Jump to content


Photo

Question about res:// hijacking


  • Please log in to reply
4 replies to this topic

#1 animaldr

animaldr

    Member

  • New Member
  • Pip
  • 3 posts

Posted 27 June 2004 - 10:11 PM

My browser was hijacked and kept returning to the following homepage:

res://yrzitdll/index.html#37049

After researching this site, I did the following:

Under internet options>advanced - I unchecked the 'enable third party browser extensions'

Restarted computer in Safe Mode

Ran AdAware (v6.0 Build 6.181; reference 01R325 27.6.2004)

Deleted everything it came up with

Ran HijackThis. Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 6:22:17 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Elizabeth\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrzit.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrzit.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yrzit.dll/sp.html#37049
O2 - BHO: (no name) - {AA258D02-7EAF-CF17-74F9-F542353A0DA6} - C:\WINDOWS\system32\addlt32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [addrw32.exe] C:\WINDOWS\addrw32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs7.chat.sc5....v43/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8164.4362037037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


I checked and fixed the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrzit.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrzit.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yrzit.dll/sp.html#37049


I then rebooted the computer in Normal Mode. The problem seems to be fixed. I'm no longer sent to the res:// site and I'm no longer getting the "Only the Best" pop-ups.

However, I am getting an Error message and IE shuts down whenever I try to use the drop-down arrow on the Address bar (to look at my previously visited sites).

When I deleted the files in the HijackThis log, did I delete someting vital to IE??

Is there anything else I need to do?

Thanks!!

#2 animaldr

animaldr

    Member

  • New Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 02:39 PM

Bumped for more traffic (hopefully). Thank you verah much.

#3 animaldr

animaldr

    Member

  • New Member
  • Pip
  • 3 posts

Posted 29 June 2004 - 08:29 AM

Bump

#4 spydr1

spydr1

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 June 2004 - 07:39 PM

I had the same infection and tried the above and I have been clean for a couple of hours now.

I had tried AdAware and Spybot along with HiJackThis but it kept returning until I followed exactly what animaldr suggested from unchecking enable third party browser extensions to running AdAware in safe mode. I ran HiJackThis as well and Spybot S&D in safe mode, then booted back into Normal mode.

Then I made a donation to this site, read up on Preventing Browser Hijacking in Spyware Info and took his advice about changing IE settings, downloading Spyware Blaster and Browser Hijack Blaster. The next step is Opera or Mozilla. I'll take a look and those and if they are decent one of them is my new browser.

Holding my breath, but OK currently.

#5 spydr1

spydr1

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 June 2004 - 07:41 PM

Forgot to add one thing. So far the only thing I see different from when IE was normal is more prompting and the loss of the google tool bar from my Yahoo Home Page. If that's all I'm happy. Still holding my breath, though.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button