Jump to content


Hijacked Browser, Running Win Xp Svc. Pk 2

  • Please log in to reply
3 replies to this topic

#1 intlexp



  • New Member
  • Pip
  • 2 posts

Posted 24 July 2004 - 02:55 PM

My browser reverts to a porn site every 60 seconds. Ran hijack this and got the following log:
Logfile of HijackThis v1.97.7
Scan saved at 11:01:21 PM, on 7/22/2004
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ADVANCEPRO\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/...gx/GrooveAX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupd...7893.5481597222
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.side...00719/sb027.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A519CE62-BEFD-41DD-A41F-2500F36313CC}: NameServer =,

I have and ran Spybot and Adaware, current versions. I have Norton AV up to date. I downloaded MS Win XP Svc Pak 2 Beta. Nothing helps.

Any recommendations would be greatly appreciated - my kids are OFF the computer until we solve this. Thanks in advance,

#2 mmxx66


    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 24 July 2004 - 06:58 PM

Print out these instructions so you can read them while you clean your system.

Move Hijack This to its own folder.Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this

there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.

Now close all open windows AND browsers and check these items for HJT to fix:
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll

Please reboot into safe mode - How do I boot into "Safe" mode?

Delete these files:

C:\WINDOWS\Downloaded Program Files\SbCIe027.dll

You may need to show hidden files to delete them.How to show all hidden and system files

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet
content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode enable System Restore and post a fresh log in this thread to give you further recommendations.

#3 intlexp



  • New Member
  • Pip
  • 2 posts

Posted 26 July 2004 - 06:02 PM

Dear SWI Junkie;

I did everything you said and it seemed to work. but after a day the same sex site appeared on my browser, overriding another site. I ran Hijack This again, and the file you asked me to "fix" was not there.

Any other suggestions would be really appreciated.

#4 mmxx66


    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 26 July 2004 - 07:02 PM

Post a new log please

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!