Velocity Reviews - Computer Hardware Reviews

browser hijack

 
 
-D-
Guest
Posts: n/a
 
      11-11-2004
I've got a browser hijack trojan that is re-setting my home page currently
to blankage, but at first it was home search. I've run Spybot Search &
Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
haven't been able to clean this hijacker off my PC. Every time I re-boot it
re-sets my home page and if I do searches it will pop up another search page.

I've had a browser hijacker before and never had this much trouble removing
it. Normally, Spybot or CWShredder took care of it.

I'm guessing I need to do this manually, but not sure on how to tackle this?
Can anyone offer any help? I would be greatly appreciative.

I'm running Win2000 Professional. I'm comfortable using the registry and
the command shell. Not an expert, but I'm comfortable using both.

Thanks in advance for any help.
-D-


 
Reply With Quote
 
 
 
 
-D-
Guest
Posts: n/a
 
      11-11-2004
Thanks for the information. The files were different due to a different
version of the hijack, but the information in the thread helped me track
down the files and wipe them out.

This trojan was the worst one I've encountered. I really appreciate your
help.

Thank you,
Dwayne


"Mark Mandell" <(E-Mail Removed)> wrote in message
news9Nkd.12032$(E-Mail Removed) link.net...
>
> "-D-" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I've got a browser hijack trojan that is re-setting my home page currently
> > to blankage, but at first it was home search. I've run Spybot Search &
> > Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
> > haven't been able to clean this hijacker off my PC. Every time I re-boot it
> > re-sets my home page and if I do searches it will pop up another search
> > page.
> >
> > I've had a browser hijacker before and never had this much trouble removing
> > it. Normally, Spybot or CWShredder took care of it.
> >
> > I'm guessing I need to do this manually, but not sure on how to tackle this?
> > Can anyone offer any help? I would be greatly appreciative.
> >
> > I'm running Win2000 Professional. I'm comfortable using the registry and
> > the command shell. Not an expert, but I'm comfortable using both.
> >
> > Thanks in advance for any help.
> > -D-
>
> Check out this site:
> http://www.securiteam.com/securityre...RP0L0UD5U.html


 
Reply With Quote
 
 
 
 
-D-
Guest
Posts: n/a
 
      11-11-2004
Well, I thought I had it, but I was wrong. I ran HijackThis and this is the
information in the log file:
Logfile of HijackThis v1.98.2
Scan saved at 2:23:04 PM, on 11/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\sysnc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\ipxy.exe
C:\Documents and Settings\deppswork\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uyfjd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uyfjd.dll/sp.html#28129
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Deppswork\Application Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Deppswork\Application Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} - C:\WINNT\netbj32.dll
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe

Any help on how to get rid of this would be appreciated. I've tried
everything I can think of.
-D-


"-D-" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> Thanks for the information. The files were different due to a different
> version of the hijack, but the information in the thread helped me track
> down the files and wipe them out.
>
> This trojan was the worst one I've encountered. I really appreciate your
> help.
>
> Thank you,
> Dwayne
>
> "Mark Mandell" <(E-Mail Removed)> wrote in message
> news9Nkd.12032$(E-Mail Removed) link.net...
> >
> > "-D-" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > I've got a browser hijack trojan that is re-setting my home page currently
> > > to blankage, but at first it was home search. I've run Spybot Search &
> > > Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
> > > haven't been able to clean this hijacker off my PC. Every time I re-boot it
> > > re-sets my home page and if I do searches it will pop up another search
> > > page.
> > >
> > > I've had a browser hijacker before and never had this much trouble removing
> > > it. Normally, Spybot or CWShredder took care of it.
> > >
> > > I'm guessing I need to do this manually, but not sure on how to tackle this?
> > > Can anyone offer any help? I would be greatly appreciative.
> > >
> > > I'm running Win2000 Professional. I'm comfortable using the registry and
> > > the command shell. Not an expert, but I'm comfortable using both.
> > >
> > > Thanks in advance for any help.
> > > -D-
> >
> > Check out this site:
> > http://www.securiteam.com/securityre...RP0L0UD5U.html


 
Reply With Quote
 
 
Patrick Michael
Guest
Posts: n/a
 
      11-11-2004

"-D-" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've got a browser hijack trojan that is re-setting my home page currently
> to blankage, but at first it was home search. I've run Spybot Search &
> Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
> haven't been able to clean this hijacker off my PC. Every time I re-boot it
> re-sets my home page and if I do searches it will pop up another search
> page.
>
> I've had a browser hijacker before and never had this much trouble removing
> it. Normally, Spybot or CWShredder took care of it.
>
> I'm guessing I need to do this manually, but not sure on how to tackle this?
> Can anyone offer any help? I would be greatly appreciative.
>
> I'm running Win2000 Professional. I'm comfortable using the registry and
> the command shell. Not an expert, but I'm comfortable using both.
>
> Thanks in advance for any help.


Did you try running HijackThis! and the other utilities in Safe Mode? I'd
be shocked if doing so still didn't get rid of it.


 
Reply With Quote
 
-D-
Guest
Posts: n/a
 
      11-11-2004
I ran the utilities from safe mode and it didn't make a difference either?


"Patrick Michael" <(E-Mail Removed)> wrote in message
news:UuQkd.53369$_g6.33951@okepread03...
>
> "-D-" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I've got a browser hijack trojan that is re-setting my home page currently
> > to blankage, but at first it was home search. I've run Spybot Search &
> > Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
> > haven't been able to clean this hijacker off my PC. Every time I re-boot it
> > re-sets my home page and if I do searches it will pop up another search
> > page.
> >
> > I've had a browser hijacker before and never had this much trouble removing
> > it. Normally, Spybot or CWShredder took care of it.
> >
> > I'm guessing I need to do this manually, but not sure on how to tackle this?
> > Can anyone offer any help? I would be greatly appreciative.
> >
> > I'm running Win2000 Professional. I'm comfortable using the registry and
> > the command shell. Not an expert, but I'm comfortable using both.
> >
> > Thanks in advance for any help.
>
> Did you try running HijackThis! and the other utilities in Safe Mode? I'd
> be shocked if doing so still didn't get rid of it.


 
Reply With Quote
 
Patrick Michael
Guest
Posts: n/a
 
      11-11-2004

"-D-" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I ran the utilities from safe mode and it didn't make a difference either?
>


Wow, count me as shocked. I've never had a browser hijack/spyware
that I wasn't able to get rid of between the combination of Ad-Aware,
Spybot, and HijackThis! That must have been some particularly nasty
malware.


 
Reply With Quote
 
GWB
Guest
Posts: n/a
 
      11-11-2004

"Patrick Michael" <(E-Mail Removed)> wrote in message
news:ipRkd.53375$_g6.38309@okepread03...
>
> "-D-" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>I ran the utilities from safe mode and it didn't make a difference either?
>
> Wow, count me as shocked. I've never had a browser hijack/spyware
> that I wasn't able to get rid of between the combination of Ad-Aware,
> Spybot, and HijackThis! That must have been some particularly nasty
> malware.


I know this sounds stupid but I have had similar things in the past, and I
found some installer programs in my Add/Remove software program that were
installed without my knowledge, so I ran removal on the renegade programs
and found all references in the registry and deleted them.
Now I check Add/Remove on a regular basis.


 
Reply With Quote
 
«bonehead;\)
Guest
Posts: n/a
 
      11-12-2004

"GWB" <(E-Mail Removed)> wrote in message
news:QZSkd.87460$R05.13394@attbi_s53...
>
> "Patrick Michael" <(E-Mail Removed)> wrote in message
> news:ipRkd.53375$_g6.38309@okepread03...
> >
> > "-D-" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >>I ran the utilities from safe mode and it didn't make a difference either?
> >
> > Wow, count me as shocked. I've never had a browser hijack/spyware
> > that I wasn't able to get rid of between the combination of Ad-Aware,
> > Spybot, and HijackThis! That must have been some particularly nasty
> > malware.
>
> I know this sounds stupid but I have had similar things in the past, and I
> found some installer programs in my Add/Remove software program that were
> installed without my knowledge, so I ran removal on the renegade programs
> and found all references in the registry and deleted them.
> Now I check Add/Remove on a regular basis.


get the trial of Giant Antispy and the trial of Spysweeper...
I worked on a Win98 PC with a similar trojan last week
and eventually just reinstalled windows (not much stuff on the PC
so it was the easier path)...

I never did figure out what was enabling the trojan... it kept
respawning under different names, it put all sorts of files in the
windows system folder... I used every trick in the book and it still
had a presence...I scanned the drive on another machine and found all sorts
of junk... but it still came back... sifted the registry too... major
PITA...

good luck...

--
<B0N3H3@D>
"I have no special talent. I am only passionately curious." Albert Einstein




 
Reply With Quote
 
Dave
Guest
Posts: n/a
 
      11-12-2004
Remove -
R3 Default URLSearchHook is missing
that one is definitely bad
suspect ones are
C:\WINNT\system32\sysnc.exe
C:\WINNT\ipxy.exe
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} -
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe

These last four entries can be removed one at a time if the problem doesn't
clear up by removing R3 Default URLSearchHook is missing. Do not remove if
you recognise the process that is running.


"«bonehead" <(E-Mail Removed)> wrote in message
news:hsTkd.21763$(E-Mail Removed). com...
>
> "GWB" <(E-Mail Removed)> wrote in message
> news:QZSkd.87460$R05.13394@attbi_s53...
>>
>> "Patrick Michael" <(E-Mail Removed)> wrote in message
>> news:ipRkd.53375$_g6.38309@okepread03...
>> >
>> > "-D-" <(E-Mail Removed)> wrote in message
>> > news:(E-Mail Removed)...
>> >>I ran the utilities from safe mode and it didn't make a difference either?
>> >
>> > Wow, count me as shocked. I've never had a browser hijack/spyware
>> > that I wasn't able to get rid of between the combination of Ad-Aware,
>> > Spybot, and HijackThis! That must have been some particularly nasty
>> > malware.
>>
>> I know this sounds stupid but I have had similar things in the past, and I
>> found some installer programs in my Add/Remove software program that were
>> installed without my knowledge, so I ran removal on the renegade programs
>> and found all references in the registry and deleted them.
>> Now I check Add/Remove on a regular basis.
>
> get the trial of Giant Antispy and the trial of Spysweeper...
> I worked on a Win98 PC with a similar trojan last week
> and eventually just reinstalled windows (not much stuff on the PC
> so it was the easier path)...
>
> I never did figure out what was enabling the trojan... it kept
> respawning under different names, it put all sorts of files in the
> windows system folder... I used every trick in the book and it still
> had a presence...I scanned the drive on another machine and found all
> sorts
> of junk... but it still came back... sifted the registry too... major
> PITA...
>
> good luck...
>
> --
> <B0N3H3@D>
> "I have no special talent. I am only passionately curious." Albert
> Einstein
>
>
>
>



 
Reply With Quote
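
A triage pass over the HijackThis entries discussed in this thread, as an added example that is not part of any post: it parses result lines of the form shown in the posted log and flags the patterns the replies single out (search settings pointing into a local DLL, an unnamed BHO, a Run-key binary in the Windows root). The function names and the "binary directly in the Windows root" heuristic are assumptions for illustration; the sample lines are copied from the posted log with wrapped lines rejoined.

```python
import re

# Lines copied from the HijackThis log posted in this thread (wrapped lines rejoined).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Deppswork\Application Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} - C:\WINNT\netbj32.dll
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)
O2_BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RUN = re.compile(r"^(.+?): \[(.*?)\] (.+)$")
# Assumed heuristic: a binary sitting directly in the Windows root, not a subfolder.
# Legitimate files live there too, so a hit means "look at it", not "delete it".
WINROOT_BIN = re.compile(r"[A-Z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.(?:exe|dll)\b", re.I)


def parse(log):
    """Yield (code, body) for each result line; header and process list are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return (code, reason, file_path_or_None) for entries that deserve a manual look."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1"):
            m = RES_DLL.search(body)
            if m:
                findings.append((code, "IE search setting loads a page out of a local DLL", m.group(1)))
        elif code == "R3":
            findings.append((code, "URLSearchHook entry reported", None))
        elif code == "O2" and (m := O2_BHO.match(body)):
            name, _clsid, path = m.groups()
            reasons = []
            if name == "(no name)":
                reasons.append("unnamed BHO")
            if WINROOT_BIN.fullmatch(path.strip()):
                reasons.append("DLL in Windows root")
            if reasons:
                findings.append((code, ", ".join(reasons), path.strip()))
        elif code == "O4" and (m := O4_RUN.match(body)):
            hit = WINROOT_BIN.search(m.group(3))
            if hit:
                findings.append((code, "autorun starts a binary from the Windows root", hit.group(0)))
    return findings


def files_to_inspect(findings):
    """Collapse findings to the unique on-disk files behind them."""
    return sorted({path for _, _, path in findings if path})


if __name__ == "__main__":
    for code, reason, path in triage(SAMPLE_LOG):
        print(f"{code}: {reason} -> {path}")
    print(files_to_inspect(triage(SAMPLE_LOG)))
```

Collapsing the findings to files shows that the registry values all resolve to a handful of binaries on disk, and the O4 Run entry is the one started again at every logon.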
 
 
 