browser Hijacking

Rainy

Not me, my son just told me he is being redirected every time he puts
anything in search.. I suggested he download Hijack This.. but they have
changed the program so much, I have no idea how to use it.. Can anyone
suggest another free anti hijacking program I can suggest to my son.. One I
can help him with.. thanks Rainy
 
Malke

Rainy said:
Not me, my son just told me he is being redirected every time he puts
anything in search.. I suggested he download Hijack This.. but they
have changed the program so much, I have no idea how to use it.. Can
anyone suggest another free anti hijacking program I can suggest to my
son.. One I can help him with.. thanks Rainy

HijackThis has not been changed, but it is not recommended to use it
without expert oversight. HJT does not remove malware; just shows
registry entries.

Your son should go through the systematic virus/malware removal steps
here:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

He should make sure he does all the preparatory work.

If the procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - have your son take the machine to a
professional computer repair shop (not your local version of
BigStoreUSA).

Malke
 
Rainy

thanks for the response.. it does look very systematic... but I remember
hijackthis, from a few years back, and it scanned and showed every possible
hijacker.. now it seems to show everything.. and ask you the user, to pick
out what might be a hijacker.. Maybe I am not getting it.. but will look at
your site, and see if I can figure it out.. and explain it to my son..
thanks Rainy
 
Larry Gardner

Rainy:

Where is he being redirected to? Dell computers come with this already
installed ... and I know where to look.
 
Rainy

I will have to ask him.. he is out right now.. but I will get back to you...
thanks Larry.. Rainy
 
Chuck Davis

Try this
1. Download hijackthis from http://www.tomcoyote.org/hjt/
2. Install hijackthis on your C: drive.
3. Open the program and click on Do a system scan and save a logfile.
4. Save the logfile.
5. Visit http://www.hijackthis.de/
6. Either copy and paste your logfile contents into the space provided, or
7. Click on the Browse button and locate your logfile.
8. Click on Analyze
9. Wait a few minutes and the results will be displayed.
10. Follow the instructions for the "Nasty" entries
 
Malke

Curt said:
Malke,
Can you drop me a quick e-mail at curtchristnsnATnospam yahoo.com
Many TIA,

I'm sorry Curt, but I don't answer emails from Usenet groups and as you
see, use a purposely false email address in newsgroups. Please don't
take this personally. For years I did accept email from Usenet groups
and got some really unpleasant and weird people contacting me. Again,
please do not take this personally or think I am casting aspersions on
your character.

Malke
 
Malke

Curt said:
Malke,
Can you drop me a quick e-mail at curtchristnsnATnospam yahoo.com
Many TIA,

Looking at your posts, it seems that you are an MVP. I missed your
signature before. If this is correct, you can get my email from the
private MS-MVP site and I would be happy to hear from you.

Malke
 
Rainy

I just spoke to my son, and soon as he has the time, he will download the
program and save the log, and send it to me.. thanks.. I'm still working on
it... :) Rainy
 
Rainy

it's not a Dell computer... why would Dell do that. If you are searching for
something.. you want the search results to display.. :) Rainy
 
Rainy

Hi sorry if this is a repeat, but this post has not shown all day.. hoping
you or someone can look at this and determine if something there is trash
...it's very much appreciated.. thanks Rainy

here are the results...

Logfile of HijackThis v1.99.1
Scan saved at 1:55:19 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\User\Local Settings\Temp\wz60ee\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmnfw.exe] C:\WINDOWS\system32\dmnfw.exe
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2005 version 7\monitor.exe"
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136426920247
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


here is the answer from my tech group.. if you download hijackthis and then
run it, send me the copy and paste of what it finds, and I can send it to
the group.. it's not lop.com if it's doing that.. love ya Mom
----- Original Message -----
From: "Chuck Davis"
Newsgroups: microsoft.public.windowsxp.basics
Sent: Saturday, June 17, 2006 5:55 PM
Subject: Re: browser Hijacking


Try this
1. Download hijackthis from http://www.tomcoyote.org/hjt/
2. Install hijackthis on your C: drive.
3. Open the program and click on Do a system scan and save a logfile.
4. Save the logfile.
5. Visit http://www.hijackthis.de/
6. Either copy and paste your logfile contents into the space provided, or
7. Click on the Browse button and locate your logfile.
8. Click on Analyze
9. Wait a few minutes and the results will be displayed.
10. Follow the instructions for the "Nasty" entries
 
Rainy

Hi for some reason I can't post the hijackthis log... if you or someone can
email me, I can show you what it says and I can get some help.. thanks Rainy
 
Malke

Rainy said:
Hi for some reason I can't post the hijackthis log... if you or
someone can email me, I can show you what it says and I can get some
help.. thanks Rainy

Do not post HijackThis logs in the MS newsgroups. Instead, register and
post at one of these specialty forums where you will get the expert
help you need:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke
 
Rainy

I was told by the person ahead of you.. to do just this... sometimes in
this group.. non xp problems are posted, and get help.. and sometimes they
do not.. why is that?.. I am registering in one you mentioned
though.. thanks Rainy
 
Malke

Rainy said:
I was told by the person ahead of you.. to do just this... sometimes
in this group.. non xp problems are posted, and get help.. and
sometimes they do not.. why is that?.. I am registering in one you
mentioned though.. thanks Rainy

If you will do a Google Groups Advanced Search in
microsoft.public.windowsxp.general (and also in windowsxp.basics and
security.virus) you will see that there was a great deal of to-do over
this issue last year and you can see all the reasons in detail.

Briefly, here are some of the reasons why we ask you not to post HJT
logs here:

1. It takes a great deal of time and skill to properly analyze HJT logs.
A newsgroup is not a venue that lends itself to that.

2. People who analyze HJT logs in the forums I gave you are trained.
Only trained people are permitted to analyze HJT logs on those forums.
There is no like constraint in an unmoderated newsgroup such as the MS
newsgroups.

3. HJT requires expertise to use. You can hose your system irrevocably
if you remove the wrong thing(s). Working with HJT and removing malware
is something that must be done by people who do this every day and who
are up-to-the-minute current with malware behavior. In a newsgroup, you
have no assurance that the person telling you to remove "x" has any of
the necessary training and skills.

As for non-XP questions, they are not particularly encouraged either.
Usenet newsgroups have a focus specific to each group. Some groups
encourage off-topic postings and some do not. Most technical support
groups do not because it louses up the signal-to-noise ratio and
degrades the newsgroup.

Here are some links about Usenet which explain newsgroup culture in
more detail:

http://en.wikipedia.org/wiki/Usenet
http://groups.google.com/support/bin/static.py?page=basics.html - Basics
of Usenet
http://www.elephantboycomputers.com/page2.html#Usenet - a brief
explanation of newsgroups

http://www.plainfaqs.org/

Malke
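
Added example, not part of any post in this thread: a small Python reader for the HijackThis log layout seen above. It shows that the log is an inventory of settings grouped by section code, and that a person still has to say which values they expected. The sample log, its hosts and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis log layout, hard-wrapped the way a
# newsreader wraps long lines. Hosts and paths are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://portal.example/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://results.example.org/find
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Example Service (ExSvc) - Example Corp -
C:\Program Files\Example\exsvc.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

def parse_entries(log_text):
    """Return [(section_code, text)], rejoining hard-wrapped entries."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif line and entries:
            # No section code: continuation of the previous entry.
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def search_settings(entries):
    """Map each R-section registry value to the string it holds."""
    settings = {}
    for code, text in entries:
        if code.startswith("R"):
            name, _, value = text.partition(" =")
            settings[name] = value.strip()
    return settings

def needs_review(entries, expected_hosts):
    """Non-empty R-section values whose host the owner did not choose."""
    flagged = []
    for name, value in search_settings(entries).items():
        if value and urlsplit(value).hostname not in expected_hosts:
            flagged.append((name, value))
    return flagged

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for name, value in needs_review(entries, {"portal.example"}):
        print("review:", name, "->", value)
```

The output is a list of start and search page settings to look at, not a verdict; deciding whether an entry is unwanted is the step the thread says needs trained eyes.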
 
