Browser hi-jacked by BHO?

tobyz

I have been hit by a real nuisance in clicking on URL
links. If the server is not found immediately, the URL
is reformatted to a search statement and opens a Lycos
search engine (which I never use otherwise).

If the URL segment can be decomposed into two or more
words, they become separate search terms. For instance,
trying to connect to www.linnsoft.com feeds to a Lycos
search for 'linn' and 'soft'. This is very frustrating
when you know the URL is valid and get sidetracked to the
search engine several consecutive times.

Some of my research earlier today (a ZD Net site, I
believe) suggested a malicious BHO ('browser helper
object'). I then downloaded BHODemon and disabled three
of the ten BHO's reported to be in my registry.

The problem with disabling BHO's is that if they support
a browser application (such as streaming real-time stock
quotes), the application will not work. I later restored
two of the three BHO's I had disabled. (Several of the
BHO's are associated with toolbars or search engines.
googletoolbar1.dll is an example.)

I have tried to duplicate my URL-diversion-to-search-
engine as I type this message. I could not duplicate it
at this time. Possibly the one remaining disabled BHO is
the culprit.

That BHO is something like 'opncst.dll' (OpenCast?). Does
anyone have experience with OpenCast?

The above BHO name is vague because I've just opened
BHODemon again and this time it sees only 7 BHO's, not
10. opncst.dll (?) is missing, as are two that are
supposed to be enabled. We'll see if I have any browser
applications that don't work.

Does anyone have experience with Browser hi-jacking? Am
I on the right track to correct it??
 
Shenan Stanley

Secure your system and keep it protected/updated by following these tips:

Popups and Home Page Hijacks come in several flavors. However, if
you use most of the items in the list I am about to give you, you will
lessen your popups, security holes and spam all with one list. Your
problem may be Messenger Popups (you should follow the firewall
advice and do a Google search on 'disable messenger service in
windows xp' to fix this) or web page popups (you should follow the
Google Toolbar advice section for these). You may have
spyware/adware infesting your machine; follow the appropriate
section for that, making sure you use at least THREE of the tools
I list to scan and clean your machine AFTER updating them.
Cleaning up spyware/adware/malware usually solves home page
hijackers as well.

Please notice that if you use AOL, you should at least upgrade to 9.0 or
greater before doing any of the fixes. I know you can get AOL 9.0 at almost
any convenience store, gas station, super market or other retail outlet in
the world, so this should not be a problem.


Turn on that firewall...
http://www.microsoft.com/WindowsXP/home/using/howto/homenet/icf.asp
(It has been reported that it now works with AOL 9.0+)


Make sure you have all the updates (critical) installed from:
http://windowsupdate.microsoft.com/
(Scan for updates, Review and Install)


Get rid of the spy/ad/mal-ware...
(Yes - using MORE than one of these.
I recommend at least the first three. Also,
UPDATE the definitions for them before using.)

Spybot Search and Destroy
http://www.safer-networking.net/

Lavasoft AdAware
http://www.lavasoft.de

CWSShredder
http://www.spywareinfo.com/~merijn/downloads.html

Hijack This!
http://mjc1.com/mirror/hjt/

I also like "The Cleaner" and "SpywareBlaster" and "SpywareGuard".
- http://www.moosoft.com/
- http://www.javacoolsoftware.com/

The first is a PAY product, but useable for 30 days - it has found and
eliminated problems in the past the others did not. The latter two are
prevention mechanisms. I like SpywareGuard for those with enough processor
to have something running like antivirus software - and it prevents browser
hijacking quite well.

An Assortment of Others:
http://www.merijn.org/downloads.html


After you clean up your PC somewhat of spy/ad/mal-ware, verify your antivirus
software is updated and run a full scan of your computer. If you have no
antivirus software - get one NOW! Grisoft AntiVirus:
http://www.grisoft.com/us/us_dwnl_free.php


Empty your Temporary Internet Files and shrink the size it stores to about
80 to 120MB (seems to be an optimal size for the normal user)

- Open ONE copy of Internet Explorer.
- Select TOOLS -> Internet Options.
- Under the General tab in the "Temporary Internet Files" section,
  do the following:
  - Click on "Delete Cookies" (click OK)
  - Click on "Settings" and change the
    "Amount of disk space to use:" to something between 80MB
    and 120MB. (Betting it is MUCH larger right now.)
  - Click OK.
  - Click on "Delete Files" and select to
    "Delete all offline contents" (the checkbox) and click
    OK. (If you had a LOT, this could take 2-10 minutes or
    more.)
- Once it is done, click OK, close Internet Explorer
- Re-open Internet Explorer.


Uninstall any software you do not use often/ever. (If you have something
installed but never use it, uninstall it.) If you go through Control
Panel -> Add/Remove Programs and see things you seldom if ever use, it is to
your advantage to remove it.


Also, if you are tired of Web Page Pop-Ups/Unders, you could try the
Google Toolbar.
http://toolbar.google.com/


Stop loading applications at logon: run MSCONFIG and look under the startup
tab for things you DON'T want to startup! Search the Internet with Google
to discover what things are safe to remove and what things may even be
malware infecting your computer.


Better control your email and lessen the amount of time you spend dealing
with SPAM:
SpamBayes
http://spambayes.sourceforge.net
or
Spamihilator.
http://www.spamihilator.com
 
H Leboeuf

CoolWebSearch - CWS http://www.spywareinfo.com/articles/cws/
More: Complete list by variant with up-to-date information.
http://www.spywareinfo.com/~merijn/cwschronicles.html
More: Removal tool: http://www.spywareinfo.com/~merijn/files/cwshredder.zip
--

Also run these utilities.
This may be caused by a third-party program (adware, spyware, parasite).
Get AdAware and SpyBot and run them both. Keep them up to date.
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

If all fails, as I cannot find any reference to 'opncst.dll', get HijackThis
and get help from the expert.

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.merijn.org/files/hijackthis.zip

If you get a 404 error or Access denied, try:
http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location:
http://www.spywareinfo.com/forums/

Sign in, then copy and paste both files in your message.

HijackThis Quick Start Help
http://www.tomcoyote.org/hjt/

The Tutorial if you want to know more about the results or the .log file.
http://www.merijn.org/htlogtutorial.html
_______________________________________
Source: Mike Burgess http://www.mvps.org/winhelp2002/



Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
** NOTE NEW ADDRESS **
Pages at generation.net will no longer be updated.
===
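
Comparing two saved HijackThis logs shows exactly which BHOs differ between scans, such as the drop from 10 entries to 7 described in the first post. The following is an added example, not part of any post in this thread; the log lines, CLSIDs and DLL names are constructed, and `parse_bhos`, `diff_bhos` and `unnamed` are hypothetical helper names.

```python
import re

# HijackThis lists one BHO per line in its "O2" section:
#   O2 - BHO: <name> - {CLSID} - <path to DLL>
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)

def parse_bhos(log_text):
    """Return {CLSID: (name, dll_path)} for every O2 line in a log."""
    bhos = {}
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            bhos[m["clsid"].upper()] = (m["name"], m["path"])
    return bhos

def diff_bhos(before, after):
    """Compare two scans: BHOs that vanished, appeared, or point at a new DLL."""
    old, new = parse_bhos(before), parse_bhos(after)
    changed = [k for k in old.keys() & new.keys()
               if old[k][1].lower() != new[k][1].lower()]
    return {
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
        "changed": sorted(changed),
    }

def unnamed(bhos):
    """CLSIDs registered without a display name; look these up first."""
    return sorted(k for k, (name, _) in bhos.items()
                  if name.strip().lower() in ("", "(no name)"))

# Constructed sample logs (not from a real machine).
SCAN_1 = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Example Toolbar Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\ExampleToolbar\toolbar.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\System32\example1.dll
O2 - BHO: Example Quotes - {33333333-3333-3333-3333-333333333333} - C:\Program Files\ExampleQuotes\quotes.dll
"""
SCAN_2 = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: Example Toolbar Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\ExampleToolbar\toolbar.dll
O2 - BHO: Example Quotes - {33333333-3333-3333-3333-333333333333} - C:\Program Files\ExampleQuotes\quotes.dll
"""

if __name__ == "__main__":
    print(diff_bhos(SCAN_1, SCAN_2))
    print("unnamed in first scan:", unnamed(parse_bhos(SCAN_1)))
```

Keying on the CLSID rather than the DLL file name keeps the comparison stable when an entry has no display name or the file name is only half remembered.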
 
