Page 1 of 2 12 LastLast
Results 1 to 15 of 23
  1. #1
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Browser Hijacker ???

    I seem to have acquired a browser hijacker yesterday, when I installed a screensaver program. It seemed harmless at first, the screensaver was not what I expected and I deleted it. Then today when I went to my homepage (Webshots) I was grabbed and redirected to a blank page site with a porn popup and a security warning on an underlying page about spyware and porn popups with a link to a spyware removal tool to "fix" my "problem". It also activated ZoneAlarm wanting to let Microsoft HTML Application Host access the internet. I said no and don't ask again and then ZA asked if ftp.exe could access the internet. Again I said no. I then closed down all open windows, noting that my new default homepage seemed to be http://default-homepage-network.com/start.cgi?new-hkcu. I shortened that to http://default-homepage-network.com/ and got to a page telling me that due to problems with their "business model" they were voluntarily ceasing operations at the end of June 2004. I went to Google and checked their cached page for that address and it seems like a straight up spyware firm trying to put on a legit face. Either way, I ran Task Manager and found 2 running processes that were new 0Pwh.exe (in the C:WINDOWSprefetch folder) and wowexce.exe (no location given, but I found it later in the registry). These two seem to be the visible cause of the trouble (renaming them stopped some of the activity, but not all.), but I'm not sure if I should delete them and edit them out of the registry or if I should install and run Hijack This to get rid of all traces of the nasties. Also, the 0Pwh file attempted to access the internet when I rebooted the system from an entry in the registry. ZA stopped it, but that was what told me it was something I needed to be careful with. I pretty certain that I've identified the problem, I just need to know the best course of action to resolve the issue without any harm to my system.

    All thoughts are welcome.
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

  2. #2
    Star Lounger
    Join Date
    Jun 2001
    Location
    Ontario, Canada
    Posts
    79
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    You may want to download one the many anti-trackware programs and perform a scan. Some of the popular ones are Ad-aware 6, Spy Sweeper, Spybot, Pest Patrol

  3. #3
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Browser Hijacker ???

    Sorry, forgot to mention that I ran AdAware 6 and Spybot S&D after updating both. Turned up a few tracking cookies, but nothing important. Also ran a scan with Norton AV (definitions current) and came up clean. This is definitly a browser hijack as my homepage keeps changing. I've isolated it down to a few files and running processes. Just need to know if HijackThis is the way to go or just wing it and manually edit the registry.
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

  4. #4
    5 Star Lounger
    Join Date
    Mar 2001
    Location
    Pickering, Ontario
    Posts
    642
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    Have you tried in Internet Explorer going to Tools | Internet Options | General and resetting your home page to the desired location? If something is indeed lurking in the background it could / would reset this setting but maybe it's worth a try. If it happens again then perhaps your solution is getting a hijacker program.

    Cheers, Bob
    Regards,
    Bob

  5. #5
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Browser Hijacker ???

    Bob,

    Been there (several times) and done that. There's something in the registry or Startup folder that's resetting it whenever I set it right. I've stopped most of the benaviors by renaming the files in question, but still, all is not right.

    Thanks for the input. I've got a copy of HijackThis and am almost ready to install it. First I want to go to their forum and see if I can do it manually or need to install the program to clean house completely.
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

  6. #6
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    Cumberland, Maryland, USA
    Posts
    880
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    I'd try HighjackThis . It's solved my problems twice.

  7. #7
    5 Star Lounger
    Join Date
    Mar 2001
    Location
    Pickering, Ontario
    Posts
    642
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    Hi Doc,

    I wasn't 100% sure whether you had tried the Internet Options route and that's why I suggested it. It appears that you have a real tough lurker on your hands. Good Luck in getting rid of the beast. Let me know about your experience with HiJackThis as I might want to add it to my library.

    Cheers, Bob
    Regards,
    Bob

  8. #8
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Browser Hijacker ???

    Doc,

    If HijackThis doesn't do it for you, you could always go to the files in question in the reg and and export a copy one at a time and then delete them. That way you can put them back in if needed.
    I do think you found the trouble makers though and can dump them safely. ( particularly the one in the prefetch folder which should be cleaned out periodically anyway )
    BOB
    http://lounge.windowssecrets.com/S/flags/USA.gif http://lounge.windowssecrets.com/S/f...sachusetts.gif


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  9. #9
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Browser Hijacker ???

    I'm contemplating that. Posted to SWI forum (one recommeded by Hijack This) to see if I can do it manually and just get rid of the files I suspect or use the software to identify the problems first.
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

  10. #10
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Browser Hijacker ???

    I think so too. <img src=/S/smile.gif border=0 alt=smile width=15 height=15> I'm just waiting to see if I get any response in that security forum I mentioned in my last post. From the instructions for using HijackThis, it doesn't appear to install anything on your system. Does it just do a scan and create a log file ??
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

  11. #11
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    Arkansas
    Posts
    952
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    Which screen saver did you install that probably caused all your problems?

  12. #12
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Browser Hijacker ???

    Something called "Rippling Water". 3 backgrounds (A fishing trawler @ sunset, an island & a castle on a lake) with water in the picture, animated to look as though the water is moving. About as interesting as the fake waterfall screensaver. Should have realized when it wanted to install to it's own directory in C:Program Files that something was up and checked the main directory name, "Control-Zed-Group" !!! <img src=/S/bingo.gif border=0 alt=bingo width=15 height=22> Just when I thought I was too old to be stupid anymore, too !!!
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

  13. #13
    Star Lounger
    Join Date
    Jun 2001
    Location
    Ontario, Canada
    Posts
    79
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    Hijackthis is a very good program howver, the log files need someone with knowledge to discern which entries need to be removed. Remove the wrong entires and serious problems may result. It checks only slevtive areas of the Windows registry. It does not check your hard drive per se for targets. It cannot detect some targets as they have desgined themselves in such a way as to not use the registry HJT scans or re-establish their prescence on machines in a new manner such as Coolwebsearch, Adtomi, Peper.A (sandbox), Vx2.betterinternet and other transponders. Other tools are being developed bu individuals to combat this plague

  14. #14
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    Arkansas
    Posts
    952
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Browser Hijacker ???

    I was checking out a screensaver by the name of Water Illusion and when I went to install it, there was a blurp in the license agreement about their partners - something about SAVE ONE - anyway, I figured out that it was spyware and adware and said NO to the installation of the partnering software. The screensaver wasn't worth a darn and I uninstalled it. But I would imagine most people would not read the license agreement carefully enough to catch the info about their partner software. I wonder if that isn't what happened to you - they just snuck it in on you. Bummer.

  15. #15
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Browser Hijacker ???

    I seem to know enough, to know when I don't know enough.......... if you know what I mean. <img src=/S/grin.gif border=0 alt=grin width=15 height=15> And I do know not to delete things from the registry or a HijackThis log unless you know what they are. If they could only develop a tool that would eradicate the plague of miscreants who create this garbage, that they then foist on the rest of us for their amusement......... now that would be a TOOL !!! <img src=/S/yep.gif border=0 alt=yep width=15 height=15>

    After I determined that HijackThis would only scan my machine and not install anything, I went ahead and ran it. It did turn up that 0Pwh.exe file but nothing eles that I would call strange. I'm still waiting for a reply from that SWI security forum requesting that I post my log (they don't want it posted unless they ask for it).
    <IMG SRC=http://www.wopr.com/w3tuserpics/DocWatson_sig.gif>

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •