Yet another browser hijacking

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mr Mc, Sep 8, 2004.

  1. Mr Mc

    Mr Mc Private E-2

    Hi, I've been following the threads and am now stuck and am hoping you can give me some advice.

    My browser has been hijacked and the home page is now "find-everythingdotcom". As well as adding various other pages to my favourites my dial-up ISP connections have been changed and their user IDs, passwords and the dial up numbers changed (while still retaining the same connection names).

    My laptop is an Acer Travelmate 2501LMi
    Intel Pentium 4 2.8GHz processor
    512MB DDR
    40GB hard drive
    DVD-RW combo
    Floppy disk drive
    15" TFT display
    56k V92 modem
    Wired LAN
    Wireless LAN 11g
    Microsoft Windows XP Professional SP2


    I'm not a technical computer user so I followed the tutorial "MajorGeeks Support Forums - READ ME FIRST Basic Spyware, Trojan And Virus Removal.htm" and did the following:

    1 - updated XP Pro with SP2
    2 - disabled system restore
    3 - checked for "network security service" which was not there
    4 - changed folder settings to display hidden files and extensions
    5 - ran Norton System Works 2004 version 7 for viruses and trojans
    6 - cleaned temp folders with Norton SW
    7 - ran Ad-Aware which quarantined 100 objects. Note I could not get the VX2 plug in to run
    8 - ran Spybot which identified and fixed 5 registry changes with the message "There's a security hole in IE allowing websites to execute code without asking you first" (These reappeared when I ran Spybot again???)
    9 - immunised my system with Spybot

    I then rebooted the machine but the "good ol'boys" were still there. I've now reached the level of my competence and have held back on using Hijack This until someone could give me some advice - gratefully received.

    Thanks you guys
     
  2. I.M.O.G.

    I.M.O.G. Private E-2

    Attach your saved hijackthis log to your post as a file. This will give us a lead on what is ailing your system. (Please do not post the log file as plain text in your post)
     
  3. Mr Mc

    Mr Mc Private E-2

    Attached HJThis log

    Thanks
     
  4. Mr Mc

    Mr Mc Private E-2

    Added attachment
     


  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    FYI, your Hijack This is out of date, please update it. Remove:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.html
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c9 -w
     
  6. Mr Mc

    Mr Mc Private E-2

    I installed the updated version of HJT, ran it and deleted the files you identified but the homepage and links are still there.

    I've read other threads about rebooting in safe mode and deleting certain files but I couldn't find these steps in the HJT tutorial and I didn't want to risk deleting the wrong stuff. Can you advise or do you need more info..?

    Thanks a million
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you fix those lines with all browser sessions closed? That is important to do anytime you use HijackThis. Also some items were missed. Add the below to the list of items to fix with HJT and fix them again:
    O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe

    Make sure you have enabled viewing of hidden files per the readme instructions.

    Then reboot in safe mode and use Windows Explorer to find and delete:
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\zhelp.exe

    If you have a problem deleting these, run Task Manager (CTRL-ALT-DEL) and look for them in the processes list and end them. Then try to delete them.

    I'm also concerned as to what this item is:
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

    Your HJT log looks incomplete. Is that the whole log? I think you need to go back to the Read Me First sticky thread and run the online scanners and McAfee Stinger. (Note run the online scans in normal boot mode).
     
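The triage the moderators did by eye above (flag IE start/search pages pointing at an unknown host, a BHO with no backing file, and a Run entry launching something named like a system binary from the wrong folder) can be written down as a small log parser. The script below is an added example, not HijackThis code and not from the thread; the sample lines are the entries quoted above plus two assumed-benign ones, and the host allowlist and the "unknown loader sitting in C:\WINDOWS" heuristic are assumptions tuned to this one log. The one fact it leans on is that the genuine explorer.exe on XP lives in C:\WINDOWS, not C:\WINDOWS\system32, so the [explorer] entry is an impostor regardless of its name.

```python
"""Triage of HijackThis log lines (added example, not from the forum or HJT)."""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: entries quoted in the thread plus two assumed-benign lines.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.html",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/",  # assumed benign
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c9 -w",
    r"O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe",
    r"O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",  # assumed benign
]

# Hosts an untouched IE default may point at (assumption; extend for your site).
ALLOWED_HOST_SUFFIXES = ("microsoft.com", "msn.com")
# Where the genuine copy of a name-squatted system binary lives on XP.
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}
WINDIR = r"c:\windows"

R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[([^\]]+)\] (.+)$")
EXE_AND_ARGS = re.compile(r"^(.+?\.exe)(?:\s+(.*))?$", re.IGNORECASE)


def host_allowed(url):
    host = urlparse(url).hostname
    return host is not None and any(
        host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def triage_line(line):
    """Return (verdict, reason) for one HJT line: 'fix', 'review' or 'ok'."""
    m = R_LINE.match(line)
    if m:
        if not host_allowed(m.group(4)):
            return "fix", "IE start/search setting points off the allowlist"
        return "ok", "IE setting on an allowlisted host"
    m = O2_LINE.match(line)
    if m:
        if m.group(3).strip() == "(no file)":
            return "fix", "BHO registered with no backing DLL"
        return "review", "BHO present; confirm the DLL is legitimate"
    m = O4_LINE.match(line)
    if m:
        cmd = EXE_AND_ARGS.match(m.group(3))
        if not cmd:
            return "review", "Run entry does not launch an .exe"
        path = ntpath.normcase(cmd.group(1))   # lower-case, backslashes
        name, folder = ntpath.basename(path), ntpath.dirname(path)
        if name in EXPECTED_DIR:
            if folder != EXPECTED_DIR[name]:
                return "fix", "system binary name launched from the wrong folder"
            return "ok", "system binary in its expected folder"
        if folder == WINDIR:
            # Heuristic (assumption): real software rarely drops its loader
            # straight into the Windows root; a human should look at it.
            return "review", "unknown loader sitting in the Windows root"
        return "ok", "Run entry outside the heuristics"
    return "review", "unparsed line"


def triage(lines):
    results = []
    for line in lines:
        verdict, reason = triage_line(line)
        results.append((verdict, reason, line))
    return results


def to_fix(lines):
    """Lines to tick in HJT (with every browser window closed first)."""
    return [line for verdict, _, line in triage(lines) if verdict == "fix"]


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {reason}: {line}")
```

On the sample log the four "fix" verdicts are exactly the R0/R1, O2 and [explorer] lines the staff listed; zhelp.exe and RUNXMLPL.exe come back as "review", since nothing structural separates them and the call on zhelp.exe in the thread came from experience, not from the log line alone.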
