?
Solved

Attempted Browser Hijack..

Posted on 2004-08-16
5
Medium Priority
?
515 Views
Last Modified: 2013-12-04
I have Ewido running in the background when it alerted me of an attempted browser hijack...Thereafter I ran the Hijack This program and found a few entries that I believe to be questionable. Before I delete anything can I get an opinion on my log??
[YES - I have the latest HJ This:) ] The questionable entries are:

**O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

**O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll

**R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =



****HERE IS THE ENTIRE LOG****

Logfile of HijackThis v1.98.2
Scan saved at 12:41:04 AM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Documents and Settings\All Users\Documents\Applications\Spyware-Computer Apps\Anti Virus & Trojan Cleaners\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\Applications\Spyware-Computer Apps\Spyware Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.foxnews.com/"); (C:\Documents and Settings\Carmen Vendinha\Application Data\Mozilla\Profiles\default\rq6ot42o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Carmen Vendinha\Application Data\Mozilla\Profiles\default\rq6ot42o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\DOCUME~1\APPLIC~1\SPYWAR~1\SPYWAR~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
0
Comment
Question by:alguerrero
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 32

Accepted Solution

by:
LucF earned 400 total points
ID: 11817975
Hi alguerrero,

The O9 line has to go right away.
The O12 line just tells your browser what to do when it finds a .hlq file on a page, looks doubtful to me, so I suggest you to get rid of it unless you know you use that file extension.
The R0 line is pretty safe, it just sais there is no local startpage, getting rid of this one won't make any difference.

Rest of your log looks clean to me.

Greetings,

LucF
0
 

Author Comment

by:alguerrero
ID: 11818076
LucF...
Thanks for the S-P-E-E-D-Y reply!! I will move ahead and delete the items that you verified!!!

Thanks again for verifying my log!!!!! I am sure you will continue your stay at this site for a while@@@ [ I read your bio--very informative!!]

Anyway, this web site and the folks who help with answers definitely ROCK!!!!

THANKS AGAIN!!!!
0
 
LVL 32

Expert Comment

by:LucF
ID: 11818133
You're very welcome :)

btw, the "attempted browser hijack" most likely comes from some page you visited on the internet, there are a lot of dodgy sites out there.

LucF
0
 

Author Comment

by:alguerrero
ID: 11818904
I am in the "know" of how one gets hijacked...but it was weird...reason being is that I was on a well respected news site. Just goes to show that nothing is sacred anymore@@@

Closed this question.
Over and out!!
0
 
LVL 32

Expert Comment

by:LucF
ID: 11822095
:)
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses
Course of the Month8 days, 9 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question