hijacked browser

Discussion in 'privacy problems' started by jim, Apr 27, 2003.

Thread Status:
Not open for further replies.
  1. jim

    jim Guest

    I hope someone can help me... it seems my browser has been hijacked. If I right-click on "address" I get a list of options, all are checked except "hyeebtssjus"; if I check that I get another bar with a bunch of junk on it. I have run Spybot Search and Destroy and SpywareBlaster with no luck... help...
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jim,

    Sounds like you found yourself a new variant of lop.com.

    Could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. jbright1

    jbright1 Registered Member

    Joined:
    Apr 27, 2003
    Posts:
    7
    Logfile of HijackThis v1.93.0
    Scan saved at 1:18:59 PM, on 4/27/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.zoomtown.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=www.zoomtown.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.microsoft.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
    O2 - BHO: (no name) - {8f1a15a7-92b0-4467-ad12-369f60174008} - C:\WINDOWS\APPLICATION DATA\DKBRTFVZ.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] systray.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
    O4 - HKLM\..\Run: [ZoomTownEXE] d:\autorun\autorun.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000a\cstray.exe
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1812cdb07d15fa142c21/netzip/RdxIE6.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi jbright1,

    Check the following items in HijackThis, close all IE, OE and explorer windows and click Fix checked:

    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
    O2 - BHO: (no name) - {8f1a15a7-92b0-4467-ad12-369f60174008} - C:\WINDOWS\APPLICATION DATA\DKBRTFVZ.DLL
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1812cdb07d15fa142c21/netzip/RdxIE6.cab

    The second one is the one causing your problem. Please send me a copy of C:\WINDOWS\APPLICATION DATA\DKBRTFVZ.DLL before fixing it.
    I'll make sure it gets submitted so it will be included in Spybot S&D's definitions.

    Regards,

    Pieter
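
An added example, not part of the original posts: a small Python triage pass over O2 (BHO) and O16 (downloaded ActiveX) lines from a HijackThis log. The three heuristics (missing file, DLL under a user-writable folder, download source given as a bare IP address) and the `USER_WRITABLE` list are assumptions made for this sketch, not the criteria Pieter states; hits are candidates for manual review.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {8f1a15a7-92b0-4467-ad12-369f60174008} - C:\WINDOWS\APPLICATION DATA\DKBRTFVZ.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1812cdb07d15fa142c21/netzip/RdxIE6.cab
"""

CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: " + CLSID + r" \((?P<name>.*?)\) - (?P<url>\S+)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

# Assumption: folders a normal user can write to, where a BHO DLL is unusual.
USER_WRITABLE = ("\\APPLICATION DATA\\", "\\TEMP\\")


def triage(log_text):
    """Return (clsid, reason) for each O2/O16 entry worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)":
                findings.append((m.group("clsid"), "BHO registered but file is missing"))
            elif any(d in path.upper() for d in USER_WRITABLE):
                findings.append((m.group("clsid"), "BHO DLL sits in a user-writable folder"))
            continue
        m = O16_RE.match(line)
        if m and IP_HOST_RE.match(m.group("url")):
            findings.append((m.group("clsid"), "ActiveX download source is a bare IP address"))
    return findings


if __name__ == "__main__":
    for clsid, reason in triage(SAMPLE_LOG):
        print(clsid, "-", reason)
```
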
     
  5. jbright1

    jbright1 Registered Member

    Joined:
    Apr 27, 2003
    Posts:
    7
    OK, I found the file that you want a copy of... do I send the file that was found or do I open it, and if so what do I open it with to send?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Do not double-click or try to open it. Please send it to the email address in my profile (pieter @ wilders.org).
    After that remove it.

    Thanx,

    Pieter
     
  7. jbright1

    jbright1 Registered Member

    Joined:
    Apr 27, 2003
    Posts:
    7
    OK... it is sent and fixed, thanks a lot.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    You're welcome. :)
    Thanx for mailing it. AdAware didn't recognize it either.
    Will be submitting it immediately.

    Regards,

    Pieter
     