Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Browser hijacked by web.yoursearchfinder.com (Please help)

Posted on 2004-04-15
11
Medium Priority
?
4,798 Views
Last Modified: 2013-12-04
I think my browser have been hijacked ... please help me - for every url I type it takes me to the site web.yoursearchfinder.com/... I ran Hijackthis and the log log is as pasted below ...



Logfile of HijackThis v1.97.3
Scan saved at 11:33:26 AM, on 4/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Jconfig\jconfigdnt.exe
C:\Program Files\NavNT\rtvscan.exe
C:\oracle\ora81\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\blss\blss.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\500517577\My Documents\ie6setup.exe
C:\DOCUME~1\500517~1\LOCALS~1\Temp\IXP001.TMP\ie6wzd.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\500517~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://corp.setpac.ge.com/pac.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cin01.proxy.corporate.ge.com:80;https=cin01.proxy.corporate.ge.com:80;ftp=cin01.proxy.corporate.ge.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://corp.home.ge.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LogoffOnConnect] C:\Program Files\LogoffOnConnect.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\500517~1\LOCALS~1\Temp\IXP001.TMP\"
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.gefinancialbenefits.com
O15 - Trusted Zone: *.mypenskesignon.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4524F6B8-B807-11D5-B6C8-00805F77B630} (Signer Control) - https://www.ultimatix.net/certEXE/Signer.cab
O16 - DPF: {9B935470-AD4A-11D5-B63E-00C04FAEDB18} - http://corpt028.corporate.ge.com:3643/OA_HTML/oajinit.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://corpp034.corporate.ge.com:3243/jinitiator/oajinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corporate.ge.com

0
Comment
Question by:Subhadeep
  • 4
  • 4
  • 3
11 Comments
 
LVL 18

Accepted Solution

by:
JConchie earned 1000 total points
ID: 10834240
Download and run  Adaware and Spybot S&D
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10834284
Adaware is at: http://www.lavasoftusa.com/software/adaware/
Spybot is at: http://www.safer-networking.org/

Both are freeware and one or both will cure your hijacking
0
 
LVL 32

Expert Comment

by:LucF
ID: 10834366
Hi Subhadeep,

I agree with JConchie on both programs. But as you have those O10 lines in your logfile, watch out...
I suggest you to run this tool first: http://www.merijn.org/files/CWShredder.exe
you will probably see that after you fix the culprit your internet connection won't work anymore, use this tool to get back online:
http://members.shaw.ca/techcd/WinsockXPFix.exe

Greetings,

LucF
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 

Author Comment

by:Subhadeep
ID: 10834381
CWShredder did not work - could not find any registry entries... said all was clean
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10834383
Both adaware and spybot will remove the hijacker and leave your browser intact.
0
 
LVL 32

Expert Comment

by:LucF
ID: 10834416
>>and leave your browser intact.
JConchie, just for the fun of it, check the one and only serious question I've ever asked at EE :)
Adaware did couse my internet connection to drop like a hot potato :)

I do hope Subhadeep has more luck though.

LucF
0
 

Author Comment

by:Subhadeep
ID: 10834548
Thanks,
I seemed it worked ran only Spybot - some entries could not be deleted as they were already loaded in memory - upon restarting and running it again it worked ... - Can I uninstall Spy bot now ?

-Subhadeep
0
 
LVL 32

Expert Comment

by:LucF
ID: 10834576
Great to hear that, good work JConchie ;-)
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10834599
I can only go by my own experience........have used bothe adaware and spybot extensively.... have never had issues.
Hopefully what crashed Luc was an earlier version
0
 

Author Comment

by:Subhadeep
ID: 10855627
this has not ended it seems.....

After this incident all kinds of pop ups while I browsed were just eating my head out. I installed ad aware. This helped but not totally .... now while looking I could find a program web rebates .com have been already installed in my PC spy bot hangs while removing and I am not able to remove it form the ad remove programs also ..... any suggestions ????
0
 
LVL 32

Expert Comment

by:LucF
ID: 10857087
Please post another log.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Enter Foreign and Special Characters Enter characters you can't find on a keyboard using its ASCII code ... and learn how to make a handy reference for yourself using Excel ~ Use these codes in any Windows application! ... whether it is a Micr…
Suggested Courses
Course of the Month10 days, 12 hours left to enroll

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question