HELP - Browser Hijack (HJT log included)

Toggle sidebar Toggle sidebar
M

munga

Member
Dec 19, 2003
35
0
0
My wife's browser (IE 6.0 on Win98SE) has been hijacked. No matter what's in the browser address bar, she gets a page that looks like a customer service letter titled "Important Message: New Access Numbers" that asks her to key in the phone number from which she dials in (a battle for another day).

I burned CWShredder, Spybot S&D, AdAware, and HijackThis onto a CD and ran them all. I'm not savvy enough to screw with what HJT finds, so here I am, asking for advice. Please have a look at the log (below) and tell me what you think. Also, please suggest anything I can do to protect her machine better. (My first step along these lines is to get her behind a firewall by networking her to our cable modem). Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 12:10:29 PM, on 2/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\COMPUSERVE 2000\CSTRAY.EXE
C:\AMERICA ONLINE 4.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37964.7254398148
Click to expand...
 
theAnimal

theAnimal

Diamond Member
Mar 18, 2003
3,828
23
76
Make sure all your spyware tools are up to date.

Check the hosts file under Tools in Spybot. (Unless you've added to it there should only be localhost 127.0.0.1)
Also disable changes to the home page under Tools, IE Options in Spybot.

Use SpywareBlaster to prevent future spyware installation.

Turn off ActiveX except for trusted sites where you need it.
 
Schadenfroh

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
1st Run LSP-Fix
2nd Run CWS smartkiller removal tool
3rd Run CWShredder (make sure you have the latest version)

then run spybot and adaware, again, MAKE SURE EVERYTHING IS AT THE LATEST VERSION, THIS STUFF MUTATES FAST

oh yeh, and dont forget to make sure your security settings and privacy settings are on acceptable levels in IE and then manually set your homepage to google.com or something

for even more protection, try spyware guard, it functions much like zonealarm, cept for spybots, with an item in your tray, and will help in realtime spyware protection and protection against hijacking.
 
O

OZEE

Senior member
Feb 23, 2001
985
0
0
Maybe I'm missing something - but I don't see a hijack. Sounds like a variant of the QHOST virus to me. Check your hosts file and do a virus scan... preferably online at housecall.trendmicro.com since it may have messed up your norton.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom