browser hijack

Discussion in 'A+ Certification' started by -D-, Nov 11, 2004.

  1. -D-

    -D- Guest

    I've got a browser hijack trojan that is re-setting my home page currently
    to blank:page, but at first it was home search. I've run Spybot Search &
    Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
    haven't been able to clean this hijacker off my PC. Every time I re-boot it
    re-sets my home page and if I do searches it will popup another search page.

    I've had a browser hijacker before and never had this much trouble removing
    it. Normally, Spybot or CWShredder took care of it.

    I'm guessing I need to do this manually, but not sure on how to tackle this?
    Can anyone offer any help? I would be greatly appreciative.

    I'm running Win2000 Professional. I'm comfortable using the registry and
    the command shell. Not an expert, but I'm comfortable using both.

    Thanks in advance for any help.
    -D-
     
    -D-, Nov 11, 2004
    #1

  2. -D-

    -D- Guest

    Thanks for the information. The files were different due to a different
    version of the hijack, but the information in the thread helped me track
    down the files and wipe them out.

    This trojan was the worst one I've encountered. I really appreciate your
    help.

    Thank you,
    Dwayne


    "Mark Mandell" <> wrote in message
    news:D9Nkd.12032$...
    >
    > "-D-" <> wrote in message
    > news:...
    > > I've got a browser hijack trojan that is re-setting my home page
    > > currently to blank:page, but at first it was home search. I've run
    > > Spybot Search & Destroy, CWShredder, Hijack This, HSRemove and About
    > > Buster. I still haven't been able to clean this hijacker off my PC.
    > > Every time I re-boot it re-sets my home page and if I do searches it
    > > will popup another search page.
    > >
    > > I've had a browser hijacker before and never had this much trouble
    > > removing it. Normally, Spybot or CWShredder took care of it.
    > >
    > > I'm guessing I need to do this manually, but not sure on how to tackle
    > > this? Can anyone offer any help? I would be greatly appreciative.
    > >
    > > I'm running Win2000 Professional. I'm comfortable using the registry
    > > and the command shell. Not an expert, but I'm comfortable using both.
    > >
    > > Thanks in advance for any help.
    > > -D-
    >
    > Check out this site:
    > http://www.securiteam.com/securityreviews/5RP0L0UD5U.html
     
    -D-, Nov 11, 2004
    #2

  3. -D-

    -D- Guest

    Well, I thought I had it, but I was wrong. I ran HijackThis and this is the
    information in the log file:
    Logfile of HijackThis v1.98.2
    Scan saved at 2:23:04 PM, on 11/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\sysnc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\ipxy.exe
    C:\Documents and Settings\deppswork\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://C:\WINNT\uyfjd.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage",
    "http://home.netscape.com/"); (C:\Documents and
    Settings\Deppswork\Application
    Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine",
    "http://www.google.com/"); (C:\Documents and Settings\Deppswork\Application
    Data\Mozilla\Profiles\default\yvxd5ohm.slt\prefs.js)
    O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} -
    C:\WINNT\netbj32.dll
    O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe

    Any help on how to get rid of this would be appreciated. I've tried
    everything I can think of.
    -D-
     
    -D-, Nov 11, 2004
    #3
  5. "-D-" <> wrote in message
    news:...
    > I've got a browser hijack trojan that is re-setting my home page currently
    > to blank:page, but at first it was home search. I've run Spybot Search &
    > Destroy, CWShredder, Hijack This, HSRemove and About Buster. I still
    > haven't been able to clean this hijacker off my PC. Every time I re-boot
    > it
    > re-sets my home page and if I do searches it will popup another search
    > page.
    >
    > I've had a browser hijacker before and never had this much trouble
    > removing
    > it. Normally, Spybot or CWShredder took care of it.
    >
    > I'm guessing I need to do this manually, but not sure on how to tackle
    > this?
    > Can anyone offer any help? I would be greatly appreciative.
    >
    > I'm running Win2000 Professional. I'm comfortable using the registry and
    > the command shell. Not an expert, but I'm comfortable using both.
    >
    > Thanks in advance for any help.


    Did you try running HijackThis! and the other utilities in Safe Mode? I'd
    be shocked if doing so still didn't get rid of it.
     
    Patrick Michael, Nov 11, 2004
    #5
  6. -D-

    -D- Guest

    I ran the utilities from safe mode and it didn't make a difference either?
     
    -D-, Nov 11, 2004
    #6
  7. "-D-" <> wrote in message
    news:...
    >I ran the utilities from safe mode and it didn't make a difference either?
    >


    Wow, count me as shocked. :) I've never had a browser hijack/spyware
    that I wasn't able to get rid of between the combination of Ad-Aware,
    Spybot, and HijackThis! That must have been some particularly nasty
    malware.
     
    Patrick Michael, Nov 11, 2004
    #7
  8. -D-

    GWB Guest

    "Patrick Michael" <> wrote in message
    news:ipRkd.53375$_g6.38309@okepread03...
    >
    > "-D-" <> wrote in message
    > news:...
    >>I ran the utilities from safe mode and it didn't make a difference either?
    >>

    >
    > Wow, count me as shocked. :) I've never had a browser hijack/spyware
    > that I wasn't able to get rid of between the combination of Ad-Aware,
    > Spybot, and HijackThis! That must have been some particularly nasty
    > malware.


    I know this sounds stupid but I have had similar things in the past, and I
    found some installer programs in my Add/Remove software program that were
    installed without my knowledge, so I ran removal on the renegade programs
    and found all references in the registry and deleted them.
    Now I check Add/Remove on a regular basis.
     
    GWB, Nov 11, 2004
    #8
  9. "GWB" <> wrote in message
    news:QZSkd.87460$R05.13394@attbi_s53...
    >
    > "Patrick Michael" <> wrote in message
    > news:ipRkd.53375$_g6.38309@okepread03...
    > >
    > > "-D-" <> wrote in message
    > > news:...
    > >> I ran the utilities from safe mode and it didn't make a difference
    > >> either?
    > >
    > > Wow, count me as shocked. :) I've never had a browser hijack/spyware
    > > that I wasn't able to get rid of between the combination of Ad-Aware,
    > > Spybot, and HijackThis! That must have been some particularly nasty
    > > malware.
    >
    > I know this sounds stupid but I have had similar things in the past, and I
    > found some installer programs in my Add/Remove software program that were
    > installed without my knowledge, so I ran removal on the renegade programs
    > and found all references in the registry and deleted them.
    > Now I check Add/Remove on a regular basis.
    >


    get the trial of Giant Antispy and the trial of Spysweeper...
    I worked on a Win98 PC with a similar trojan last week
    and eventually just reinstalled windows (not much stuff on the PC
    so it was the easier path)...

    I never did figure out what was enabling the trojan... it kept
    respawning under different names, it put all sorts of files in the
    windows system folder... I used every trick in the book and it still
    had a presence...I scanned the drive on another machine and found all sorts
    of junk... but it still came back... sifted the registry too... major
    PITA...

    good luck...

    --
    <B0N3H3@D>
    "I have no special talent. I am only passionately curious." Albert Einstein
     
    «bonehead;\), Nov 12, 2004
    #9
  10. -D-

    Dave Guest

    Remove -
    R3 Default URLSearchHook is missing
    that one is definitely bad
    suspect ones are
    C:\WINNT\system32\sysnc.exe
    C:\WINNT\ipxy.exe
    O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} -
    O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe

    These last four entries can be removed one at a time if the problem doesn't
    clear up by removing R3 Default URLSearchHook is missing. Do not remove if
    you recognise the process that is running.
     
    Dave, Nov 12, 2004
    #10
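A triage script for the HijackThis log posted in this thread, added here as an example (it is not any poster's code and not part of HijackThis). It groups the log's R/O entries by the file they point at and checks which autostart (O4) targets also appear under "Running processes", which gives a short list of files to examine by hand. The function names and the path regex are assumptions made for this example; the log text is an excerpt of the one posted above with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Excerpt of the log posted in this thread (wrapped lines rejoined, entries omitted).
LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\sysnc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ipxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\uyfjd.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\uyfjd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B5AE643E-99E3-0314-D6A4-8C5C1CBB4CDD} - C:\WINNT\netbj32.dll
O4 - HKLM\..\Run: [ipxy.exe] C:\WINNT\ipxy.exe
"""

# "R1 - ...": section code (R* = IE start/search values, O2 = BHO, O4 = autostart).
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A drive-letter path ending in .exe or .dll, also when wrapped in a res:// URL.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"/=\[\]]*?\.(?:exe|dll)\b", re.I)


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Map each referenced file to its section codes, entry count and running state."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}   # Windows paths are case-insensitive
    refs = defaultdict(list)
    for code, body in entries:
        for path in PATH_RE.findall(body):
            refs[path.lower()].append(code)
    return {
        path: {"sections": sorted(set(codes)), "entries": len(codes),
               "running": path in running}
        for path, codes in refs.items()
    }


def autostart_and_running(report):
    """Files started from a Run key (O4) that are also live processes."""
    return sorted(p for p, r in report.items() if "O4" in r["sections"] and r["running"])


if __name__ == "__main__":
    for path, info in triage(LOG).items():
        print(path, info)
    print("autostart and running:", autostart_and_running(triage(LOG)))
```

On this excerpt the same DLL sits behind several search values in both HKCU and HKLM, and the O4 target is a running process; entries without a file path (such as the R3 line) are not part of the grouping.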
  11. -D-

    spamcram Guest

    Run Hijack this. Then check the logs on the website.
     
    spamcram, Nov 19, 2004
    #11
  12. -D-

    Jonathan L Guest

    With Trojan Hunter, multiple files were flagged that had Adaware in
    the name. Like an Adaware toolbar. A reference to a registry key that
    was some kind of Adaware search. What gives? Is Adaware in the spyware
    biz too?

    Jonathan
     
    Jonathan L, Nov 25, 2004
    #12