
Browser Hijacked again

1334 Views 7 Replies 4 Participants Last post by cybertech
OK, I'm a victim of my own greed here, so I probably deserve this. Ran across a "free MP3 download site" on the web and clicked on a file. When it asked me to uninstall the "downloader" I did. Of course there was no free MP3 and my browser reconfigured itself and delivers pop-up ads like it's the fourth of July.

Anyway, Here's the Hijack File.

Logfile of HijackThis v1.97.7
Scan saved at 2:33:50 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nord-Vision\DynDNS-Updater\ddusrv.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\docume~1\jwhall~1\locals~1\temp\msbb.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nord-Vision\DynDNS-Updater\ddutray.exe
C:\Program Files\DeskSweeper\DeskSweeper.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\System32\gbuacngi.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Bargain Buddy\bin2\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ZipGenius 5\zipgenius.exe
C:\DOCUME~1\JWHALL~1\LOCALS~1\Temp\ZGTemp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [msbb] c:\docume~1\jwhall~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [yvwr] C:\WINDOWS\yvwr.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
Add these to the list of objects to be fixed with HJT

O4 - HKLM\..\Run: [msbb] c:\dome~1\jwhall~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [yvwr] C:\WINDOWS\yvwr.exe


Restart your computer in Safe mode.

How to start your computer in Safe mode

Open Windows Explorer, then go to View > Folder Options. Click on the View tab and make sure Show all files is ticked and uncheck Hide file extensions for known file types. Click Like Current Folder then click Apply then OK

Using Windows Explorer, navigate to and delete the following file identified in bold type:

C:\WINDOWS\yvwr.exe

Empty your TEMP folder. Navigate to C:\Windows TEMP. Under Edit, choose Select All, then hit the Delete key.

Boot back to Normal Mode and post another HJT log.

Assuming this all gets you clean again, I strongly suggest you go through the following steps to protect yourself against your own "greed", as you say.

I advise the following preventive measures to help prevent reinfection. This is no guarantee, but it will definitely help.

I strongly recommend you have a firewall. There are a couple of good free ones available for downloading. ZoneAlarm Here, and Sygate Here.

Get Spybot S&D Here. Install and update it right away. Run a scan and remove anything identified in RED. Spybot has an Immunize feature which will stop a lot of nasties from being installed on your computer. To activate it, open Spybot and click the Immunize icon in the left pane. Now click the Immunize button in the right pane.

Next, download SpyWareBlaster Here. Install it and open the program. Click the Updates button and download the latest updates. While on the "Status" page, click the "Enable All Protection" link near the bottom of the window. This program will now be running in the background and adding to the protection provided by Spybot's Immunize feature for ActiveX nasties.

Next, download IE-SPYAD Here. Follow the installation instructions on the site. This little item will install a TON of URLs in IE's Restricted sites list, thereby preventing your computer from accessing known bad sites from which nasties can be installed.

Also, be very sure you have installed all the latest Critical Updates from the Windows Update site.

You may also want to take a look at This thread.
You have some nasties not listed in your original log post. I suspect you did not have your complete log posted the first time. However, please do the following.

Run a new HJT scan and put a check beside the following objects in the list.

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - Global Startup: file.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/aess2.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/new/bridge.cab


Close all application windows except HJT. Close all browser windows, including this one. Click the Fix Checked button.

Restart your computer in Safe mode.

How to start your computer in Safe mode

Open Windows Explorer, then go to View > Folder Options. Click on the View tab and make sure Show all files is ticked and uncheck Hide file extensions for known file types. Click Like Current Folder then click Apply then OK

Using Windows Explorer, navigate to and delete the following folder identified in bold type:

C:\WINDOWS\sysupd.exe

Boot back to Normal Mode and post another HJT log.
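As an added illustration (not part of the thread and not a HijackThis feature): a small Python triage script that parses O2/O4/O16 lines in the log format shown above and flags the patterns the helpers singled out in this thread, namely Run-key autoruns launched from the user's temp folder or sitting loose in C:\WINDOWS, and an O16 DPF download whose CLSID matches an installed BHO (bridge.dll above). The location rules are my own heuristics, the sample lines are copied from the thread's log, and only `HKLM\..\Run`-style O4 entries are handled.

```python
import re

# Constructed sample in HijackThis log format; the values are copied from the thread's log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\jwhall~1\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [yvwr] C:\WINDOWS\yvwr.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
"""

O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")   # Run-key entries only
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")

def suspicious_path(path):
    """Heuristic (my assumption, not an HJT rule): autoruns from a temp folder
    or loose in the C:\\WINDOWS root deserve a second look. Returns a reason or None."""
    p = path.lower()
    if "\\temp\\" in p or "\\locals~1\\" in p:
        return "runs from a temp folder"
    if re.match(r"^c:\\windows\\[^\\]+\.(exe|dll)$", p):
        return "loose file in C:\\WINDOWS root"
    return None

def triage(log_text):
    """Return a list of (log line, reason) findings for O2/O4/O16 entries."""
    findings, bho_by_clsid = [], {}
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    for line in lines:
        m = O2_RE.match(line)
        if m:                      # remember every BHO by CLSID for O16 correlation
            bho_by_clsid[m.group(1).upper()] = m.group(2)
            continue
        m = O4_RE.match(line)
        if m:
            reason = suspicious_path(m.group(3))
            if reason:
                findings.append((line, reason))
    for line in lines:             # DPF CLSID that is also a registered BHO
        m = O16_RE.match(line)
        if m and m.group(1).upper() in bho_by_clsid:
            findings.append((line, "DPF CLSID also registered as BHO: " + bho_by_clsid[m.group(1).upper()]))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}: {entry}")
```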