Hijacked Browser
Original Message
Name: Gramma
Date: February 15, 2004 at 14:32:36 Pacific
Subject: Hijacked Browser
OS: Win98
CPU/Ram: 192
Comment: I've had my browser hijacked & despite the removal of a BHO, some registry edits, deletion of *.tmp files and cookies, and cleaning up anything else that I could think of...the hijack persists. A couple of the registry edits took and have not been changed back but others keep getting reset. As a temporary measure, I have locked my browser home page but I would very much like to get rid of the problem. I do scans with Spybot and my AV on a daily basis.

Logfile of HijackThis v1.97.7
Scan saved at 11:50:34 AM, on 2/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PALTALK\PNETAWARE.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\G7PS\SHARED FILES\QCHEX\QCHEX.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: AnyTime Deluxe Edition 7.1.lnk = C:\Program Files\AnyTime Deluxe\Atw.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Check Messnger.lnk = C:\Program Files\Common Files\G7PS\Shared Files\Qchex\Qchex.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38023.7009722222
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7277D039-CE10-4ED8-A05F-7C25AD12D433} - http://www.qchex.com/cm/QchexCheckMessenger.cab
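A log like the one above is normally read by hand. As an added example (not part of the original post, and not HijackThis code), the Python script below parses HijackThis R0/R1, O2 and O4 entries, groups the Internet Explorer start/search values by the host they point at, and flags any Run entry whose command silently re-imports a .reg file, the autostart pattern that the rest of this thread identifies as the thing resetting the values. The sample input is a trimmed excerpt of Gramma's log; the allowlist parameter is an assumption of this script, not something HijackThis offers.

```python
"""Triage a HijackThis log for two browser-hijack indicators:
  * several IE start/search values all pointing at the same host, and
  * a Run/RunServices entry that silently re-imports a .reg file at boot
    (which is what keeps rewriting the values after every manual fix)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a trimmed excerpt of the log posted above, one entry per
# line as HijackThis writes it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
"""

# R0/R1 lines: "R1 - HKCU\<key>,<value name> = <data> (obfuscated)"
R_LINE = re.compile(r'^(R[01]) - (HKCU|HKLM)\\(.+?),([^=]+?) = ?(.*?)(?: \(obfuscated\))?$')
# O4 registry autostarts: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r'^O4 - (HKCU|HKLM)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$')
# regedit invoked with its silent-import switch (/s or -s)
SILENT_REGEDIT = re.compile(r'(?i)\bregedit(?:\.exe)?\s+(?:/s|-s)\b')


def triage(log_text, allowlist=frozenset()):
    """Return a list of findings (dicts) for the given HijackThis log text.
    `allowlist` (an assumption of this script) holds hosts you consider a
    legitimate home/search page, so they are not reported."""
    findings = []
    by_host = defaultdict(list)   # host -> ["HKCU\...\Main,Start Page", ...]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _kind, hive, key, name, data = m.groups()
            if data.startswith(("http://", "https://")):
                host = (urlparse(data).hostname or "").lower()
                by_host[host].append(f"{hive}\\{key},{name}")
            continue
        m = O4_LINE.match(line)
        if m:
            hive, subkey, name, command = m.groups()
            if SILENT_REGEDIT.search(command):
                findings.append({"kind": "startup-regedit", "hive": hive,
                                 "subkey": subkey, "name": name, "command": command})
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            findings.append({"kind": "bho-missing", "line": line})
    # One host referenced from two or more start/search values is the classic
    # hijack fingerprint; a normal home page usually sets only Start Page.
    for host, entries in by_host.items():
        if host and host not in allowlist and len(entries) >= 2:
            findings.append({"kind": "ie-redirect", "host": host, "entries": entries})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], {k: v for k, v in f.items() if k != "kind"})
```

Run on the sample it reports the missing-file BHO, the `[sys] regedit -s sys.reg` autostart, and the one host behind three start/search values. Deleting the R entries alone only treats the symptom; the O4 line is what re-applies them at every boot.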
Response Number 1
Name: mesich
Date: February 15, 2004 at 21:41:51 Pacific
Subject: Hijacked Browser
Reply: Hi Gramma, hello everyone,

Delete the following items using hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

After deleting those restart the computer and go to C:\Windows\System and delete the wucrtupd.exe file.

Best Regards, Mesich
Response Number 2
Name: Gramma
Date: February 15, 2004 at 21:45:29 Pacific
Subject: Hijacked Browser
Reply: Thank you! I've tried to fix the R1's & R0 but never thought about the O4. That may be what is resetting them. I'll try it right now and get back to you.
Response Number 3
Name: mesich
Date: February 15, 2004 at 21:46:21 Pacific
Subject: Hijacked Browser
Reply: Hi Gramma, hello everyone,

Sorry, don't delete the file wucrtupd.exe. You can remove it from the registry with this entry:

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

From task list on wucrtupd.exe:

Windows Update Critical Update Notification. This will appear in your Task List if you did a Windows Update at some stage and installed the "Critical Update Notification" component. In some versions this process is scheduled to run every 5 minutes and you cannot change the schedule (under Windows 98 you can get round it with the "sucrtupd" technique, but not under other versions of Windows).

Recommendation: Do not walk, run to your "Add/Remove Programs" icon in the Control Panel and immediately de-install Microsoft Windows Critical Updates Notification. The consequences of some Microsoft Critical Updates have been such that the last thing you need is something to remind you, and therefore entice you to update your Windows environment with the very latest bug fix (which is what critical updates really are) from Microsoft. It is not just that some of those updates have been quite simply disastrous (remember May/June 2002?), it is also that too often for our liking, the full consequences of installing some of those updates are not always clearly spelt out by Microsoft. Yes, some of those updates are needed from a security point of view, but in 98% of cases if you either run a good firewall or your PC is configured securely, then you are protected anyway, so do not fix what doesn't need fixing. It is best that you simply do a Windows Update once every two or three months, say, and only at times when you do not require your PC urgently in the following 24 hours! Finally, quite aside from the above, WUCRTUPD is also sometimes responsible for illegal operations, 3-second mouse freezes, WULOADER error messages, and Invalid Page Faults in KERNEL32. Have we said enough?

Best Regards, Mesich
Response Number 4
Name: Gramma
Date: February 15, 2004 at 21:56:12 Pacific
Subject: Hijacked Browser
Reply: Ooops...too late. I uninstalled the notification & deleted the file. So far all is well...*crossing fingers* The hijack is still there. Here is the new log...minus the wucrtupd.exe entry.

Logfile of HijackThis v1.97.7
Scan saved at 1:05:20 AM, on 2/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PALTALK\PNETAWARE.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\G7PS\SHARED FILES\QCHEX\QCHEX.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: AnyTime Deluxe Edition 7.1.lnk = C:\Program Files\AnyTime Deluxe\Atw.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Check Messnger.lnk = C:\Program Files\Common Files\G7PS\Shared Files\Qchex\Qchex.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38023.7009722222
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {7277D039-CE10-4ED8-A05F-7C25AD12D433} - http://www.qchex.com/cm/QchexCheckMessenger.cab
Response Number 5
Name: mesich
Date: February 15, 2004 at 22:13:43 Pacific
Subject: Hijacked Browser
Reply: Hi Gramma, hello everyone,

Don't worry about the file, I will send you another one. Drop me an email and I'll get one to you.

Delete these items using hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://obrmtj.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://obrmtj.t.muxa.cc/h.php?aid=33 (obfuscated)
O4 - HKLM\..\Run: [sys] regedit -s sys.reg

I also noticed two new entries. Don't delete them.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s

Did you just install Start Page Guard? Did you lock your homepage?

Best Regards, Mesich
Response Number 6
Name: Gramma
Date: February 15, 2004 at 22:26:52 Pacific
Subject: Hijacked Browser
Reply: I already had SPG installed but it was open when I ran HJT...as was the Control Panel. I forgot to close them before running HJT. I use SPG to block the hijack from changing things. I'll post the new log in the morning. Thank you for the help! An email is on its way to you.
Response Number 8
Name: mesich
Date: February 16, 2004 at 05:45:38 Pacific
Subject: Hijacked Browser
Reply: Hi Gramma, hello everyone.

You are very welcome, glad to hear everything worked out. Thank you for posting back with the results. The problem was this one:

O4 - HKLM\..\Run: [sys] regedit -s sys.reg

Could you rename that file to .old and send it to me so I can take a look at it? My ISP will reject any email containing an attachment with a .reg extension. Also, are you running Win98 or Win98SE?

Best Regards, Mesich
Response Number 9
Name: Gramma
Date: February 16, 2004 at 18:16:27 Pacific
Subject: Hijacked Browser
Reply: It's been renamed & is on the way. I'm running SE. Thank you again!
Response Number 10
Name: mesich
Date: February 16, 2004 at 23:14:37 Pacific
Subject: Hijacked Browser
Reply: Hi Gramma, hello everyone.

Thanks for the file. I found the sys.reg file running at StartUp changes the following keys in the registry.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"
"Search Bar"
"Search Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"
"HOMEOldSP"
"Search Bar"
"Search Page"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

Thanks again for the file. I'll get the wucrtupd.exe off to you first thing this morning. 2:14 a.m. here now. :-)

Best Regards, Mesich
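Mesich's reply above lists the keys the sys.reg file touches, including the Run value that re-imports the same file at every boot. As an added example (not the actual file from the thread, and not part of the original post), here is a Python parser for the REGEDIT4 .reg format together with a small audit that reports which Internet Explorer start/search values and which autostart entries a silent import of the file would write, and singles out a Run value that re-imports a .reg file. The sample file is a constructed mock: the key and value names come from the reply, the data (placeholder URLs and a dword) are made up here, since the real values are not on the page.

```python
"""Parse a REGEDIT4-style .reg file and report which browser settings and
autostart entries a silent `regedit -s` import of it would write."""
import re

# Constructed mock of a sys.reg-style file: the key and value names are the
# ones listed in the reply above; the data is placeholder only.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://PLACEHOLDER.invalid/h.php"
"Search Bar"="http://PLACEHOLDER.invalid/s.php"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://PLACEHOLDER.invalid/s.php"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
'''

SECTION = re.compile(r'^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]+)?)\]$')   # [-HKEY...] deletes the key
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')              # "name"=data or @=data
SILENT_REGEDIT = re.compile(r'(?i)\bregedit(?:\.exe)?\s+(?:/s|-s)\b')

IE_SETTING_KEYS = (r'\software\microsoft\internet explorer\main',
                   r'\software\microsoft\internet explorer\search')
AUTOSTART_KEYS = (r'\windows\currentversion\run',
                  r'\windows\currentversion\runonce',
                  r'\windows\currentversion\runservices')


def _unquote(token):
    """Strip the surrounding quotes and undo .reg backslash escaping (\\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', token[1:-1])


def parse_reg(text):
    """Return (keys, deleted_keys). keys maps a key path to {value name: (kind, data)},
    kind being 'string', 'dword', 'delete' or 'other'; '' names the default (@) value."""
    keys, deleted, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(';')
                or line.upper().startswith(('REGEDIT4', 'WINDOWS REGISTRY EDITOR'))):
            continue
        m = SECTION.match(line)
        if m:
            minus, path = m.groups()
            if minus:
                deleted.append(path)
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name_token, data = m.groups()
            name = '' if name_token == '@' else _unquote(name_token)
            if data == '-':
                current[name] = ('delete', None)
            elif data.startswith('"') and data.endswith('"'):
                current[name] = ('string', _unquote(data))
            elif data.lower().startswith('dword:'):
                current[name] = ('dword', int(data[6:], 16))
            else:
                current[name] = ('other', data)   # hex:, expanded strings, etc.
    return keys, deleted


def audit(keys):
    """Classify each value the file would write: IE start/search settings,
    plain autostarts, and an autostart that silently re-imports a .reg file."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        for name, (kind, data) in values.items():
            if low.endswith(IE_SETTING_KEYS):
                category = 'browser-setting'
            elif low.endswith(AUTOSTART_KEYS):
                category = ('autostart-reimport'
                            if kind == 'string' and SILENT_REGEDIT.search(data)
                            else 'autostart')
            else:
                continue
            findings.append({'category': category, 'key': path, 'value': name, 'data': data})
    return findings


if __name__ == '__main__':
    parsed, _removed = parse_reg(SAMPLE_REG)
    for f in audit(parsed):
        print(f"{f['category']:20} {f['key']} -> {f['value']!r} = {f['data']!r}")
```

The 'autostart-reimport' finding is the one that matters for cleanup: removing the R0/R1 values without removing that Run entry (and the file it points at) lets the same .reg overwrite them again at the next boot, which is exactly the "keeps getting reset" symptom at the top of this thread.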
Response Number 11
Name: jbigwater
Date: February 20, 2004 at 04:42:13 Pacific
Subject: Hijacked Browser
Reply: Great stuff - Hijackthis worked perfectly. Would recommend!!!! After three days of a vicious attack on my laptop I finally got it back, the last piece was the browser, which after changing registry info, removing BHO and other steps did not work. I found the above suggestions and they worked flawlessly. Thanks!!!!!!!!!!
Response Number 12
Name: mesich
Date: February 20, 2004 at 05:48:22 Pacific
Subject: Hijacked Browser
Reply: Hi jbigwater, hello everyone,

Glad to hear the information was useful. Thanks for posting the results.

Best Regards, Mesich