Computing.Net > Forums > Security and Virus > Browser hijacking

Browser hijacking


Original Message
Name: Jme
Date: December 29, 2003 at 05:02:10 Pacific
Subject: Browser hijacking
OS: 98se
CPU/Ram: AMD K7 600Mhz / 128MB
Comment:

My browser has been hijacked.

I uninstalled my ZONE ALARM in an effort to pin down an unrelated problem. Before we got around to installing a new copy of ZA...our Internet Explorer browser was hijacked.

I have BOTH SpyBot and AdAware on my computer and run them regularly. (Just finished running them now...in fact.)

I think I know which items I need to check in my HIJACK THIS program...but I want to make sure.

In the HIJACK report below...I am going to check and fix R0, both R1 entries, all three O12 entries, and the O17 entry.

Can you tell me if I am doing the right thing? And also, does the rest of the report show any problems?


Logfile of HijackThis v1.97.7
Scan saved at 6:51:49 AM, on 12/29/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NEWLY INSTALLED PROGRAMS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ad1.zendmedia.com/ad-spy_hdc.php?id=start6
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .m1v: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

----


StartupList report, 12/29/03, 6:53:14 AM
StartupList version: 1.52
Started from : C:\NEWLY INSTALLED PROGRAMS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NEWLY INSTALLED PROGRAMS\HIJACKTHIS.EXE

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
EnsoniqMixer = starter.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

---------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

---------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

---------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

---------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

---------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

---------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

---------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 29/12/2003, 6:26:46)

[Rename]
NUL=c:\windows\cookies\anyuser@trafficmp[2].txt
NUL=c:\windows\cookies\anyuser@targetnet[1].txt
NUL=c:\windows\cookies\anyuser@bfast[1].txt
NUL=c:\windows\cookies\anyuser@z1.adserver[1].txt
NUL=c:\windows\cookies\anyuser@bluestreak[2].txt
NUL=c:\windows\cookies\anyuser@doubleclick[1].txt
NUL=c:\windows\cookies\anyuser@tribalfusion[1].txt
NUL=c:\windows\cookies\anyuser@hitbox[2].txt
NUL=c:\windows\cookies\anyuser@addynamix[1].txt
NUL=c:\windows\cookies\anyuser@hotlog[1].txt
NUL=c:\windows\cookies\anyuser@spylog[1].txt
NUL=c:\windows\cookies\anyuser@fastclick[2].txt
NUL=c:\windows\cookies\anyuser@w101.hitbox[1].txt
NUL=c:\windows\cookies\anyuser@atdmt[1].txt

---------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D3 H7 P330 T6
SET SBPCI=C:\SBPCI
ECHO OFF

---------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

---------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

---------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

---------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://support.gateway.com/support/profiler/PCPitStop.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\RAVONLINE.DLL
CODEBASE = http://www.rav.ro/scan/ravonline.cab

---------------------

Enumerating Winsock LSP files:

NameSpace #1: c:\windows\SYSTEM\rnr20.dll
Protocol #1: c:\windows\SYSTEM\mswsosp.dll
Protocol #2: c:\windows\SYSTEM\msafd.dll
Protocol #3: c:\windows\SYSTEM\msafd.dll
Protocol #4: c:\windows\SYSTEM\msafd.dll
Protocol #5: c:\windows\SYSTEM\rsvpsp.dll
Protocol #6: c:\windows\SYSTEM\rsvpsp.dll

---------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

---------------------
End of report, 11,119 bytes
Report generated in 0.092 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




Response Number 1
Name: JohnO
Date: December 29, 2003 at 05:08:22 Pacific
Subject: Browser hijacking

Most browser hijackers get into the computer through ActiveX, so ZA won't stop them. I suggest you d/l and run CWShredder, since CoolWebSearch seems to be pretty prevalent now. If it's something else, running this can't hurt.



Response Number 2
Name: Jme
Date: December 29, 2003 at 05:21:17 Pacific
Subject: Browser hijacking

Thanks, John, for your amazingly swift response.

Loading CWShredder right now.

Thanks for mentioning it, as I know for a FACT that I need to run this on my mother's computer.

Will let you know if I have any luck.



Response Number 3
Name: Jme
Date: December 29, 2003 at 06:54:05 Pacific
Subject: Browser hijacking

Ran the CWShredder and was initially under the impression that it didn't do anything for me. But, then, I went into the INTERNET OPTIONS tool on Internet Explorer...and for the first time in weeks, my HOME PAGE settings were NOT grayed out!!

Therefore, I was able to reset my home page. So, at least part of the CWShredder came in handy.

But, now I have a NEW question...

How do I delete Microsoft Java Virtual Machine in WINDOWS 98se? The site I get directed to from the CWShredder website covers XP only. Are the steps the same?



Response Number 4
Name: JohnO
Date: December 29, 2003 at 10:33:19 Pacific
Subject: Browser hijacking

I'm too long gone from 98SE. Didn't notice you had 98 when I first posted. Click on Win 98 in the site list to the left and post your question there. I assume you've looked through both sections of Add/Remove in control panel?



Response Number 5
Name: Jme
Date: December 29, 2003 at 11:24:29 Pacific
Subject: Browser hijacking

Yep... even though I was sure it wouldn't be that easy.

Thinking about installing the SUN MICROSYSTEMS JAVA machine, WITHOUT removing the MicroSoft JAVA machine,.....and checking to see if my system asks me to choose which program I want to run.

Then, hopefully......I can simply turn the MicroSoft controls OFF.

Thanks for your help, John.

And have a HAPPY NEW YEAR !!!




Response Number 6
Name: iceblue
Date: December 29, 2003 at 16:11:39 Pacific
Subject: Browser hijacking

all three O12 entries, and the O17 entry = these are OK. O17 looks like your service provider; O12s are almost always OK.

The patch mentioned below covers all Windows versions.
Another link for MSJava removal is http://9337387.home.icq.com/main5.html
The steps look pretty much the same just the OS differences.

It's always worthwhile repeating the CWShredder info on the ByteVerify exploit, and generally getting any security-related Windows Updates is a must-do.

QUOTE:
We strongly recommend you install the patch, available from this MS security bulletin.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

If you have Windows XP with Service Pack 1a, your system has no MS Java VM. Information on removing the MS Java VM completely and replacing it with the newer, safer Sun Java VM can be found here.
http://www.winnetmag.com/Article/ArticleID/38206/38206.html /
http://9337387.home.icq.com/main5.html

As a side note, some of the affiliates (Search-Meta has been verified) use another Java exploit to install their malware. It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-075.asp



Response Number 7
Name: Jme
Date: December 30, 2003 at 11:22:05 Pacific
Subject: Browser hijacking

Thanks....Iceblue

Just the information I needed.

Problem is....I can't download from the WINDOWS UPDATE site. Can't figure out why.

The site lets me select the downloads...and it goes through the WHOLE download process.

But, when the download WINDOW comes up...nothing happens.

Been that way for a LONG time (1-2 months).

I was hoping that cleaning up this crappy browser hijacker would make the problem disappear...but it didn't.

Oh, well....
Back to racking my brain....



Response Number 8
Name: iceblue
Date: December 30, 2003 at 12:41:33 Pacific
Subject: Browser hijacking

ok, better to go back to basics.

Ensure updates are current for both AdAware and Spybot. Make sure AdAware has the TWEAK > Cleaning engine section of 'Customize' checked for "Unload recognized processes during scanning", as well as "Let Windows remove files in use after reboot."

CWShredder has a new recent version. Make sure you click “Next” and don't just scan only. CWShredder.exe

After that repost a new HJT log; just the log - the startuplist is not needed yet.
We'll have another look.



Response Number 9
Name: iceblue
Date: December 30, 2003 at 13:03:17 Pacific
Subject: Browser hijacking

OK, have HJT fix this one as well (checked), in addition to the process in the previous post:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

iceblue


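The triage rules iceblue applies by hand in Response 6 and Response 9 (R0/R1 judged by the URL's host, O6 policy key to be fixed, O12 plugins and the ISP's O17 domain left alone, everything else checked manually), written out as an added example. This is not code from the thread or from HijackThis; the entry lines are copied from the first log above, while the expected start-page hosts and the ISP domain list are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Entry lines copied from the first HijackThis log posted above (R0, R1, O2, O6, O12, O17).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ad1.zendmedia.com/ad-spy_hdc.php?id=start6
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""

# Assumptions made for this example (not from the thread): the hosts the owner expects
# as start/default page, and the ISP domain that may legitimately appear in O17.
EXPECTED_PAGE_HOSTS = {"msn.com", "www.msn.com", "desktop.presario.net"}
KNOWN_ISP_DOMAINS = {"aoldsl.net"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
O17_DOMAIN_RE = re.compile(r"Domain\s*=\s*(\S+)")


def parse_entry(line):
    """Split one log line into (section, body); None for headers and process lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_entry(section, body, expected_hosts=EXPECTED_PAGE_HOSTS,
                 isp_domains=KNOWN_ISP_DOMAINS):
    """Return (verdict, reason); verdict is 'fix', 'ok' or 'review'."""
    if section in ("R0", "R1"):
        # Start page / default page / search settings: judge the URL's host, not the key name.
        m = URL_RE.search(body)
        if not m:
            return "ok", "no URL in the value (e.g. Window Title)"
        host = (urlsplit(m.group(0)).hostname or "").lower()
        if host in expected_hosts:
            return "ok", f"{host} is an expected page host"
        return "fix", f"IE page setting points at unexpected host {host}"
    if section == "O6":
        # A Policies\...\Internet Explorer\Control Panel key is what greys out the
        # Home Page box in Internet Options; a home user normally has no such policy.
        return "fix", "IE Control Panel policy present (locks Internet Options)"
    if section == "O12":
        return "ok", "Netscape-style plugin registration; almost always legitimate"
    if section == "O17":
        # O17 covers the TCP/IP domain / name-server settings; only the ISP's own
        # domain is expected there.
        m = O17_DOMAIN_RE.search(body)
        domain = (m.group(1) if m else "").lower()
        if domain in isp_domains:
            return "ok", f"{domain} is the known ISP domain"
        return "review", f"unexpected network domain setting {domain!r}"
    # O2/O3/O4/O9/O16 etc.: the file path and CLSID have to be checked by hand.
    return "review", "check the file path / CLSID manually"


def triage(log_text, **kw):
    """Triage every entry line of a log; returns one dict per entry, in log order."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        verdict, reason = triage_entry(section, body, **kw)
        results.append({"section": section, "verdict": verdict,
                        "reason": reason, "raw": line.strip()})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:6} {r['section']:4} {r['reason']}")
```

Run against the sample, the R0 line is the only page setting flagged (ad1.zendmedia.com is not an expected host), the O6 policy is flagged, and the O12/O17 lines come back as OK, matching the advice in the thread. The allowlists are the important part: an R0/R1 verdict is only as good as the list of hosts the owner actually expects, so that list has to be set per machine rather than reused.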

Response Number 10
Name: Jme
Date: December 31, 2003 at 11:22:21 Pacific
Subject: Browser hijacking

Thanks,....Iceblue.


I am using the FREE version of ADAWARE...and it won't let me select the options that you have described.

Also, ....I can't UPDATE the program. It keeps telling me that there are

"no updated components available"

....even though my reference file is

OR150 05.07.2003

SpyBot, on the other hand, simply HANGS when I click on the DOWNLOAD UPDATES button.

I give up....

Gonna try a FULL RESTORE....and if that doesn't work, then I'll do a complete re-format.



Response Number 11
Name: Jme
Date: December 31, 2003 at 13:41:42 Pacific
Subject: Browser hijacking

By the way....

Here is my latest HT report....

Logfile of HijackThis v1.97.7
Scan saved at 3:06:01 PM, on 12/31/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\NEWLY INSTALLED PROGRAMS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .m1v: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


As you can see....the line that Iceblue referred to ...

O6 HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

....is no longer present.

Everything else, .....looks legit.

Am I mistaken....?



Response Number 12
Name: iceblue
Date: December 31, 2003 at 16:44:34 Pacific
Subject: Browser hijacking

Looks are deceiving when Spybot and AdAware have been disabled. These may have to be uninstalled/re-installed and updated before using the scans. We are not done yet, bro!

Run these first:
XCleaner
A general cleanout tool.
IESPyad
IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known ad/spy servers and domains to the "Restricted Zone" of Internet Explorer.
Then, recent versions of:
Spybot
AdAware

If you can download these, update first, and then run and scan. Follow up with a new HJT log.


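What IE-SPYAD's IE-ADS.REG actually does, shown as an added example rather than IE-SPYAD's own file: Internet Explorer keeps per-host zone assignments under HKCU\...\Internet Settings\ZoneMap\Domains, and a host is pushed into the Restricted sites zone (zone 4) by writing a "*" DWORD of 4 under the key for that host. The generator below writes a REGEDIT4 file in that layout and reads it back to check it. The four hosts are a constructed sample taken from the start-page URL and cookie names in the logs above; the two-label domain split (example.com plus subdomain) is an assumption that does not cover suffixes like co.uk.

```python
import re

# Zone numbers used by Internet Explorer's ZoneMap: 4 is "Restricted sites".
ZONE_RESTRICTED = 4
# Per-user ZoneMap key; IE-SPYAD writes its entries here (HKCU, so per Windows user).
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")

# Constructed sample list for this example. The real IE-ADS.REG carries thousands of
# hosts; these four are taken from the start-page URL and cookie names in the logs above.
SAMPLE_HOSTS = ["ad1.zendmedia.com", "doubleclick.net", "w101.hitbox.com", "hitbox.com"]


def zone_key_path(host):
    r"""Registry key IE uses for a host under ZoneMap\Domains.

    A bare domain lives at Domains\<domain>; a host with a subdomain lives at
    Domains\<domain>\<subdomain>. Assumption: the registrable domain is the last
    two labels (example.com); multi-part public suffixes such as co.uk are not handled.
    """
    labels = host.strip().lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable host name: {host!r}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return f"{ZONEMAP_DOMAINS}\\{domain}" + (f"\\{sub}" if sub else "")


def restricted_zone_reg(hosts, zone=ZONE_RESTRICTED):
    """Build REGEDIT4 text that places every host in the given zone.

    The value name "*" applies to every URL scheme; using "http" instead would
    restrict only http:// URLs for that host. Duplicate hosts collapse to one key.
    """
    lines = ["REGEDIT4", ""]
    seen = set()
    for host in hosts:
        key = zone_key_path(host)
        if key in seen:
            continue
        seen.add(key)
        lines += [f"[{key}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines) + "\r\n"   # regedit expects CRLF line endings


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"\*"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap_reg(text):
    """Read a .reg produced above back into {key: zone}; used to verify the output."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            continue
        vm = _VALUE_RE.match(line)
        if vm and current:
            zones[current] = int(vm.group(1), 16)
    return zones


if __name__ == "__main__":
    print(restricted_zone_reg(SAMPLE_HOSTS))
```

Save the output as a .reg file and import it with regedit (the REGEDIT4 header is the format Windows 9x regedit reads; later versions accept it too). Because the keys are under HKEY_CURRENT_USER, the entries protect only the Windows user profile they were imported into, and because they are ordinary registry values, malware that can write to HKCU can also move a host back out of the Restricted zone.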

Response Number 13
Name: Jme
Date: January 1, 2004 at 18:42:51 Pacific
Subject: Browser hijacking

Thank you so much for all of your help.

Especially Iceblue.

I have uninstalled/reinstalled both SpyBot and AdAware, as you suggested...and run both programs. Also, I have loaded IE SpyAd.

Here is my latest HT report.

Logfile of HijackThis v1.97.7
Scan saved at 8:34:51 PM, on 1/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NEWLY INSTALLED PROGRAMS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net







