HijackThis log (how to create a HijackThis log).
   2. The www.spyware-removal-guideline.com crew is not responsible if the following actions are performed incorrectly.
   3. Locate the O2 - BHO: MSEvents Object line in the log. If no such line is found, stop reading this paragraph and jump to Manual winfixer removal at the bottom of the page.
   4. O2 - BHO: MSEvents Object is the line where Winfixer is hiding. The whole line should look like this: O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\qwert.dll, but the {827DC836-DD9F-4A68-A602-5812EB50A834} and C:\WINDOWS\system32\qwert.dll parts can be different from the lines you see in your log file. All you have to do is write the second part (C:\WINDOWS\system32\qwert.dll) down and use it INSTEAD of C:\WINDOWS\system32\qwert.dll in the future.
   5. Download VundoFix.exe from
      http://www.atribune.org/downloads/VundoFix.exe
      to the desktop and run the file to extract VundoFix. All extracted files will be located on the desktop.
   6. Reboot the computer into Safe Mode by choosing the "Restart" option and pressing the F8 key until the menu appears. Choose "Safe Mode" and hit "Enter".
   7. After the computer has booted up, go to the VundoFix folder and run the KillVundo.bat file. First a caution window will appear; press "Enter". Then you will be asked to enter the line that you wrote down in the third step. After the line is entered, press "Enter". A message "Please type in the second filepath as instructed by the forum staff" should appear.
   8. Now type the same line as before, but with the "qwert" part (you have to use your own, as discussed in the third step) written in reverse order, "trewq", and the "dll" extension replaced with *. So the final line will look like C:\WINDOWS\system32\trewq.* Press "Enter".
   9. Finally HijackThis will be launched automatically (if not, start it manually). After the scan, if you can locate the lines
      O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\qwert.dll
      O20 - Winlogon Notify: C:\WINDOWS\system32\qwert.dll
      check them and press "Fix checked".
      ATTENTION! The C:\WINDOWS\system32\qwert.dll part on both lines has to be the same as what you wrote down in the third step.
  10. Reboot the computer.

From

http://www.winfixer.spyware-removal-guideline.com/
 
rpggamergirl commented:
Hi,
I just got back from vacation. You do have a Vundo infection showing in your HJT log.

Please download VundoFix.exe to your desktop. (It has to be from this location below, to match the canned speech that goes with it.)
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying VundoFix will close and re-open in a minute or less.
Click OK.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.

Fix these entries if still present after running the tool (normally they should be gone after running the tool, but in your case you have Vundo twins running, so if they're still present then fix them).
HijackThis cannot remove these entries on its own; you need to run the tool first because Vundo runs before Windows loads.

O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\system32\awvtu.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\pmkjg.dll
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
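The pairing rpggamergirl picks out by eye above (an O2 BHO whose DLL is also registered as an O20 Winlogon Notify package, the "Vundo twins"), and the reversed-name companion file from the guide samb39 quotes, as an added Python example that is not code from this thread, from HijackThis or from VundoFix. The log excerpt is constructed from the O2 and O20 lines quoted in the thread; the two heuristics (BHO with no display name, same DLL on both an O2 and an O20 line) are my own triage rules, and a hit is a lead for a closer look at that file, not a verdict.

```python
import ntpath
import re
from collections import defaultdict

# Constructed excerpt: the O2/O20 lines quoted from the HijackThis 1.99.1 log
# in this thread, plus one R1 line to show non-matching lines are ignored.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\\WINDOWS\\system32\\awvtu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\\WINDOWS\\system32\\pmkjg.dll
O20 - Winlogon Notify: awvtu - C:\\WINDOWS\\system32\\awvtu.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: pmkjg - C:\\WINDOWS\\SYSTEM32\\pmkjg.dll
"""

# "O2 - BHO: <name> - {CLSID} - <path>"  (CLSID is 32 hex digits + 4 dashes)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# "O20 - Winlogon Notify: <registry key name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def norm(path):
    # Windows paths are case-insensitive (system32 vs SYSTEM32), so compare case-folded
    return path.strip().casefold()


def parse_hjt(text):
    """Group O2 (BHO) and O20 (Winlogon Notify) entries by normalised DLL path."""
    bhos, notifies = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos[norm(m["path"])].append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies[norm(m["path"])].append(m.groupdict())
    return bhos, notifies


def find_twins(text):
    """DLLs loaded both into IE as a BHO and into winlogon as a Notify package."""
    bhos, notifies = parse_hjt(text)
    return sorted(bhos.keys() & notifies.keys())


def suspicious_bhos(text):
    """Return (normalised path, reason) for BHO entries worth a closer look."""
    bhos, notifies = parse_hjt(text)
    findings = []
    for path, entries in bhos.items():
        reasons = []
        if any(e["name"] == "(no name)" for e in entries):
            reasons.append("BHO registered without a display name")
        if path in notifies:
            reasons.append("same DLL also registered as a Winlogon Notify package")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return sorted(findings)


def companion_pattern(dll_path):
    """Wildcard for the reversed-name companion file the quoted WinFixer/Vundo
    guide describes: C:\\WINDOWS\\system32\\qwert.dll -> C:\\WINDOWS\\system32\\trewq.*"""
    directory, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ".*")


if __name__ == "__main__":
    for path, why in suspicious_bhos(SAMPLE_LOG):
        print(f"{path}: {why}")
        print("  companion file to check for:", companion_pattern(path))
```

Run over the constructed excerpt, the script reports awvtu.dll and pmkjg.dll and leaves the Acrobat and Google Toolbar helpers alone, which is exactly the set of four O2/O20 lines listed for fixing above. The point of keying on the O2/O20 pair rather than on a filename is that the DLL names in this family are random, so a name list would never match; the loading position (IE plus winlogon) is what stays constant.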
 
rpggamergirl commented:
Thanks for the points with an "A" grade. :)

You might like to think of updating or getting rid of your current Java and installing the newer version (jre1.5.0_06).
If you keep your current version, you are very likely to be re-infected with Vundo again.
This version --> (j2re1.4.2_05) is vulnerable to Vundo infection. All Vundo infections that I've seen (I've seen lots) have this version, with Vundo re-occurring while that same version is installed.


Download and install the newest version (jre1.5.0_06):
http://www.java.com/en/download/manual.jsp

Best wishes!