• Browser Hijacker ???

    #405875

    I seem to have acquired a browser hijacker yesterday, when I installed a screensaver program. It seemed harmless at first, the screensaver was not what I expected and I deleted it. Then today when I went to my homepage (Webshots) I was grabbed and redirected to a blank page site with a porn popup and a security warning on an underlying page about spyware and porn popups with a link to a spyware removal tool to “fix” my “problem”. It also activated ZoneAlarm wanting to let Microsoft HTML Application Host access the internet. I said no and don’t ask again and then ZA asked if http://ftp.exe could access the internet. Again I said no. I then closed down all open windows, noting that my new default homepage seemed to be http://default-homepage-network.com/start.cgi?new-hkcu. I shortened that to http://default-homepage-network.com/ and got to a page telling me that due to problems with their “business model” they were voluntarily ceasing operations at the end of June 2004. I went to Google and checked their cached page for that address and it seems like a straight up spyware firm trying to put on a legit face. Either way, I ran Task Manager and found 2 running processes that were new: 0Pwh.exe (in the C:\WINDOWS\prefetch folder) and wowexce.exe (no location given, but I found it later in the registry). These two seem to be the visible cause of the trouble (renaming them stopped some of the activity, but not all), but I’m not sure if I should delete them and edit them out of the registry or if I should install and run Hijack This to get rid of all traces of the nasties. Also, the 0Pwh file attempted to access the internet when I rebooted the system from an entry in the registry. ZA stopped it, but that was what told me it was something I needed to be careful with. I’m pretty certain that I’ve identified the problem, I just need to know the best course of action to resolve the issue without any harm to my system.

    All thoughts are welcome.

    • #837172

      You may want to download one of the many anti-trackware programs and perform a scan. Some of the popular ones are Ad-aware 6, Spy Sweeper, Spybot, Pest Patrol.

      • #837189

        Sorry, forgot to mention that I ran AdAware 6 and Spybot S&D after updating both. Turned up a few tracking cookies, but nothing important. Also ran a scan with Norton AV (definitions current) and came up clean. This is definitely a browser hijack as my homepage keeps changing. I’ve isolated it down to a few files and running processes. Just need to know if HijackThis is the way to go or just wing it and manually edit the registry.

        • #837199

          Have you tried in Internet Explorer going to Tools | Internet Options | General and resetting your home page to the desired location? If something is indeed lurking in the background it could / would reset this setting but maybe it’s worth a try. If it happens again then perhaps your solution is getting a hijacker program.

          Cheers, Bob

          • #837232

            Bob,

            Been there (several times) and done that. There’s something in the registry or Startup folder that’s resetting it whenever I set it right. I’ve stopped most of the behaviors by renaming the files in question, but still, all is not right.

            Thanks for the input. I’ve got a copy of HijackThis and am almost ready to install it. First I want to go to their forum and see if I can do it manually or need to install the program to clean house completely.

            • #837259

              Hi Doc,

              I wasn’t 100% sure whether you had tried the Internet Options route and that’s why I suggested it. It appears that you have a real tough lurker on your hands. Good Luck in getting rid of the beast. Let me know about your experience with HiJackThis as I might want to add it to my library.

              Cheers, Bob

            • #837269

              Doc,

              If HijackThis doesn’t do it for you, you could always go to the files in question in the reg and export a copy one at a time and then delete them. That way you can put them back in if needed.
              I do think you found the trouble makers though and can dump them safely (particularly the one in the prefetch folder, which should be cleaned out periodically anyway).

            • #837294

              I think so too. I’m just waiting to see if I get any response in that security forum I mentioned in my last post. From the instructions for using HijackThis, it doesn’t appear to install anything on your system. Does it just do a scan and create a log file ??

            • #837325

              Which screen saver did you install that probably caused all your problems?

            • #837339

              Something called “Rippling Water”. 3 backgrounds (A fishing trawler @ sunset, an island & a castle on a lake) with water in the picture, animated to look as though the water is moving. About as interesting as the fake waterfall screensaver. Should have realized when it wanted to install to its own directory in C:\Program Files that something was up and checked the main directory name, “Control-Zed-Group” !!! Just when I thought I was too old to be stupid anymore, too !!!

            • #837344

              Hijackthis is a very good program; however, the log files need someone with knowledge to discern which entries need to be removed. Remove the wrong entries and serious problems may result. It checks only selective areas of the Windows registry. It does not check your hard drive per se for targets. It cannot detect some targets as they have designed themselves in such a way as to not use the registry HJT scans or re-establish their presence on machines in a new manner such as Coolwebsearch, Adtomi, Peper.A (sandbox), Vx2.betterinternet and other transponders. Other tools are being developed by individuals to combat this plague.
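
Added example (not from any poster and not part of HijackThis): a first-pass review of a log in the usual HijackThis line layout, listing browser-page overrides and autoruns for a person to check rather than removing anything. The log is constructed; only the homepage URL and the 0Pwh.exe location come from the thread, and the trusted hosts, folder list and value names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (not the poster's real log). Value names in [ ] are made up.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [example-value] C:\WINDOWS\Prefetch\0Pwh.exe
O4 - HKLM\..\Run: [example-updater] "C:\Documents and Settings\user\Local Settings\Temp\upd.exe" /s
"""

# R0-R3 lines: browser start/search page values. O4 lines: autorun entries.
URL_LINE = re.compile(r"^(R[0-3]) - (?P<key>[^=]+?) = (?P<url>\S+)")
RUN_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumptions for this example: hosts the user set on purpose, and
# folders that a legitimate autorun has no reason to start from.
TRUSTED_HOSTS = {"www.webshots.com", "www.google.com"}
ODD_DIRS = ("\\windows\\prefetch\\", "\\temp\\", "\\temporary internet files\\")


def exe_path(cmd):
    """Return the program path from an autorun command line."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    bare = re.match(r"(.+?\.(?:exe|com|bat|scr|dll))(?:\s|$)", cmd, re.I)
    return bare.group(1) if bare else cmd.split()[0]


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = URL_LINE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_HOSTS:
                findings.append((m.group(1), "untrusted browser page", host))
            continue
        m = RUN_LINE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            if any(d in path.lower() for d in ODD_DIRS):
                findings.append(("O4", "autorun from unusual folder", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

A clean result here only means nothing matched these two checks; as the post says, entries outside the areas the log covers are not visible to it.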

            • #837359

              I seem to know enough, to know when I don’t know enough………. if you know what I mean. And I do know not to delete things from the registry or a HijackThis log unless you know what they are. If they could only develop a tool that would eradicate the plague of miscreants who create this garbage, that they then foist on the rest of us for their amusement……… now that would be a TOOL !!!

              After I determined that HijackThis would only scan my machine and not install anything, I went ahead and ran it. It did turn up that 0Pwh.exe file but nothing else that I would call strange. I’m still waiting for a reply from that SWI security forum requesting that I post my log (they don’t want it posted unless they ask for it).

            • #837350

              I was checking out a screensaver by the name of Water Illusion and when I went to install it, there was a blurb in the license agreement about their partners – something about SAVE ONE – anyway, I figured out that it was spyware and adware and said NO to the installation of the partnering software. The screensaver wasn’t worth a darn and I uninstalled it. But I would imagine most people would not read the license agreement carefully enough to catch the info about their partner software. I wonder if that isn’t what happened to you – they just snuck it in on you. Bummer.

            • #837363

              Nah………. Wish I could blame somebody other than myself. I just wasn’t payin’ attention !!!

            • #837766

              Doc. I think you are being a little too conservative about those two files. I would have gotten rid of them long ago (thank you, True Image).
              I did notice an unusual thing. I googled both of those file names as you had typed them and Google corrected both with: wowexec.exe & Opw.exe?
              Was that a typo or were they the actual file names?

            • #837891

              Hey Bob !!

              I agree, I’m being rather conservative on this. But when I Googled up CGI (a file extension at the end of the new homepage address) and found it was a script file that can give remote access to your PC if whatever you downloaded or installed gets out and makes contact, I kinda took a cautious approach.

              I also did a Google for those file names and came up empty (no typos, those were the actual file names). I did some Googling around for the company behind “default-homepage-network.com” and found it to have a storied and checkered past as a portal for browser hijacks. There’s also some mention of a Trojan virus related to these guys.

              I just installed True Image and made my first image on the first of the month. Not familiar enough with the program yet to attempt to fix something, that at first seemed so minor, by restoring an entire disk image. I know there is a way to pick and choose what you restore, but I just don’t know the program yet. But I’ve gathered enough information in my searches and my system has been behaving normally since I renamed all the files associated with this thing. If it doesn’t act up again, I’ll skip the reply from the HijackThis log folks and just delete the files and registry entries that I know to be a problem.

            • #838127

              All fixed !!!

              No thanks to the nice folks at SpywareInfo, who have yet to respond to my posts. I deleted those files, that I knew were problems, from Windows, and then ran Hijack This and removed the registry entries that I knew were related to the hijack, shutdown and rebooted. All seems fine and my homepage doesn’t change anymore. It hadn’t since I renamed the files 2 days ago, this is just more permanent and thorough. I still have some suspicious entries and will wait and see if SpywareInfo responds and what they say. I’ll post back with that info…….. when and if.

              Meantime………….. Let’s go fishin’ !!!

            • #838169

              Good to hear that, Doc.
              When you get more into True Image, you will see some good code writing there. I’ve used it a number of times for Imaging and a few times to restore individual files. Works great.

              Fishing? OK. I’ve got the boat, you bring the brewskis!

            • #838221

              What’s your brand, Captain ??

              I’ll need to go find my sea-legs first. It’s been awhile.

            • #837361

              Hi Doc

              I’d run HijackThis and post the log on Net-Integration’s HijackThis Forum. You can find a link to the forum in this post.

              Have a Great day!!!
              Ken

            • #837365

              Thanks Ken.

              I’ve already posted in the SpywareInfo Forum, and that seems to be cross-referenced or moderated by the same folks that handle the site you linked me to. A post in the SpywareInfo forum was locked because it was posted in the Net-Integration’s forum. I’m just waiting for them to request my log file.

        • #837236

          I’d try HijackThis. It’s solved my problems twice.

          • #837283

            I’m contemplating that. Posted to SWI forum (one recommended by Hijack This) to see if I can do it manually and just get rid of the files I suspect or use the software to identify the problems first.
