Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.
Solved
Browser hijacked by web.yoursearchfinder.com (Please help)
Posted on 2004-04-15
I think my browser have been hijacked ... please help me - for every url I type it takes me to the site web.yoursearchfinder.com/.
Logfile of HijackThis v1.97.3
Scan saved at 11:33:26 AM, on 4/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\Ati2evxx
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\C
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\Hummingb
C:\WINNT\System32\Hummingb
C:\Program Files\NavNT\rtvscan.exe
C:\oracle\ora81\bin\omtsre
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\System32\WBEM\Win
C:\WINNT\System32\mspmspsv
C:\WINNT\MS\SMS\clicomp\ap
C:\WINNT\MS\SMS\CLICOMP\Re
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx
C:\Program Files\DELL\AccessDirect\da
C:\WINNT\System32\pctspk.e
C:\WINNT\System32\PRPCUI.e
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\progra~1\scansoft\paper
C:\PROGRA~1\TEXTBR~1.0\Bin
C:\WINNT\MS\SMS\CORE\BIN\L
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\blss\blss.exe
C:\WINNT\System32\rundll32
C:\WINNT\MS\SMS\CLICOMP\SW
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\500517577\My Documents\ie6setup.exe
C:\DOCUME~1\500517~1\LOCAL
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip3
C:\DOCUME~1\500517~1\LOCAL
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-0
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\da
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LogoffOnConnect] C:\Program Files\LogoffOnConnect.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paper
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\L
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDO
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypa
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanIns
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.gefinancialbenefits.com
O15 - Trusted Zone: *.mypenskesignon.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-0
O16 - DPF: {13197ACE-6851-45C3-A7FF-C
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4524F6B8-B807-11D5-B6C8-0
O16 - DPF: {9B935470-AD4A-11D5-B63E-0
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C
O16 - DPF: {CAFECAFE-0013-0001-0009-A
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
Logfile of HijackThis v1.97.3
Scan saved at 11:33:26 AM, on 4/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\Ati2evxx
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\C
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\Hummingb
C:\WINNT\System32\Hummingb
C:\Program Files\NavNT\rtvscan.exe
C:\oracle\ora81\bin\omtsre
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\System32\WBEM\Win
C:\WINNT\System32\mspmspsv
C:\WINNT\MS\SMS\clicomp\ap
C:\WINNT\MS\SMS\CLICOMP\Re
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx
C:\Program Files\DELL\AccessDirect\da
C:\WINNT\System32\pctspk.e
C:\WINNT\System32\PRPCUI.e
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\progra~1\scansoft\paper
C:\PROGRA~1\TEXTBR~1.0\Bin
C:\WINNT\MS\SMS\CORE\BIN\L
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\blss\blss.exe
C:\WINNT\System32\rundll32
C:\WINNT\MS\SMS\CLICOMP\SW
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\500517577\My Documents\ie6setup.exe
C:\DOCUME~1\500517~1\LOCAL
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip3
C:\DOCUME~1\500517~1\LOCAL
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-0
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\da
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LogoffOnConnect] C:\Program Files\LogoffOnConnect.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paper
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\L
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDO
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypa
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanIns
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.gefinancialbenefits.com
O15 - Trusted Zone: *.mypenskesignon.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-0
O16 - DPF: {13197ACE-6851-45C3-A7FF-C
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4524F6B8-B807-11D5-B6C8-0
O16 - DPF: {9B935470-AD4A-11D5-B63E-0
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C
O16 - DPF: {CAFECAFE-0013-0001-0009-A
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
-
4
4-
3
11 Comments
Adaware is at: http://www.lavasoftusa.com/software/adaware/
Spybot is at: http://www.safer-networking.org/
Both are freeware and one or both will cure your hijacking
Spybot is at: http://www.safer-networking.org/
Both are freeware and one or both will cure your hijacking
Active today
Hi Subhadeep,
I agree with JConchie on both programs. But as you have those O10 lines in your logfile, watch out...
I suggest you to run this tool first: http://www.merijn.org/files/CWShredder.exe
you will probably see that after you fix the culprit your internet connection won't work anymore, use this tool to get back online:
http://members.shaw.ca/techcd/WinsockXPFix.exe
Greetings,
LucF
I agree with JConchie on both programs. But as you have those O10 lines in your logfile, watch out...
I suggest you to run this tool first: http://www.merijn.org/files/CWShredder.exe
you will probably see that after you fix the culprit your internet connection won't work anymore, use this tool to get back online:
http://members.shaw.ca/techcd/WinsockXPFix.exe
Greetings,
LucF
Active today
>>and leave your browser intact.
JConchie, just for the fun of it, check the one and only serious question I've ever asked at EE :)
Adaware did couse my internet connection to drop like a hot potato :)
I do hope Subhadeep has more luck though.
LucF
JConchie, just for the fun of it, check the one and only serious question I've ever asked at EE :)
Adaware did couse my internet connection to drop like a hot potato :)
I do hope Subhadeep has more luck though.
LucF
Thanks,
I seemed it worked ran only Spybot - some entries could not be deleted as they were already loaded in memory - upon restarting and running it again it worked ... - Can I uninstall Spy bot now ?
-Subhadeep
I seemed it worked ran only Spybot - some entries could not be deleted as they were already loaded in memory - upon restarting and running it again it worked ... - Can I uninstall Spy bot now ?
-Subhadeep
I can only go by my own experience........have used bothe adaware and spybot extensively.... have never had issues.
Hopefully what crashed Luc was an earlier version
Hopefully what crashed Luc was an earlier version
this has not ended it seems.....
After this incident all kinds of pop ups while I browsed were just eating my head out. I installed ad aware. This helped but not totally .... now while looking I could find a program web rebates .com have been already installed in my PC spy bot hangs while removing and I am not able to remove it form the ad remove programs also ..... any suggestions ????
After this incident all kinds of pop ups while I browsed were just eating my head out. I installed ad aware. This helped but not totally .... now while looking I could find a program web rebates .com have been already installed in my PC spy bot hangs while removing and I am not able to remove it form the ad remove programs also ..... any suggestions ????
Featured Post
90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality.
That was m…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY.
How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…
Watch the video to know the simple way to remove or recover or reset lost or forgotten passwords of Outlook PST file. With Kernel Outlook Password Recovery tool such operation is very easy to perform. It is a freeware with limitation to use with 500…
Suggested Courses
Course of the Month8 days, 13 hours left to enroll
595 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.