MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.
Solved
Browser hijacked by web.yoursearchfinder.com (Please help)
Posted on 2004-04-15
I think my browser have been hijacked ... please help me - for every url I type it takes me to the site web.yoursearchfinder.com/.
Logfile of HijackThis v1.97.3
Scan saved at 11:33:26 AM, on 4/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\Ati2evxx
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\C
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\Hummingb
C:\WINNT\System32\Hummingb
C:\Program Files\NavNT\rtvscan.exe
C:\oracle\ora81\bin\omtsre
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\System32\WBEM\Win
C:\WINNT\System32\mspmspsv
C:\WINNT\MS\SMS\clicomp\ap
C:\WINNT\MS\SMS\CLICOMP\Re
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx
C:\Program Files\DELL\AccessDirect\da
C:\WINNT\System32\pctspk.e
C:\WINNT\System32\PRPCUI.e
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\progra~1\scansoft\paper
C:\PROGRA~1\TEXTBR~1.0\Bin
C:\WINNT\MS\SMS\CORE\BIN\L
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\blss\blss.exe
C:\WINNT\System32\rundll32
C:\WINNT\MS\SMS\CLICOMP\SW
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\500517577\My Documents\ie6setup.exe
C:\DOCUME~1\500517~1\LOCAL
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip3
C:\DOCUME~1\500517~1\LOCAL
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-0
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\da
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LogoffOnConnect] C:\Program Files\LogoffOnConnect.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paper
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\L
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDO
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypa
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanIns
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.gefinancialbenefits.com
O15 - Trusted Zone: *.mypenskesignon.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-0
O16 - DPF: {13197ACE-6851-45C3-A7FF-C
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4524F6B8-B807-11D5-B6C8-0
O16 - DPF: {9B935470-AD4A-11D5-B63E-0
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C
O16 - DPF: {CAFECAFE-0013-0001-0009-A
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
Logfile of HijackThis v1.97.3
Scan saved at 11:33:26 AM, on 4/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\Ati2evxx
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\C
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\Hummingb
C:\WINNT\System32\Hummingb
C:\Program Files\NavNT\rtvscan.exe
C:\oracle\ora81\bin\omtsre
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\System32\WBEM\Win
C:\WINNT\System32\mspmspsv
C:\WINNT\MS\SMS\clicomp\ap
C:\WINNT\MS\SMS\CLICOMP\Re
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx
C:\Program Files\DELL\AccessDirect\da
C:\WINNT\System32\pctspk.e
C:\WINNT\System32\PRPCUI.e
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\progra~1\scansoft\paper
C:\PROGRA~1\TEXTBR~1.0\Bin
C:\WINNT\MS\SMS\CORE\BIN\L
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\blss\blss.exe
C:\WINNT\System32\rundll32
C:\WINNT\MS\SMS\CLICOMP\SW
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\500517577\My Documents\ie6setup.exe
C:\DOCUME~1\500517~1\LOCAL
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip3
C:\DOCUME~1\500517~1\LOCAL
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-0
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\da
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LogoffOnConnect] C:\Program Files\LogoffOnConnect.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paper
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\L
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDO
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypa
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanIns
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.gefinancialbenefits.com
O15 - Trusted Zone: *.mypenskesignon.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-0
O16 - DPF: {13197ACE-6851-45C3-A7FF-C
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4524F6B8-B807-11D5-B6C8-0
O16 - DPF: {9B935470-AD4A-11D5-B63E-0
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C
O16 - DPF: {CAFECAFE-0013-0001-0009-A
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
4-
3
11 Comments
Adaware is at: http://www.lavasoftusa.com/software/adaware/
Spybot is at: http://www.safer-networking.org/
Both are freeware and one or both will cure your hijacking
Spybot is at: http://www.safer-networking.org/
Both are freeware and one or both will cure your hijacking
Active 2 days ago
Hi Subhadeep,
I agree with JConchie on both programs. But as you have those O10 lines in your logfile, watch out...
I suggest you to run this tool first: http://www.merijn.org/files/CWShredder.exe
you will probably see that after you fix the culprit your internet connection won't work anymore, use this tool to get back online:
http://members.shaw.ca/techcd/WinsockXPFix.exe
Greetings,
LucF
I agree with JConchie on both programs. But as you have those O10 lines in your logfile, watch out...
I suggest you to run this tool first: http://www.merijn.org/files/CWShredder.exe
you will probably see that after you fix the culprit your internet connection won't work anymore, use this tool to get back online:
http://members.shaw.ca/techcd/WinsockXPFix.exe
Greetings,
LucF
Active 2 days ago
>>and leave your browser intact.
JConchie, just for the fun of it, check the one and only serious question I've ever asked at EE :)
Adaware did couse my internet connection to drop like a hot potato :)
I do hope Subhadeep has more luck though.
LucF
JConchie, just for the fun of it, check the one and only serious question I've ever asked at EE :)
Adaware did couse my internet connection to drop like a hot potato :)
I do hope Subhadeep has more luck though.
LucF
Thanks,
I seemed it worked ran only Spybot - some entries could not be deleted as they were already loaded in memory - upon restarting and running it again it worked ... - Can I uninstall Spy bot now ?
-Subhadeep
I seemed it worked ran only Spybot - some entries could not be deleted as they were already loaded in memory - upon restarting and running it again it worked ... - Can I uninstall Spy bot now ?
-Subhadeep
I can only go by my own experience........have used bothe adaware and spybot extensively.... have never had issues.
Hopefully what crashed Luc was an earlier version
Hopefully what crashed Luc was an earlier version
this has not ended it seems.....
After this incident all kinds of pop ups while I browsed were just eating my head out. I installed ad aware. This helped but not totally .... now while looking I could find a program web rebates .com have been already installed in my PC spy bot hangs while removing and I am not able to remove it form the ad remove programs also ..... any suggestions ????
After this incident all kinds of pop ups while I browsed were just eating my head out. I installed ad aware. This helped but not totally .... now while looking I could find a program web rebates .com have been already installed in my PC spy bot hangs while removing and I am not able to remove it form the ad remove programs also ..... any suggestions ????
Featured Post
ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.
One of a set of tools we're offering as a way to say thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
This is a guide to the following problem (not exclusive but here) on Windows:
Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge.
Any admin who takes se…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data.
But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month9 days, 7 hours left to enroll
609 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.