browser and XP firewall hijack
arledgetv
March 13th, 2004, 08:59 PM
I have a computer that appears to have been infected with a browser hijacker. My OE home page is now set to hotwebsearch.com and there is a new porn related toolbar. I cannot change the home page or remove the toolbar. There is a spot in the toolbar list for this new toolbar but there is no description. All of my favorites have been erased and replaced with links to porn related web sites.
I have run updated versions of adaware and spybot as well as various other programs all to no avail. Nothing will find it or delete it.
What is worse is that about the same time as the browser hijack I started getting all sorts of popups. When I go into the XP firewall settings I notice an ever growing list of open TCP and UDP ports. Close the ports and they open again and even more.
I have a hardware firewall and use the cheesy XP firewall, NAV, and regularly use adaware.
Does anybody have any idea what this is or how to eliminate it????
Thanks
:mad:
Soda_Popinsky
March 13th, 2004, 09:03 PM
HijackThis
http://www.spywareinfo.com/~merijn/downloads.html
Download that; it's far down on the page. Run it, click Scan, then Save Log (same button as Scan), and post the results here. We can tell you which ones are safe to delete.
moxnix
March 13th, 2004, 09:40 PM
Actually, Soda_Popinsky, he seems to have the variant of CoolWebSearch, and although HijackThis will tell him the registries that have been changed, it won't clean them. But on the same page/link you will find CWShredder, which has been made to clean this malware from your computer.
There are some websites that install this variant without your knowledge, but usually you actually agree to download it, as a bundled package within something else, or as a popup window on a site that you have visited.
A hardware firewall, and even a good one (the XP firewall I don't consider good), will not prevent you from getting this malware, and AV software does not detect this type of hijacker.
The link Soda gave you <http://www.spywareinfo.com/~merijn/downloads.html> will take you to Merijn.org, where you can get CWShredder and HijackThis. Both are great programs.
arledgetv
March 13th, 2004, 09:41 PM
Excellent advice, Soda_Popinsky!!
I still have something in the background opening up the TCP/UDP ports in the XP firewall though.
I actually ran the CWShredder and that did not help me any.
moxnix
March 13th, 2004, 09:51 PM
arledgetv, the XP built-in firewall does not control any outgoing data. It just filters incoming. There are multiple free third-party firewalls available for download that will filter both incoming and outgoing data, and monitor your ports. I would suggest either ZoneAlarm or Kerio for this.
A good guide to firewalls is <http://www.securityfocus.com/infocus/1750>. This article will explain the hows and whys of a good firewall, and list some of the best out there.
Soda_Popinsky
March 13th, 2004, 09:54 PM
HijackThis does remove registry entries that will start CW on bootup, if I'm correct. I'm pretty sure you could use HijackThis to remove CW, but it's not a very friendly uninstall. That's why CWShredder exists: a more friendly uninstall of that hijack.... Right?
Corrections Welcome
Soda
arledgetv
March 13th, 2004, 10:00 PM
What could be opening the ports on the firewall? I have no services added, but more and more of these msmsgs xxxxTCP and msmsgs xxxxUDP ports are opening.
Soda_Popinsky
March 13th, 2004, 10:03 PM
Moxnix provided you with some firewall names... I suggest you follow through on downloading one. Then you can configure the firewall to allow only what services you wish to have access the internet.
arledgetv
March 13th, 2004, 10:18 PM
I will probably use ZoneAlarm. I have that on some other PCs and I think it works great. Is it possible I still have some type of malicious program opening up the XP firewall that I have not deleted yet?
Advice has been great. As the administrator of a small ISP that uses cable modems in retirement buildings and apartment buildings, I think I will be spending more time here and learning, learning, learning.
Soda_Popinsky
March 13th, 2004, 10:34 PM
Well, how about you post your HijackThis log? It will tell us what processes you have running and what is starting up with your computer; then we can see what looks suspicious.
moxnix
March 13th, 2004, 10:36 PM
It is possible.... Have you run any spyware removal tools recently? They can tell you if you have picked up a lot of things. Also, updating your AV and running it in safe mode will be beneficial.
There are several really good tutorials that cover securing your system:
http://www.antionline.com/showthread.php?s=&threadid=255684
http://www.antionline.com/showthread.php?s=&threadid=255353
http://www.antionline.com/showthread.php?s=&threadid=255443
These are the 3 latest.
arledgetv
March 13th, 2004, 11:30 PM
Here is the log.
Logfile of HijackThis v1.97.7
Scan saved at 4:47:12 PM, on 3/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\aal4fohw.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {5D68B82D-C79F-4FFC-83C0-8D0FC794CEF2} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {ED29A481-CD46-43D9-85AA-E6E869DF2214} (MercStats.cStats) - file://C:\Program Files\Mercury\Content\cabs\MercStats.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD1A0F6B-A512-49DD-AF83-A629A5EB4517}: NameServer = 24.95.227.36,24.95.227.37
Soda_Popinsky
March 13th, 2004, 11:42 PM
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
This isn't a big deal, but I think most people on AO would rather have this disabled. Search the site for "Disable msmsgs". If your firewall doesn't block it, I think you can receive Messenger spam.
Are these sites what you would like them to be? Or are these pages that are set from the hijack?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
Other than that, everything looks ok to me, nothing obvious.
Tedob1
March 13th, 2004, 11:57 PM
Excuse me, but isn't this Radmin? "C:\WINDOWS\System32\r_server.exe" Have you installed Radmin on your computer for remote administration? If not, you're severely owned.
Also, "C:\WINDOWS\System32\sysme.exe" has gotta go.
arledgetv
March 14th, 2004, 01:36 AM
The URLs were good. ZoneAlarm will take good care of me from now on. I do use Radmin for remote administration.
Thanks for all of the great advice. I will be sure to pass it on.
gn0min0mic0n
March 14th, 2004, 03:45 AM
just my 2 rupees...
If I remember correctly, renaming the Messenger folder to something like Messenger_Backup or Messenger_Old seems to work...
Is it possible/probable that the Real Updater or Moneyside application is downloading junk in the background?
Also -- just a humble observation -- but why do you have both Money and Quicken installed?
WarTux
March 14th, 2004, 04:18 AM
Use adware.
It might be spyware on your pc.
Soda_Popinsky
March 14th, 2004, 04:51 AM
As for Money and Quicken, those probably have safe uninstalls in the Add/Remove function of the Windows Control Panel. It's probably safer than hacking away at it with HijackThis. If you actually use it, don't freak out about it, because it probably doesn't download anything huge.
WarTux:
I have run updated versions of adaware and spybot as well as various other programs all to no avail. Nothing will find it or delete it.
sumdumguy
March 14th, 2004, 05:09 AM
LOL.. Soda.. I pointed out the exact same thing to WarTux in this thread (http://www.antionline.com/showthread.php?s=&threadid=255674).
It seems he doesn't read very well and thinks adaware is the catch-all..
meeeeeee
March 14th, 2004, 06:39 PM
Just some thoughts:
1) You need to put HijackThis into its own folder. To do so:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
2) O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
This one is a baddie... virus/trojan related. Here is how I have seen the experts fix it:
Click here (http://download.broadbandmedic.com/VbStuff/TheKillBox.zip) to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste this entry:
C:\WINDOWS\System32\sysme.exe
Click 'Exit' when done.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacoolsoftware.net/downloa...setup.exe. Then try TheKillbox again.
Make sure that you have no other browsers or windows open as this could prevent the fix from working properly.
If you want to read the actual post that I took this from you can view it here (http://www.computercops.biz/postp104274.html)
3) Here are some things that should be fixed with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
4) These are things that you don't need running on startup; they hog system resources:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
To fix this: (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers.
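The log posted earlier in this thread and meeeeeee's triage of it (orphaned BHO, unrecognised Run entry, search URL to check) follow a pattern that is easy to mechanise. The following is an added example written for this page, not HijackThis code and not anything posted by the thread's participants: it parses O2, O4 and R0/R1 lines from a HijackThis-style log and flags the same three classes of entry. The sample lines are copied from the log in this thread; the allowlist of known startup executables and the set of expected start/search-page hosts are assumptions constructed for the example, and would be maintained by whoever is doing the analysis.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis's own code)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Sample input: seven lines taken from the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
"""

# Assumption (constructed for this example): startup executables the analyst has
# already recognised as legitimate on this particular machine.
KNOWN_STARTUP_EXES = {"ccapp.exe", "ccregvfy.exe", "realsched.exe", "hpsysdrv.exe",
                      "hkcmd.exe", "rundll32.exe", "mnyexpr.exe", "nwiz.exe"}
# Assumption (constructed): hosts the owner expects as start/search pages.
EXPECTED_PAGE_HOSTS = {"www.aeitv.net", "qus7.hpwis.com"}
# Legitimate software the thread singles out for attention anyway.
INFO_EXES = {"msmsgs.exe": "Windows Messenger autostart; thread recommends disabling it"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.*?),(?P<value>[^=]+?) = (?P<url>\S+)$")


def exe_from_command(cmd: str) -> str:
    """Return the lower-cased basename of the executable in a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by args
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted path: first token
        path = cmd.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag log lines that deserve a look; each finding carries the line, a severity and a reason."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # A BHO whose CLSID is registered but whose DLL is gone is an orphaned entry.
            if m.group("path") == "(no file)":
                findings.append({"line": line, "severity": "fix",
                                 "reason": "BHO CLSID registered but its file is missing (orphaned entry)"})
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            if exe in INFO_EXES:
                findings.append({"line": line, "severity": "info", "reason": INFO_EXES[exe]})
            elif exe not in KNOWN_STARTUP_EXES:
                # Unknown autostart binary: review it, do not assume it is malicious.
                findings.append({"line": line, "severity": "review",
                                 "reason": f"startup entry '{m.group('key')}' runs unrecognised executable {exe}"})
            continue
        m = R_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host not in EXPECTED_PAGE_HOSTS:
                findings.append({"line": line, "severity": "review",
                                 "reason": f"{m.group('value')} points at unexpected host {host}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run against the sample it reports four findings: the orphaned BHO as "fix", the unrecognised sysme.exe entry and the srch-qus7.hpwis.com search URL as "review", and the Messenger autostart as "info"; the Norton entries and the expected start page pass silently. The point of keeping "review" separate from "fix" is the one Tedob1 made about r_server.exe: an autostart you do not recognise is a question for the machine's owner, not automatically something to delete.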
sumdumguy
March 14th, 2004, 06:50 PM
It's always good to see meeeeeee in hijackthis threads.. :D
w00kies
March 14th, 2004, 08:46 PM
Make sure you go to the Ad-aware website
and download the new REF file.
You can't download it from the program itself;
you have to go to the website.
I think the latest one is
ref 01R267 12.03.2004.
Also, always make sure you update your AV every day or w/e.
I usually update my Norton AV every day... and it has new files every day!
Update everything,
then you run it.
arledgetv
March 18th, 2004, 02:35 AM
Thanks for the heads up on Ad-aware. I usually update the reference file and run it, but because of your advice I went to the site and found all of the new plug-ins that were available for me to use.
w00kies
March 18th, 2004, 02:47 AM
Yo man,
I suggest that anyone who uses any kind of AV, or Ad-aware, or any kind of firewall
please update it first, then run it... then come ask questions!!!!!!!
http://www.lavasoftusa.com/
Ad-aware has a new REFLIST like every week.... Latest reference file: 01R269 16.03.2004
Please Note: Build 181 is now available! This download is for use with build 181 and higher only. Support is no longer available for previous builds and reference files.
Download this new ref list to your Ad-aware and it will find more.
I use Norton... they have a LiveUpdate feature on the program... or you can go to their website!!
They usually have an update... EVERY DAY!!!!
MOST PROGRAMS have their own live update; please use them before coming here.
I don't know why people use old programs on new viruses and complain that they can't find any viruses they have............... Please make sure you update your arsenal... run it and fix it,
then report the problems that were left behind.
Like STARSKY said......................... DO IT!!! DO IT NOW!!
P.S. Thanks for the negs........... I don't understand why people are hating!
I don't recall saying anything negative on this forum.
hellforgedangel
March 18th, 2004, 09:06 PM
I have no services added, but more and more of these msmsgs xxxxTCP and msmsgs xxxxUDP ports are opening.
Are you sure it isn't msmsgr xxxxTCP etc.? This is what MSN Messenger does on my PC. Do you use this?
It could just be similar, but I thought I'd say, just in case it is just Messenger opening the ports.
P.S. It seems to open a good few ports on all computers I've seen.
foxyloxley
March 19th, 2004, 12:12 AM
To disable Messenger:
Start - Run: type in services.msc
Click OK; a window opens.
Scroll down to Messenger.
Right-click, go to Properties.
Startup type: highlight DISABLED.
Click Apply; make sure that the Start button disables.
Click OK, exit to desktop.
( W2K Pro )
Just in case it wasn't done, and Soda's link was missed. :)