IE Browser Hijacked?

By sincap2
Sep 27, 2005
Topic Status:
Not open for further replies.
  1. I have recently been unable to view yahoo.com or email.yahoo.com due to what I think is my browser being hijacked. I am attaching a screenshot of the site that comes up when I go to yahoo.com, along with my HJT file. Please help me get rid of this.

    I have scanned my machine in safe mode using my Symantec antivirus, and Adaware SE, and Spybot. Nothing was found.

  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You work for Microshaft, go figure it out yourself or ask your boss!

    You guys open the holes in your software, you close them!
  3. sincap2

    sincap2 Newcomer, in training Topic Starter

    You sound bitter. That's quite harsh and not an accurate assumption. My job is in consulting and I spent two months inside their hive working on business documents for their services strategies.

    To get any foreign computer near, let alone inside their network, you are forced to succumb to their surgical procedures to incorporate their software and policies. It's not a clean process and when you leave they don't sanitize your machine on the way out either.

    This trouble I'm having w/ the hijacker is intermittent. It occurred for two days, and has now disappeared. I'm sure it's not fixed and will return. What are common symptoms of browser hijacks?
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    C:\Documents and Settings\kevin.c.mcmenamin\Desktop\HijackThis.exe
    put HijackThis in e.g. C:\Program Files\HJT and NOT on the Desktop!

    You are the only one who can decide what to do with those entries between the dotted lines.
    I would TickMark every single one of them!
    Definitely fix the O18, O20 and O23.

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    acnupdatersvc.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    acnupdatersvc.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, click on Start/Run and type in (followed by press Enter):
    regsvr32 /u C:\WINDOWS\SYSTEM32\WiNcLogon.dll

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itgproxy.redmond.corp.microsoft.com:80
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    Fix ALL your O16 - DPF: entries
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = redmond.corp.microsoft.com
    O17 - HKLM\Software\..\Telephony: DomainName = redmond.corp.microsoft.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = redmond.corp.microsoft.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gsm1900.org,accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gsm1900.org,accenture.com,dir.svc.accenture.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WiNcLogon - C:\WINDOWS\SYSTEM32\WiNcLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.


    LSPFIX
    To fix, see Broken Internet access with xxx.dll
    and substitute xfire_lsp_8742.dll with "your" missing file name.
    Do NOT delete ANY other files!

    O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

    Uninstalling that M$-firewall should also solve it!

    Finally, go and install XP/SP2 and then go over to the Gates-Company and kick some serious A S S!
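As an added illustration of how an HJT log like the one quoted in this post gets triaged (example code written here, not from the thread, from HijackThis, or from either poster), the following script parses HJT entry lines and reports, per section, why each entry needs a human decision before it is ticked; the sample lines are a constructed subset of the entries quoted above, and the section meanings (R1 proxy, O17 DNS, O18 protocol handler, O20 Winlogon Notify, O23 service, O10 LSP) follow the advice given in the post.

```python
import re
from collections import Counter

# Constructed input: a subset of the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itgproxy.redmond.corp.microsoft.com:80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = redmond.corp.microsoft.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WiNcLogon - C:\WINDOWS\SYSTEM32\WiNcLogon.dll
O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
"""

# HJT entry lines look like "<section> - <detail>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")


def parse_hjt(text):
    """Return (section, detail) pairs for every well-formed HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Map each entry to the reason it needs a decision, keyed on its HJT section.

    Returns a list of (section, reason, detail). Identical O10 lines are collapsed
    with a count: an LSP entry is repaired (LSPFix), never deleted, because removing
    the DLL from the chain breaks Winsock."""
    findings = []
    lsp = Counter(d for c, d in entries if c == "O10")
    for code, detail in entries:
        if code == "R1" and "ProxyServer" in detail:
            findings.append((code, "browser traffic is routed through a proxy host", detail))
        elif code == "O17":
            findings.append((code, "DNS domain / search list changed; affects name resolution", detail))
        elif code == "O18" and "(file missing)" in detail:
            findings.append((code, "protocol handler points at a DLL that no longer exists", detail))
        elif code == "O20":
            findings.append((code, "Winlogon Notify DLL is loaded at every logon", detail))
        elif code == "O23":
            findings.append((code, "non-default service starts at boot; verify publisher and path", detail))
    for detail, n in lsp.items():
        findings.append(("O10", f"Winsock LSP entry seen {n}x; repair with LSPFix, do not delete", detail))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {detail}")
```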
  5. sincap2

    sincap2 Newcomer, in training Topic Starter

    Just a few notes:

    Accenture is my company, so anything ACN is referring to their software and what not.

    WiNC is a wireless program (Cirond Company) that helps me sniff and stabilize my wireless networks when I use it.

    I did go through and now removed all the microsoft proxies, the firewall and E-trust, their antivirus software. I am using Symantec now and I use a firewall called Blackice. These are the Accenture preferred services.

    I will follow through your list of actions to work on my problem, but my question is: when you check a box in the HJT log file and tell it to "Fix it", what is it actually doing? Is it deleting, or just turning that function, program, or sequence off?

    Thanks,
    Kevin
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    In most cases, it removes registry entries for the item(s) concerned.
    HJT makes a backup first, so it can UNDO changes. It does not physically delete anything.
    BUT, this ONLY works if you put HJT in a proper directory. This last I cannot stress enough, but over 90% of people ignore this!

    Accenture should get its 'preferred' AV and Firewall problems sorted out!
    E-trust and BlackIceDefender are rather low on the totem pole!

    To go back to your very first post, that Yahoo image is of a false portal, somehow you get redirected there.
    You run AIM, Messenger, Yahoo and perhaps other messengers, as well as a message-encrypter program.
    They may not all like each other. Save the data, then uninstall the lot, and reinstall only what you effectively use.

    And you still need to install SP2!
  7. sincap2

    sincap2 Newcomer, in training Topic Starter

    Company policy does dictate the AV and Firewall. Due to proprietary software used, SP2 really messes up our machines, so I have to keep it off for now.

    Thanks for all the tips and information. I appreciate your time and help on this.
  8. toffeapple

    toffeapple Newcomer, in training Posts: 216

    Try downloading Mozilla Firefox..much better than IE, and download Microsoft's antispyware beta, available free from their site..I haven't heard many people saying much about it on this site but I (I wouldn't usually champion MS products) reckon it's a very handy tool.
  9. sincap2

    sincap2 Newcomer, in training Topic Starter

    I have been told numerous times to get another browser. I'm sure I will one day. I was under the impression that some websites my company and clients use are not compatible w/ the secondary browsers. I might experiment and try it though.

    As for the MS anti-spyware software, I have been told by MS people themselves it runs best when put on a clean machine. It really helps keep the bugs off, but if you put it on an already infected machine, don't expect it to be nearly as powerful as Ad-Aware or Spybot.
  10. toffeapple

    toffeapple Newcomer, in training Posts: 216

    RealBlack's method of cleaning is well proven..if you follow his steps you can't go wrong....Just making a point on how to protect yourself in the future....MS antispyware has a great blocker which prompts you before every registry change etc, but you're right, it is pretty weak at removal..you should deffo try Firefox..you won't look back
  11. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    I think the days of M$ AntiSpyware are numbered.
    Billy Gates & Co. have had the temerity to declare Claria products (known to us as all that crap that comes from GAIN, the Gator Advertising Information Network) as not dangerous, in that MS Antispyware has downgraded Gator-junk from 'Quarantine' to 'Ignore'!
    Go figure!