Browser Hijack Cannot Be Fixed


8 replies to this topic

#1 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 16 July 2004 - 05:02 AM

I've got a browser hijack that can't seem to be fixed by Ad-aware or SpyBot or anything else that I've run. Ad-aware does find Possible Browser Hijacks every time the computer is restarted, but after fixing it, it keeps coming back. It seems to go from my default about:blank page to www.msn.com. Here is my log file of HijackThis.

Logfile of HijackThis v1.98.0
Scan saved at 3:02:09 AM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Dreamer\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 16 July 2004 - 03:17 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

Reboot after fixing.


Please post a follow-up HijackThis log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!

#3 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 16 July 2004 - 06:00 PM

Okay, here's an update. I deleted those 7 O18 protocol lines, then restarted. When I rescanned with HijackThis, they still showed as being there. I tried to re-fix, then restarted, and I get the same results. They are shown as being deleted because all 14 files landed in my backup directory. What shall I do now? Thank you for the replies and I appreciate all the help in advance. Here is a rescan of the log, no different than the one above.

Logfile of HijackThis v1.98.0
Scan saved at 3:55:22 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Dreamer\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
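
Added example, not part of the original posts and not HijackThis's own code: a small Python script that compares the scan taken before "Fix checked" with the rescan after reboot and lists which of the selected entries persisted, the situation reported in post #3. The sample log text is constructed from a few lines of the logs above, and the function names are illustrative.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g. "O18 - Protocol: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, body) entries; header and process lines are skipped."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2).strip()))
    return found

def compare_scans(before, after, selected):
    """Classify entries around one 'Fix checked' pass over the selected lines."""
    b, a, s = parse_entries(before), parse_entries(after), parse_entries(selected)
    return {
        "persisted": sorted(s & a),        # selected for fixing, still listed after reboot
        "removed": sorted((s & b) - a),    # selected and no longer listed
        "new": sorted(a - b),              # appeared between the two scans
        "unchanged": sorted((a & b) - s),  # never selected, present in both
    }

# Constructed sample: a few lines abridged from the two logs in this thread.
CLSID = "{219A97F3-D661-4766-B658-646A771AE49E}"
SELECTED = "\n".join(f"O18 - Protocol: {p} - {CLSID} - (no file)" for p in ("df2", "df3"))
BEFORE = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
""" + SELECTED
AFTER = BEFORE  # the rescan in post #3 listed the same entries

if __name__ == "__main__":
    for kind, items in compare_scans(BEFORE, AFTER, SELECTED).items():
        for section, body in items:
            print(f"{kind:10} {section:4} {body}")
```

An entry reported as "persisted" was either not removed or was written back before the rescan; the comparison alone cannot tell which.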

#4 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 17 July 2004 - 02:15 AM

Okay, so I manually went in to delete those registry keys, the O18 ones. Restarted computer, opened IE and still, it redirects my start page to www.msn.com. Ad-aware seems to find the possible browser hijack and fixes it no problem, but when I restart, it just comes back. I've used all the basic tools, Ad-aware, SpyBot, Spy Sweeper, X-Clean, SpywareBlaster, etc. and nothing works. Any suggestions at all? My HijackThis log is the same as the two posted above with the exception of the 7 O18 lines that were deleted. Which leads to another question. If the deletion of those lines wasn't a part of the problem, what did I just delete? I hope they weren't important registry lines. Thanks in advance.

#5 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 18 July 2004 - 05:00 PM

Anybody at all? So many people post threads every day that mine, within two days, was pushed back to page 15! Geez, I hope somebody stumbles on my post soon. :mellow:

#6 clingervsradar

clingervsradar

    Member

  • Full Member
  • 7 posts

Posted 18 July 2004 - 05:22 PM

Hang in there, champ. I've been fighting the thing for like 4 days now. Every time I think I get it, it comes back. I'm at the point that if I could find a Windows disk I'd just reformat, but I have no idea where it is, so I've got to just keep fighting this blasted thing.

#7 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 21 July 2004 - 04:26 AM

Sorry folks, gonna try bumping this one more time. I've never really had much problem with spyware or viruses on my computer. Always taken care of it fairly easily. But this time I can't seem to find the source of the problem. I'm still being redirected to MSN.com. I also read on this forum that some other people have the same exact problem. Hope somebody can help. Thanks.

#8 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 24 July 2004 - 05:03 PM

Sorry for the bumping of my post. I'm just frustrated is all. I'm close to formatting and starting from scratch. Thanks Dave38 for the reply. It seems to me that my logfile isn't showing anything suspicious. But every time I get rid of the registry key for the possible browser hijack, via Ad-aware, it duplicates itself and comes back every time. What do you do in this sort of situation? Logfile is clean, and all spyware programs don't help at all. My only option at this point would be to format. I will be patient for a few more days to see if someone can help with this problem.

Edited by dreamer512, 24 July 2004 - 05:19 PM.


#9 dreamer512

dreamer512

    Member

  • Full Member
  • 11 posts

Posted 29 July 2004 - 10:09 PM

Ugh, it's still going to msn.com!! Every time I get rid of the registry key via Ad-aware!! Help!! Don't want to format just yet..



