Resolved Browser hijack?

Hi all,

I've been asked to open this thread, was in Malware & Virus section

Problem:
I always set my homepage to About:blank, helps detect browser hijacks as about:blank is a local file and does not require internet access.
3 days ago Ad-Aware told me that I had a trojan in Wininet.dll, and promptly quarantined the file. Explorer.exe uses this file, so all I could get was my background screen and no programme access, not even in safe mode.
Re-installed XP and all service packs.
When I open IE6 or IE7, Zone Alarm tells me IE is asking for internet access through the loop-back adaptor 127.0.0.1 port 5152.
This has not happened for the previous 3 years on XP, and I believe that 5152 is a UDP port ie no handshake protocols
Is this a Trojan??, Google Chrome opens to the blank page without asking for access to the internet.
We cannot find any sign of an infection, but IE still asks for internet access when opening About:blank

any ideas???

many thanks

Dave:

 

Broni also told me to post here!, so where do you suggest I post it (clean answers only please)

 

Couldn't agree more, Arie. ZA were great until Checkpoint got them, used to run ZA Pro until I got fed up with the system crashes.
At the risk of running way off topic, I'm now also getting a message that Wndows BBS is trying to open activeX controls, have seny a message to Admin(you perhaps?)
I know that 127 adresses are reserved for local hosts, but if I don't allow internet access blank will not open, and despite being unable to find any infections, something is going on that is not quite right.

Dave

 

The brief (and resolved) discussion in this link implicates Java Quick Starter (JQS) as the culprit. I think JQS is a fairly recent "enhancement" for Java (because I recall seeing references to it only recently). I have not researched to determine when JQS was first pushed by Sun.

I looked at your ComboFix log and found the following.

My guess is the O2 BHO (browser helper object) entry (jqs_plugin.dll) may be causing your localhost (127.0.0.1) port 5152 connection attempts whenever you open IE.

I bet Broni can tell you whether it's safe to have HijackThis "fix" the O2 BHO entry or not (or whether there's a better method for disabling/removing the BHO or not).

I currently do not have Java installed so I cannot easily check the Java in my Control Panel to see if there's a simple setting (to turn off Java Quick Starter). I bet you can though.


EDIT: I read that "resolved" thread more carefully and looked at your Malware & Virus Removal thread again. I also found the following "Running Process" in your computer.

 

Bingo!!
Problem resolved. For information, and for any other possible readers, I also disabled Jusched through msconfig, another java file to slow down the system & cause major page fault problems.
If you are running Avast on access scanner, this will listen on port 12080 whenever IE is opened.

many thanks

Dave

 

You're very welcome, Dave. I'm glad I could assist. Thank you for following up to let us know and tagging the thread as "Resolved ".

Thank you, Broni.


BTW, in ZoneAlarm's defense, ...

I think ZA was properly doing its job. Now that you know the alert was about a non-malicious action, you could alternatively configure ZA to always allow that event and then leave the JQS running. However, it seems that might open up your computer to potential (undiscovered) vulnerabilities in JQS. Probably safest to simply disable JQS.

The first firewall I used was ZA and then later I used ZAPro for years. I also use Norton SystemWorks (NSW). I know I'm going "against the grain" regarding the opinions of several other people around here. If I recall correctly, I switched from ZAPro to Comodo for two reasons.

• My ZAPro license was near expiration.
• I suspected conflicts between ZAPro and NSW because the events in my firewall log did not seem to correspond to the applications that should be involved.

If I recall correctly, ZA seems to be a good free firewall to install for computer novices: not much configuration needed to make ZA do its job (and do it silently in most cases).