Subhadeep
asked on
Browser hijacked by web.yoursearchfinder.com (Please help)
I think my browser has been hijacked... please help me. For every URL I type it takes me to the site web.yoursearchfinder.com/. I ran HijackThis and the log is as pasted below:
Logfile of HijackThis v1.97.3
Scan saved at 11:33:26 AM, on 4/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Jconfig\jconfigdnt.exe
C:\Program Files\NavNT\rtvscan.exe
C:\oracle\ora81\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\blss\blss.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\500517577\My Documents\ie6setup.exe
C:\DOCUME~1\500517~1\LOCALS~1\Temp\IXP001.TMP\ie6wzd.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\500517~1\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://corp.setpac.ge.com/pac.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cin01.proxy.corporate.ge.com:80;https=cin01.proxy.corporate.ge.com:80;ftp=cin01.proxy.corporate.ge.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://corp.home.ge.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LogoffOnConnect] C:\Program Files\LogoffOnConnect.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\Netmanag.97\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [PMA] C:\Netmanag.97\PMALOAD.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\500517~1\LOCALS~1\Temp\IXP001.TMP\"
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.ge.com
O15 - Trusted Zone: *.gefinancialbenefits.com
O15 - Trusted Zone: *.mypenskesignon.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4524F6B8-B807-11D5-B6C8-00805F77B630} (Signer Control) - https://www.ultimatix.net/certEXE/Signer.cab
O16 - DPF: {9B935470-AD4A-11D5-B63E-00C04FAEDB18} - http://corpt028.corporate.ge.com:3643/OA_HTML/oajinit.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://corpp034.corporate.ge.com:3243/jinitiator/oajinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corporate.ge.com
Hi Subhadeep,
I agree with JConchie on both programs. But as you have those O10 lines in your logfile, watch out...
I suggest you run this tool first: http://www.merijn.org/files/CWShredder.exe
You will probably see that after you fix the culprit your internet connection won't work anymore; use this tool to get back online:
http://members.shaw.ca/techcd/WinsockXPFix.exe
Greetings,
LucF
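Since the posted log is long and the lines that matter are easy to miss, here is an added Python triage script (my own example, not code from this thread or from the HijackThis project) that parses the "Xn - body" entry lines and flags what LucF is pointing at: the O10 Winsock LSP entries that can take the connection down when removed, plus the orphaned R3 hook, the O2 BHO sitting in Downloaded Program Files, and O16 DPF downloads from hosts outside an allowlist. It also notices that the bridge.dll BHO shares its CLSID with the flingstone.com DPF entry, which tells you where that BHO came from. The sample lines are copied from the log above; the allowlist, the finding names and the function names are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a few lines in the HijackThis v1.97 log format, copied
# from the log posted in the thread. Only entry lines matter here; the header
# and the "Running processes" block are skipped by the parser.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
"""

# "R0 - ...", "O16 - ...": a section tag, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_log(text):
    """Return one dict per entry line: section, body and any CLSIDs it mentions."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            body = m.group("body")
            entries.append({
                "section": m.group("section"),
                "body": body,
                "clsids": [c.upper() for c in CLSID_RE.findall(body)],
            })
    return entries


def dpf_host(body):
    """Host of the download URL at the end of an O16 DPF body, or None if absent."""
    url = body.rsplit(" - ", 1)[-1].strip()
    if not url.lower().startswith(("http://", "https://")):
        return None
    return urlparse(url).hostname


def triage(text, trusted_dpf_hosts=frozenset()):
    """Flag entries that deserve attention; returns a list of (kind, body) pairs."""
    entries = parse_log(text)
    # Index which sections mention each CLSID, so a BHO (O2) can be tied back to
    # the ActiveX package (O16 DPF) it was delivered in when both share a CLSID.
    sections_by_clsid = {}
    for e in entries:
        for c in e["clsids"]:
            sections_by_clsid.setdefault(c, set()).add(e["section"])

    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O10":
            # Winsock LSP entry: pulling it out carelessly breaks networking for
            # every program, which is why a Winsock repair is needed afterwards.
            findings.append(("winsock-lsp", body))
        elif sec == "R3" and "(no file)" in body:
            findings.append(("orphaned-urlsearchhook", body))
        elif sec == "O2":
            if "\\Downloaded Program Files\\" in body:
                # IE stores downloaded ActiveX controls in this directory.
                findings.append(("bho-from-activex-download", body))
            for c in e["clsids"]:
                if "O16" in sections_by_clsid.get(c, ()):
                    findings.append(("bho-installed-via-dpf", body))
        elif sec == "O16":
            host = dpf_host(body)
            if host is None or host.lower() not in trusted_dpf_hosts:
                findings.append(("dpf-untrusted-host", body))
    return findings


def summarize(findings):
    """Count findings per kind."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    # Hypothetical local allowlist; not a setting from the thread.
    trusted = frozenset({"download.macromedia.com"})
    for kind, body in triage(SAMPLE_LOG, trusted):
        print(f"{kind:28} {body}")
    print(dict(summarize(triage(SAMPLE_LOG, trusted))))
```

Run against the sample it reports two winsock-lsp entries, the orphaned R3 hook, the bridge.dll BHO twice (once for its location, once for its DPF origin) and the flingstone.com download, while the Macromedia control passes the allowlist. Pasting a full log into SAMPLE_LOG works the same way; header and process lines are ignored.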
ASKER
CWShredder did not work; it could not find any registry entries and said all was clean.
Both adaware and spybot will remove the hijacker and leave your browser intact.
>>and leave your browser intact.
JConchie, just for the fun of it, check the one and only serious question I've ever asked at EE :)
Adaware did cause my internet connection to drop like a hot potato :)
I do hope Subhadeep has more luck though.
LucF
ASKER
Thanks,
It seems it worked. I ran only Spybot; some entries could not be deleted as they were already loaded in memory, but upon restarting and running it again it worked... Can I uninstall Spybot now?
-Subhadeep
Great to hear that, good work JConchie ;-)
I can only go by my own experience... have used both Adaware and Spybot extensively... have never had issues.
Hopefully what crashed Luc was an earlier version
ASKER
this has not ended it seems.....
After this incident all kinds of pop-ups while I browsed were just eating my head out. I installed Ad-aware. This helped, but not totally... Now, while looking, I found that a program, web rebates.com, has already been installed on my PC. Spybot hangs while removing it and I am not able to remove it from Add/Remove Programs either... any suggestions????
Please post another log.
Spybot is at: http://www.safer-networking.org/
Both are freeware and one or both will cure your hijacking.