Hi-Jacking

Discussion in 'Security and Privacy' started by gerdcurli, 2004/05/21.

Thread Status:
Not open for further replies.
  1. 2004/05/21
    gerdcurli

    Hi there folks,
    Even after I've run cool web shredder, ad-aware, hi-jack this and spybot, somehow, I'm still having my homepage hi-jacked. The address keeps coming up as about:blank then below that it reads...Search for....

    Does anyone have any ideas on this one... pretty confusing.
    Here's hoping,
    G.
     
  2. 2004/05/21
    PeteC

    Download HijackThis (exe version) from the link in my sig - save it to a folder on your HD - run it and post the log here. Fix nothing until advised to by one of the experts.

    Moving this to Security/Virus/Spyware
     

  4. 2004/05/21
    gerdcurli

    hijack this log

    Hi there, this is the log from the hi-jack this scan.
    Hope it helps,
    Gerd, Belfast:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:06:52, on 21/05/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\PHOTOSHOP.EXE
    C:\NEWHIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {98457448-AB33-11D8-AAD7-5254DA83DEC4} - C:\WINDOWS\SYSTEM\NAKHBAA.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
     
  5. 2004/05/21
    PeteC

    This doesn't look like the complete log file - you may need to split it and post it in 2/3 posts.
     
  6. 2004/05/21
    Newt

    We do need the entire hijackthis log file.

    At a guess, res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated) indicates you have a cool web problem and the fact that nakhbaa.dll isn't showing up on a Google search indicates you may have been unlucky enough to be the victim of a new variant.

    Don't fix anything just yet and do post the entire log.
     
  7. 2004/05/23
    Lonny Jones

    Still out there, any news?

    These CWS about blank hijacks are extremely difficult.

    I suggest you post the entire log (a new one) here and at spywareinfo
    http://forums.spywareinfo.com/
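
Added example, not part of any post in this thread: a small Python triage script that reads HijackThis R-section and O2 lines, collects every Internet Explorer setting that points at a `res://...DLL/` page, and reports whether the same DLL is also registered as a BHO, which is the pairing visible in the log posted above. The function name `triage` and the output layout are assumptions made for this example; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Sample input: a few entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NAKHBAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {98457448-AB33-11D8-AAD7-5254DA83DEC4} - C:\WINDOWS\SYSTEM\NAKHBAA.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# R0-R3 lines: "<code> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) = (.*)$")
# A res:// URL that loads a page embedded in a local DLL
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
# O2 lines: "O2 - BHO: <name> - {CLSID} - <file path>"
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def triage(log_text):
    """Return one record per DLL referenced through res:// in IE settings."""
    res_refs = defaultdict(list)   # dll path (lowercased) -> registry settings
    bhos = {}                      # dll path (lowercased) -> BHO CLSID
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _, key, value_name, data = m.groups()
            dll = RES_DLL.search(data)
            if dll:
                res_refs[dll.group(1).lower()].append(f"{key},{value_name}")
            continue
        m = BHO_LINE.match(line)
        if m:
            _, clsid, path = m.groups()
            bhos[path.strip().lower()] = clsid
    return [
        {"dll": dll, "settings": settings, "bho_clsid": bhos.get(dll)}
        for dll, settings in sorted(res_refs.items())
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["dll"], "BHO:", hit["bho_clsid"])
        for setting in hit["settings"]:
            print("   ", setting)
```

A record with a non-empty `bho_clsid` means the DLL serving the search page is also loaded into the browser as a helper object, so the R entries and the O2 entry need to be reviewed together.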
     