Browser Hijack Blaster

Discussion in 'SpywareBlaster & Other Forum' started by Nancie, Jan 9, 2004.

Thread Status:
Not open for further replies.
  1. Nancie

    Nancie Guest

    Download link does not work.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Yes, unfortunately that file is not available at present. Sorry for the inconvenience.

    However, Javacool's recommendation is to use SpywareGuard for browser hijack protection now because he's updated that to a level that's more advanced than the Browser Hijack Blaster.

    Have you already looked at SpywareGuard, or perhaps have some reason that you'd prefer to only use the original Browser HijackBlaster?
     
  3. TCat

    TCat Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    8
    Hi LowWaterMark,

    I heeded your advice and tried to access SpyWare Guard 2.2. Your link first takes me here:

    http://www.wilderssecurity.net/spywareguard.html

    I opted for Full Setup, which takes me here:
    http://www.spywareinfoforum.com/downloads/swguard/down.html

    Unfortunately, clicking on either Download takes me to a dead page!

    Any suggestions?

    Thanks,
    Tom
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Tom,

    Please try the majorgeeks mirror (BTN) as described in reply #7 here:

    http://www.wilderssecurity.com/showthread.php?t=18096;start=msg112381#msg112381

    Regards,

    Pieter
     
  5. TCat

    TCat Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    8
    Thanks Pieter - I went to the alternative site and got SpyWare Guard 2.2. I also see Browser Hijack Blaster 1.0. Can you please tell me the difference between these 2?

    Of late, I've been nagged by homepage hijacks, mainly of the ilk:

    nkvd.us

    and

    //find.info


    I've been using HijackThis which outputs a log of registry items. In most cases, I can find corresponding entries, but when I delete them, and end my IE session, they reappear at next start-up! I wish I could attach the log file but see no easy way to do so; so I'll paste it in at the bottom.

    Maybe there are 1 or 2 items I fail to delete which causes the persistence.

    I also get this one, for which I don't see any correspondence in the Log:

    about:blank

    Have you seen this one?

    Is it your impression that somehow Spyware Guard 2.2 or Browser Hijack Blaster may work better than Hijack This?

    Any suggestions are welcome.

    Thanks,
    Tom


    Recent Log follows here:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:47:26 AM, on 1/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINNT\system32\msrexe.exe
    C:\Downloads\Popup Killers\Another Popup Killer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Downloads\Hijack This\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1503/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1503/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINNT\madise.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [System Service] C:\WINNT\system32\msrexe.exe
    O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
    O4 - HKLM\..\Run: [aiepk] C:\Downloads\Popup Killers\Another Popup Killer.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://www.nkvd.us/1503/
    O13 - WWW Prefix: http://www.nkvd.us/1503/
    O13 - Home Prefix: http://www.nkvd.us/1503/
    O13 - Mosaic Prefix: http://www.nkvd.us/1503/
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.7573958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
    O19 - User stylesheet: C:\WINNT\system32\readme.txt
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi TCat,

    Everything BrowserHijackBlaster can do, SpywareGuard does better + it does more.

    For your hijack.
    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1503/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1503/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O1 - Hosts: 205.177.124.66 auto.search.msn.com

    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINNT\madise.dll

    O4 - HKLM\..\Run: [System Service] C:\WINNT\system32\msrexe.exe
    O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe

    O8 - Extra context menu item: Web Search - c:\winnt\ex.htm

    O13 - DefaultPrefix: http://www.nkvd.us/1503/
    O13 - WWW Prefix: http://www.nkvd.us/1503/
    O13 - Home Prefix: http://www.nkvd.us/1503/
    O13 - Mosaic Prefix: http://www.nkvd.us/1503/

    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
    O19 - User stylesheet: C:\WINNT\system32\readme.txt
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

    Then reboot into safe mode and delete:
    C:\WINNT\madise.dll
    C:\WINNT\system32\msrexe.exe
    C:\WINNT\winlogon.exe <= only the one in the WINNT directory, do NOT remove any other files with that name
    C:\WINNT\system32\readme.txt
    C:\WINNT\hh.htt

    About:blank is a Windows setting and it should show up when you are done with this.
    HijackThis is a troubleshooting tool. SpywareGuard is meant to warn you about spyware attacks, so a comparison is hard to make.

    Regards,

    Pieter
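
An added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over the log format posted above. It counts the hosts that R0/R1/O13 entries point to, reports O1 hosts-file overrides, and flags O4 Run entries where a core Windows process name runs from outside system32 (the pattern behind the C:\WINNT\winlogon.exe entry). The function names and the CORE_NAMES list are assumptions made for this example.

```python
import re
from collections import Counter
from ntpath import basename, dirname  # Windows path rules on any platform

# Sample input: a few lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1503/
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O13 - WWW Prefix: http://www.nkvd.us/1503/
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")      # e.g. "O4 - <body>"
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
RUN_EXE = re.compile(r"\]\s+\"?([A-Za-z]:\\[^\"]+?\.exe)", re.I)
# Assumption: core process names that normally exist only in system32.
CORE_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "smss.exe", "svchost.exe"}

def parse(log):
    """Return (section_code, body) per entry line; other lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Return (findings, host_counts) for a HijackThis log."""
    findings, hosts = [], Counter()
    for code, body in parse(log):
        if code in ("R0", "R1", "O13"):
            # Many IE settings pointing at one host is the hijack signature.
            m = URL_HOST.search(body)
            if m:
                hosts[m.group(1).lower()] += 1
        elif code == "O1":
            # Any O1 line is a hosts-file mapping that overrides DNS.
            findings.append(("hosts-override", body.split(": ", 1)[1]))
        elif code == "O4":
            m = RUN_EXE.search(body)
            if m:
                path = m.group(1)
                in_system32 = dirname(path).lower().endswith("\\system32")
                if basename(path).lower() in CORE_NAMES and not in_system32:
                    findings.append(("core-name-wrong-dir", path))
    return findings, hosts
```

A flagged entry is a prompt for review rather than a verdict: the checks only look at names and locations, not file contents.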
     