Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > My browser has been hijacked

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

My browser has been hijacked

Reply to Message Icon

Name: Andre
Date: October 7, 2003 at 17:51:38 Pacific
OS: Windows 98
CPU/Ram: Intel 2/ ?
Comment:

It turns itself to revolto.da.ru even after using spy and adware, and even Startup Pageblock. Here is my HI Jack Log. I would apreciate some help?

Logfile of HijackThis v1.97.2
Scan saved at 7:42:28 PM, on 10/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\QUALCOMM\EUDORA MAIL\EUDORA.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://revolto.da.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://revolto.da.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
O1 - Hosts: 66.250.171.136 sitefinder.verisign.com
O1 - Hosts: 66.250.171.136 sitefinder-idn.verisign.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://dell.excite.com/
O16 - DPF: {E89366AF-2E44-11D1-91AE-006097D602F7} (FileAccess Control) - http://fd5.visto.com/static/activex/vfile07.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/isabella.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rh.psu.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = rh.psu.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.118.25.3,130.203.1.4,128.118.58.11




Sponsored Link
Ads by Google

Response Number 1
Name: Tom41
Date: October 7, 2003 at 18:30:06 Pacific
Reply:

Run HT again and check the following items. Next, close all browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://revolto.da.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://revolto.da.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
O1 - Hosts: 66.250.171.136 sitefinder.verisign.com
O1 - Hosts: 66.250.171.136 sitefinder-idn.verisign.com
O4 - HKLM\..\Run: [sys] regedit /s sys.reg

After restarting delete the following file:
sys.reg



0
Reply to Message Icon

Related Posts

See More



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: My browser has been hijacked
Think my browser has been hijacked. www.computing.net/answers/security/think-my-browser-has-been-hijacked/24935.html

My browser has been hijacked... www.computing.net/answers/security/my-browser-has-been-hijacked/20803.html

My background has been hijacked! www.computing.net/answers/security/my-background-has-been-hijacked/23170.html