Strange Browser Hijack - Need Some Help On This One :-D



posted on Jun, 18 2004 @ 12:15 AM
Normally I wouldn't ask for help for something like this, but I just can't seem to get rid of this browser hijack! I have tried Spybot, LavaSoft AdAware, Avast Virus Software, TrendMicro Virus Software, and many other Spyware/Adware/Virus detection software - none of them detect this thing! I know it is a file on my computer that causes my start page and search engine queries to be redirected to

I also think whatever the program is, it is sending out information over my network connection because I am seeing information being sent out when I am not even accessing the net. This is the first browser hijack I have had in a year! I don't know how I could have gotten it. This problem started about a day ago. I probably accidentally visited a website that took advantage of some IE flaw. I'm all up to date on Microshaft fixes though. :-/ It might be a new variant of some old browser hijack, I just don't know though.

Any help would be most appreciated!

posted on Jun, 18 2004 @ 09:35 AM
Download and run HijackThis. Then post the logfile for me or somebody else to look over....

posted on Jun, 23 2004 @ 10:17 AM
If Spybot doesn't catch it, there's a good chance that you have something more than a browser plugin. Probably a program installed to run as a service and hijack your search and home page no matter how many times you change it. The best thing to do is find out what services are running on your computer and find out what each one does.

Once you find the offending software, you should delete it and any reference to it in the registry. If you don't know where to start, follow dramelandmafia's advice in the previous post. People that make this crap should be severely punished for their crimes.

posted on Jun, 23 2004 @ 10:48 AM
I'm having the same problem and it also has hijacked my AIM, so here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 10:52:55 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\Program Files\Tweak-XP Pro\popup.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\instant messenger\aim95.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROSSCO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _[CFBFAE00-17A6-11D0-99CB-00C04FD64497] - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - [000020DD-C72E-4113-AF77-DD56626C6C42] - (no file)
O2 - BHO: MyWay Search Assistant BHO - [04079851-5845-4dea-848C-3ECD647AA554] - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - [0494D0D1-F8E0-41ad-92A3-14154ECE70AC] - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - [06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - [53707962-6F74-2D53-2644-206D7942484F] - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - [8C2CED55-06B6-485B-B057-00AAB42274B4] - C:\WINDOWS\System32\epnpala.dll
O3 - Toolbar: &Radio - [8E718888-423F-11D2-876E-00A0C9082467] - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - [0494D0D9-F8E0-41ad-92A3-14154ECE70AC] - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
O4 - HKLM\..\Run: [Cleanup] D:\Complete Cleanup Trial\compind.bat
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zuqnutfeo] C:\WINDOWS\System32\mzbxfp.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro\popup.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ROSSBU~1.ROS\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: [166B1BCA-3F9C-11CF-8075-444553540000] (Shockwave ActiveX Control) -
O16 - DPF: [70BA88C8-DAE8-4CE9-92BB-979C4A75F53B] (GSDACtl Class) -
O16 - DPF: [74D05D43-3236-11D4-BDCD-00C04F9A3B61] (HouseCall Control) -
O16 - DPF: [9A9307A0-7DA4-4DAF-B042-5009F29E09E1] (ActiveScan Installer Class) -
O16 - DPF: [B942A249-D1E7-4C11-98AE-FCB76B08747F] (RealArcadeRdxIE Class) -
O16 - DPF: [C75BE5CC-7F80-458C-8B66-FAB86E3B13C3] (FotkiUploader Control) -
O16 - DPF: [D27CDB6E-AE6D-11CF-96B8-444553540000] (Shockwave Flash Object) -
O16 - DPF: [F54C1137-5E34-4B95-95A5-BA56D4D8D743] (Secure Delivery) -

posted on Jun, 24 2004 @ 09:27 AM
Agent47, I just skimmed your log and will try to look at it more closely later. I did notice a couple of things:

- It doesn't look like all the files for your Symantec antivirus are loaded.
- I don't recognize two of the files that are loading and didn't get any hits on a web search.
That indicates you might, at least, be dealing with a worm like W32/Zafi-A aka Erkez.

Use Trend Micro's online housecall scanner and see if it finds anything.

And, if you feel adventurous, try locating those files, re-name them, and re-boot.
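
A first-pass triage of a HijackThis logfile like the one posted above, as an added example that is not part of any post in this thread. The sample lines are constructed placeholders in the same line format, and the review rules are assumptions chosen for illustration, not HijackThis's own logic; a match means "look closer", not "malicious".

```python
import re

# Constructed sample in the HijackThis line format seen in the posted log
# (section code, " - ", entry text). All names and paths are placeholders.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Example\app.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\page.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - [00000000-0000-0000-0000-000000000001] - (no file)
O2 - BHO: Example Helper - [00000000-0000-0000-0000-000000000002] - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\app.exe" /tray
O4 - HKLM\..\Run: [qwzxkvbn] C:\WINDOWS\System32\xkqzvw.exe
O4 - HKLM\..\RunOnce: [Tmp] "C:\DOCUME~1\USER~1\LOCALS~1\Temp\TMP0.EXE"
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Review heuristics chosen for this example (assumptions, not HijackThis's
# own logic): (sections, pattern on the entry text, reason to look closer).
RULES = [
    (("R0", "R1"), re.compile(r"= file://.*\\temp\\", re.I),
     "IE page setting points at a local file under Temp"),
    (("O2", "R3"), re.compile(r"\(no file\)\s*$"),
     "browser add-on is registered but its file is missing"),
    (("O4",), re.compile(r"\\temp\\", re.I),
     "autostart entry launches from a Temp directory"),
    (("O4",), re.compile(r"\\system32\\[^\\]+\.exe", re.I),
     "autostart binary sits directly in System32; confirm it is a known file"),
]

def parse(log):
    """Yield (section, entry) for every line in HijackThis entry format."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (section, reason, entry) for entries that match a rule."""
    findings = []
    for section, entry in parse(log):
        for sections, pattern, reason in RULES:
            if section in sections and pattern.search(entry):
                findings.append((section, reason, entry))
                break  # one reason per entry is enough for a review list
    return findings

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```
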
