browser hijacked by

Thread: browser hijacked by

  1. #1
    Junior Member
    Join Date
    May 2004

    browser hijacked by

    My browser was hijacked on the 18th of May. Whenever I open Internet Explorer becomes the home page and it redirects to some xxx site. I tried deleting unknown entries from the registry, deleted all cookies, refreshed everything, but in vain; it comes back within seconds.
    Can anyone help me there?

  2. #2
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Alright, first of all get Adaware, Spybot and HijackThis.
    Post your HijackThis log here.
    Best of luck

  3. #3
    Junior Member
    Join Date
    May 2004

    hijacked by

    Logfile of HijackThis v1.97.7
    Scan saved at 2:53:00 PM, on 21/05/04
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
    C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    C:\windows\program files\WZQKPICK.EXE
    C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe
    C:\Program Files\SAP\FrontEnd\SAPgui\sapfewgsrv.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Satyam Infoway Limited
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = (obfuscated)
    O1 - Hosts: PRD PRD
    O1 - Hosts: NAVNT NAVNT
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
    O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
    O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
    O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe
    O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\windows\program files\WZQKPICK.EXE
    O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O19 - User stylesheet: C:\WINNT\color.css
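
An added example, not part of any post in this thread: one way to read the R-section of a HijackThis log like the one above is to percent-decode the values tagged "(obfuscated)" and group the Internet Explorer registry values by the host they point at. The function names and the `SAMPLE` excerpt (a few lines copied from the log in post #3) are choices made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample: a few lines copied from the log in post #3.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = (obfuscated)
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O19 - User stylesheet: C:\WINNT\color.css
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")  # e.g. "R1 - ...", "O16 - ..."
MARK = "(obfuscated)"  # tag HijackThis appends to percent-encoded values


def parse_entries(log):
    """Return one dict per R*/O* line; headers and process paths are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.rstrip())
        if not m:
            continue
        code, body = m.groups()
        marked = body.endswith(MARK)
        if marked:
            body = body[: -len(MARK)].rstrip()
        # Only R lines are "registry key,value name = data"; O lines stay whole.
        key, _, value = body.partition(" =") if code[0] == "R" else ("", "", body)
        value = value.strip()
        entries.append({"code": code, "key": key, "value": value,
                        "obfuscated": marked, "decoded": unquote(value)})
    return entries


def redirect_hosts(entries):
    """Map each decoded hostname to the IE registry values that point at it."""
    hosts = defaultdict(list)
    for e in entries:
        if e["code"][0] == "R" and e["obfuscated"]:
            host = urlsplit(e["decoded"]).hostname  # None when the value is empty
            if host:
                hosts[host].append(e["key"])
    return dict(hosts)


if __name__ == "__main__":
    for host, keys in redirect_hosts(parse_entries(SAMPLE)).items():
        print(host, "<-", *keys, sep="\n  ")
```

Run against the full log, the same grouping shows every IE search setting that shares one redirect target, which is the set of values to review together.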

  4. #4
    I don't get why people already request others to post the Hijack logfile (despite how much I hate that program to be recommended...).

    Have them learn the program, understand it, and RTFM. Not only will they then understand (and know google better) how to work the program, but how to prevent future jacking attempts. Solving the problem without any reason why or how does no more good than pulling out the top leaves of a deeply seated weed. The weed's roots (problem exists of why and how he got it anyways) still exist and thus can happen again.

    Answers == quick solutions
    Teaching how you got those answers and helping them find the answers rather than give it == a rock solid foundation to learn further on, and thus gaining experience.

    Hijack This tutorials, FAQ's, and guides

  5. #5
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    pooh sun tzu's right, try and google for all the entries and see if you can come up with some's something I got from just browsing thru it:
    O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
    Take a look at the link here:
    You've also got some stuff you don't need; google everything and see if you can make do without them.

  6. #6
    AntiOnline n00b
    Join Date
    Feb 2004
    This one I could recognise easily because I removed it recently, and it might be one of the problems. On my computer there were dl.exe and dl.htm in the WinNT folder; the dl.exe pops up this dl.htm file after a few (3 to 4) minutes. Reboot to safe mode and delete "dl.exe". Everything else seems to be fine... or I am missing something.

    --Good Luck--

  7. #7
    Senior Member
    Join Date
    Feb 2004
    Ok please copy the contents of the quote box to notepad:



    hit save as
    give it the name clear.reg
    under the filename set file types to all files.
    save it to the desktop.

    After done double click the clear.reg
    when asked to merge say yes


    then find this file:
    its probably in one of two locations:
    and delete it.

    Secondly, you have a CWS infection. Please download the CWShredder from

    Next, please boot into safe mode and run it.

    Please download, update and run (one at a time of course!) Spybot and Adaware. They are both available from this link.

    After that, run your pc through an online virus scanner. Here are a few:

    After all that, either post your HijackThis log here and I will look through it again, or google the entries and fix the ones that don't belong.

    While for some infections RTFM is the correct approach, this poster has two VERY tricky infections to spot and treat. It could potentially take him forever to figure it out. Sometimes we just need to stop and give someone a helping hand!


  8. #8
    You just instructed him to delete Windows critical DLL's and registry keys..... if they are infected, they need to be fixed, not deleted.

  9. #9
    Senior Member
    Join Date
    Feb 2004
    I assure you that I didn't ask the poster to delete anything harmful on his pc. Here are some examples of this fix SUCCESSFULLY performed: