#1
Browser Hijack Problem
Hi,
I've had a problem with one of my computers for quite a while now. The browser has been hijacked and it does not let me go anywhere now. I have run adaware, antivirus, and spyware. These programs find the hijack application and supposedly remove it. The program just reappears, however. I have tried to delete it manually, but, once again, it reappears. Does anyone have any advice or am I just SOL on this one and have to reformat?
#2
Re: Browser Hijack Problem
Perhaps try running the removal programs in safe mode if you haven't done so.
Also, have you tried CWShredder? If it's CoolWebSearch, this may help where others have failed.
#3
Re: Browser Hijack Problem
Sounds like a trojan I had a while back that kept recreating itself every time I deleted it.
Have a look at these two Symantec virus descriptions and see if it rings a bell. They have manual removal instructions down at the bottom. Poldo.b trojan Dasmin trojan
#4
Re: Browser Hijack Problem
What hijacker is it?
#5
Re: Browser Hijack Problem
#6
Re: Browser Hijack Problem
[ QUOTE ]
Get HijackThis! Use with caution.
[/ QUOTE ]
Yes, HijackThis is the shiz. And right after removing that piece of crap from your web browser, get a better browser! Opera or Mozilla Firefox.
#7
Re: Browser Hijack Problem
I ran it and I got a logfile but I'm not quite sure what I'm looking at as I'm a true fish in this regard. I know just enough to get me in trouble if you know what I mean. Logfile looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 2:03:18 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Jeremy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CD73065-FAAC-8523-D2E7-830A7A08F299} - C:\WINDOWS\System32\acwptxg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\snim.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [Spa] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Ooli] C:\Documents and Settings\Jeremy\Application Data\etel.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02a1d15a...p/RdxIE601.cab
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EE} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/xsext01....aInstaller.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mp...CX/FlashAX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\snim.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Does anyone know what this means? BTW, I really appreciate the help... and I just downloaded Firefox.
#8
Re: Browser Hijack Problem
What I tend to do is go through all the running processes and programs that are run at startup (entries with HKLM\..\Run). I'm looking for programs I don't recognise. Do a search for those on Google. If you find any that are bad, look for removal instructions.
A quick Google showed that l?ass.exe and snim.dll are nasties. Hope that helps.
#9
Re: Browser Hijack Problem
C:\WINDOWS\System32\l?ass.exe
That one looks suspicious, as it has a ? mark in the middle of the legit system module above it. Did you run the HijackThis program yet? What about Spybot or Adaware, which you can also download free? You might have to run them more than once to get it done. And like the other poster said, dump IE and get Firefox or another browser. Also note that if you just try to manually delete a hijacker module there is often another one in memory which immediately restores it, so you really need to run those programs.
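As an added example, not code from this thread or from HijackThis, here is a small Python script that applies the checks the last two posts describe by hand to log lines in the format above: Run entries that are a bare file name, names one typo away from a real system binary (svshost, lssas), a system binary name running from the wrong folder, and odd characters like the ? in l?ass.exe. The sample lines are constructed from names in the posted log, and the list of system binaries is an assumption.

```python
import re
# Windows system binaries that hijackers imitate with near-miss names (assumed list)
KNOWN = ("csrss.exe", "lsass.exe", "services.exe", "smss.exe", "spoolsv.exe", "svchost.exe")

# Constructed sample: process paths and O4 Run entries in the style of the posted log
SAMPLE = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\Sygate\SPF\smc.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""
O4_RE = re.compile(r"^O4 - .*?\[[^\]]*\] (?P<cmd>.+)$")

def osa_distance(a, b):  # edits needed to turn a into b, an adjacent swap counting as one
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def image_path(line):  # executable path from a process line or from an O4 Run command
    m = O4_RE.match(line)
    if not m:
        return line                            # a "Running processes" line is just a path
    cmd = m.group("cmd")
    if cmd.startswith('"'):                    # quoted path, maybe followed by switches
        return cmd[1:cmd.index('"', 1)]
    end = cmd.lower().find(".exe")             # unquoted: cut right after the executable
    return cmd[:end + 4] if end >= 0 else cmd.split(" ")[0]

def triage(line):  # reasons to look closer at this entry; an empty list means nothing odd
    path = image_path(line.strip())
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if not re.fullmatch(r"[a-z0-9_.~-]+", name):
        reasons.append("unusual character in file name")
    if "\\" not in path:
        reasons.append("bare file name, no directory given")
    for legit in KNOWN:
        if name == legit and "system32" not in path.lower():
            reasons.append(f"{legit} running outside System32")
        elif name != legit and osa_distance(name, legit) == 1:
            reasons.append(f"one typo away from {legit}")
    return reasons
```

Run triage() over each line of a saved log and read the flagged names in the order they appear; a clean entry returns an empty list.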