#1

I've got a browser hijack trojan that is re-setting my home page currently to blank Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still haven't been able to clean this hijacker off my PC. Every time I re-boot it re-sets my home page and if I do searches it will popup another search page.

I've had a browser hijacker before and never had this much trouble removing it. Normally, Spybot or CWShredder took care of it.

I'm guessing I need to do this manually, but not sure on how to tackle this? Can anyone offer any help? I would be greatly appreciative.

I'm running Win2000 Professional. I'm comfortable using the registry and the command shell. Not an expert, but I'm comfortable using both.

Thanks in advance for any help.

-D-

#2

Thanks for the information. The files were different due to a different version of the hijack, but the information in the thread helped me track down the files and wipe them out.

This trojan was the worst one I've encountered. I really appreciate your help.

Thank you,
Dwayne

"Mark Mandell" <> wrote in message news
> "-D-" <> wrote in message news:6pOdna9x_KzSCA7cRVn-...
> > I've got a browser hijack trojan that is re-setting my home page currently to blank & Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still haven't been able to clean this hijacker off my PC. Every time I re-boot it re-sets my home page and if I do searches it will popup another search page.
> >
> > I've had a browser hijacker before and never had this much trouble removing it. Normally, Spybot or CWShredder took care of it.
> >
> > I'm guessing I need to do this manually, but not sure on how to tackle this? Can anyone offer any help? I would be greatly appreciative.
> >
> > I'm running Win2000 Professional. I'm comfortable using the registry and the command shell. Not an expert, but I'm comfortable using both.
> >
> > Thanks in advance for any help.
> > -D-
>
> Check out this site:
> http://www.securiteam.com/securityre...RP0L0UD5U.html

-D-

#3

Well, I thought I had it, but I was wrong. I ran HijackThis and this is the information in the log file:

```
Logfile of HijackThis v1.98.2
Scan saved at 2:23:04 PM, on 11/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\sysnc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\ipxy.exe
C:\Documents and Settings\deppswork\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uyfjd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uyfjd.dll/sp.html#28129
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Deppswork\Application Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Deppswork\Application Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} - C:\WINNT\netbj32.dll
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe
```

Any help on how to get rid of this would be appreciated. I've tried everything I can think of.

-D-

"-D-" <> wrote in message news
> Thanks for the information. The files were different due to a different version of the hijack, but the information in the thread helped me track down the files and wipe them out.
>
> This trojan was the worst one I've encountered. I really appreciate your help.
>
> Thank you,
> Dwayne
>
> "Mark Mandell" <> wrote in message news
> > "-D-" <> wrote in message news:6pOdna9x_KzSCA7cRVn-...
> > > I've got a browser hijack trojan that is re-setting my home page currently to blank Search & Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still haven't been able to clean this hijacker off my PC. Every time I re-boot it re-sets my home page and if I do searches it will popup another search page.
> > >
> > > I've had a browser hijacker before and never had this much trouble removing it. Normally, Spybot or CWShredder took care of it.
> > >
> > > I'm guessing I need to do this manually, but not sure on how to tackle this? Can anyone offer any help? I would be greatly appreciative.
> > >
> > > I'm running Win2000 Professional. I'm comfortable using the registry and the command shell. Not an expert, but I'm comfortable using both.
> > >
> > > Thanks in advance for any help.
> > > -D-
> >
> > Check out this site:
> > http://www.securiteam.com/securityre...RP0L0UD5U.html

-D-

#5

"-D-" <> wrote in message news:6pOdna9x_KzSCA7cRVn-...
> I've got a browser hijack trojan that is re-setting my home page currently to blank Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still haven't been able to clean this hijacker off my PC. Every time I re-boot it re-sets my home page and if I do searches it will popup another search page.
>
> I've had a browser hijacker before and never had this much trouble removing it. Normally, Spybot or CWShredder took care of it.
>
> I'm guessing I need to do this manually, but not sure on how to tackle this? Can anyone offer any help? I would be greatly appreciative.
>
> I'm running Win2000 Professional. I'm comfortable using the registry and the command shell. Not an expert, but I'm comfortable using both.
>
> Thanks in advance for any help.

Did you try running HijackThis! and the other utilities in Safe Mode? I'd be shocked if doing so still didn't get rid of it.

Patrick Michael

#6

I ran the utilities from safe mode and it didn't make a difference either?

"Patrick Michael" <> wrote in message news:UuQkd.53369$_g6.33951@okepread03...
> "-D-" <> wrote in message news:6pOdna9x_KzSCA7cRVn-...
> > I've got a browser hijack trojan that is re-setting my home page currently to blank & Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still haven't been able to clean this hijacker off my PC. Every time I re-boot it re-sets my home page and if I do searches it will popup another search page.
> >
> > I've had a browser hijacker before and never had this much trouble removing it. Normally, Spybot or CWShredder took care of it.
> >
> > I'm guessing I need to do this manually, but not sure on how to tackle this? Can anyone offer any help? I would be greatly appreciative.
> >
> > I'm running Win2000 Professional. I'm comfortable using the registry and the command shell. Not an expert, but I'm comfortable using both.
> >
> > Thanks in advance for any help.
>
> Did you try running HijackThis! and the other utilities in Safe Mode? I'd be shocked if doing so still didn't get rid of it.

-D-

#7

"-D-" <> wrote in message news:nLGdnS6QYsOgQw7cRVn-...
> I ran the utilities from safe mode and it didn't make a difference either?

Wow, count me as shocked. that I wasn't able to get rid of between the combination of Ad-Aware, Spybot, and HijackThis! That must have been some particularly nasty malware.

Patrick Michael

#8

"Patrick Michael" <> wrote in message news:ipRkd.53375$_g6.38309@okepread03...
> "-D-" <> wrote in message news:nLGdnS6QYsOgQw7cRVn-...
> > I ran the utilities from safe mode and it didn't make a difference either?
>
> Wow, count me as shocked.
> that I wasn't able to get rid of between the combination of Ad-Aware, Spybot, and HijackThis! That must have been some particularly nasty malware.

I know this sounds stupid but I have had similar things in the past, and I found some installer programs in my Add/Remove software program that were installed without my knowledge, so I ran removal on the renegade programs and found all references in the registry and deleted them.

Now I check Add/Remove on a regular basis

GWB

#9

"GWB" <> wrote in message news:QZSkd.87460$R05.13394@attbi_s53...
> "Patrick Michael" <> wrote in message news:ipRkd.53375$_g6.38309@okepread03...
> > "-D-" <> wrote in message news:nLGdnS6QYsOgQw7cRVn-...
> > > I ran the utilities from safe mode and it didn't make a difference either?
> >
> > Wow, count me as shocked.
> > that I wasn't able to get rid of between the combination of Ad-Aware, Spybot, and HijackThis! That must have been some particularly nasty malware.
>
> I know this sounds stupid but I have had similar things in the past, and I found some installer programs in my Add/Remove software program that were installed without my knowledge, so I ran removal on the renegade programs and found all references in the registry and deleted them.
> Now I check Add/Remove on a regular basis

get the trial of Giant Antispy and the trial of Spysweeper... I worked on a Win98 PC with a similar trojan last week and eventually just reinstalled windows (not much stuff on the PC so it was the easier path)...

I never did figure out what was enabling the trojan... it kept respawning under different names, it put all sorts of files in the windows system folder... I used every trick in the book and it still had a presence...I scanned the drive on another machine and found all sorts of junk... but it still came back... sifted the registry too... major PITA...

good luck...

--
<B0N3H3@D>
"I have no special talent. I am only passionately curious." Albert Einstein

«bonehead;\)

#10

Remove -
R3 Default URLSearchHook is missing
that one is definitely bad

suspect ones are
C:\WINNT\system32\sysnc.exe
C:\WINNT\ipxy.exe
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} -
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe

These last four entries can be removed one at a time if the problem doesn't clear up by removing R3 Default URLSearchHook is missing. Do not remove if you recognise the process that is running.

"«bonehead news:hsTkd.21763$. com...
> "GWB" <> wrote in message news:QZSkd.87460$R05.13394@attbi_s53...
> > "Patrick Michael" <> wrote in message news:ipRkd.53375$_g6.38309@okepread03...
> > > "-D-" <> wrote in message news:nLGdnS6QYsOgQw7cRVn-...
> > > > I ran the utilities from safe mode and it didn't make a difference either?
> > >
> > > Wow, count me as shocked.
> > > hijack/spyware
> > > that I wasn't able to get rid of between the combination of Ad-Aware, Spybot, and HijackThis! That must have been some particularly nasty malware.
> >
> > I know this sounds stupid but I have had similar things in the past, and I found some installer programs in my Add/Remove software program that were installed without my knowledge, so I ran removal on the renegade programs and found all references in the registry and deleted them.
> > Now I check Add/Remove on a regular basis
>
> get the trial of Giant Antispy and the trial of Spysweeper...
> I worked on a Win98 PC with a similar trojan last week and eventually just reinstalled windows (not much stuff on the PC so it was the easier path)...
>
> I never did figure out what was enabling the trojan... it kept respawning under different names, it put all sorts of files in the windows system folder... I used every trick in the book and it still had a presence...I scanned the drive on another machine and found all sorts of junk... but it still came back... sifted the registry too... major PITA...
>
> good luck...
>
> --
> <B0N3H3@D>
> "I have no special talent. I am only passionately curious." Albert Einstein

Dave
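
A small triage pass over a log in the format posted in #3, as an added example that is not part of the original thread and not HijackThis's own logic: it flags the entry kinds the thread singles out (`res://` search values, the unnamed BHO, the Run-key autorun) and notes when an autorun target is also in the running-process list. The function names and heuristics are this example's assumptions; the sample lines are an excerpt of the log from #3.

```python
import re

# Excerpt of the log posted in #3, embedded so the example runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\ipxy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} - C:\WINNT\netbj32.dll
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumption: a DLL/EXE sitting directly in the Windows root (not a subfolder)
# is worth a look. Legitimate files such as Explorer.EXE live there too.
WIN_ROOT = re.compile(r"(?i)\b([a-z]:\\(?:winnt|windows)\\[^\\/\s]+\.(?:dll|exe))")

def parse(log):
    """Split a log into running-process paths and (code, text) entries."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log):
    """Return (code, reason, path) findings using this example's heuristics."""
    procs, entries = parse(log)
    running = {p.lower() for p in procs}
    findings = []
    for code, text in entries:
        hit = WIN_ROOT.search(text)
        path = hit.group(1) if hit else None
        if code in ("R0", "R1") and "res://" in text.lower():
            findings.append((code, "IE search/start value served via res://", path))
        elif code == "O2" and "(no name)" in text and path:
            findings.append((code, "unnamed BHO in the Windows root", path))
        elif code == "O4" and path:
            live = " (currently running)" if path.lower() in running else ""
            findings.append((code, "autorun from the Windows root" + live, path))
    return findings

if __name__ == "__main__":
    for code, reason, path in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {path}")
```

A finding here is a prompt to check the file on disk, not a verdict.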