1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

IE Browser hijacked

Discussion in 'Web & Email' started by cliff gress, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. cliff gress

    cliff gress Thread Starter

    Aug 5, 2004

    I hope someone here can help. My daughter's IE 6 homepage seems to be hijacked. She runs Win XP.

    When she opens her IE browser it does not go to her start page. The status bar shows this "c:res"//c:\winnt\system32\shdoclc.dll\dnserror.htm..."
    The page displayed is actually split and shows the top half of the "page cannot be displayed", then the look-today.com search page and then the remaining half of the "page cannot be displayed" page. When I try to enter a url nothing happens and it stays on the bad homepage.

    The address bar show this path "res://c:\documents and settings\owner\local settings\temp/one.res/error.htm#http://www pathwaynet.com/. pathwaynet.com is her normal start page. When I go to this folder on her C drive there is a file that always changes its name, JETAF1C.TMP, was the last name found. I have noticed this file disappears from the folder after about 1 minute.

    I can change the start page in the registry and in Internet options via the control panel, but I always see the above paths and bad opening page. My registry start page changes to "http://look-today.com/passthrough/index.html?http://www pathwaynet.com/ after I restart the PC. This is also what I see for the start page under Internet options.

    I have another PC and have copied & run the most current spybot, adaware and the current Norton anti-virus files to no avail.

    Below is the result of running hijackthis on her PC:

    Logfile of HijackThis v1.98.2
    Scan saved at 3:35:05 PM, on 9/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://www.pathwaynet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pathwaynet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;<local>
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [APIMon] C:\WINNT\System32\Apimon.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [wipe free] C:\PROGRA~1\CURBJU~1\MORE DALE MODE.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by99fd.bay99.hotmail.msn.com/activex/HMAtchmt.ocx

    Any help would be appreciated.

    Cliff Gress
  2. Armonijones


    Sep 5, 2004
    Hey...This is my First Day finding this site.....I am able to Give you some Advice.....In spite of the Fact that I am Computer Iliterate.

    I had the same Problem about a Month ago......and the Only way to solve the Problem is to Reformat your Hard Drive and take it right down to Zero and re-Install every thing ..Right from Scratch!
    Save all of your Important Documents to a CD and then Just get your PC Redone for you, by some one that knows what they are doing, ..I can Now do mine on my own...BUT......once again.....My PC had to be Cleaned out entirely and have every thing Re-Installed....as if it was Brand New from the Shop!
    I would Highly Recommend Norton 2004 and other Anti-Virus Programs or Fire Walls be installed to Help elimanate any further Attacks from this Virus or any others.
    This will Fix it.
  3. cliff gress

    cliff gress Thread Starter

    Aug 5, 2004
    Thanks. I was hoping to avoid that. Is there someone else who might have a suggestion?

    Cliff Gress
  4. Armonijones


    Sep 5, 2004
    Hi again Cliff,

    Getting your PC Reformatted is NO BIG DEAL....and it should be Done at Least Every 6 months any ways .......Just for a Tune Up to make sure that it is running Clean and Bug Free......It takes about an Hour to do the First time.......and then it is a Breeze!
    Besides, if you do it on a regular Basis, you can then install all the latiest Up Dates that have Come in that Period of time.
    You mentioned that it is your Daughters Computer......."If" she is Browsing the Inter-Net constantly and Down Loading Music Files...As my Son does.........This is a Good way to have Hijacker invade your PC...Just ask me?
    Cleaning out your Hard Drive and Reinstalling your OS and other Programs....Is the only way to get rid of your Problem.
  5. cybertech

    cybertech Retired Moderator

    Apr 16, 2002
    Run HJT again and put a check in the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/i...pathwaynet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pathwaynet.com

    Close all applications and browser windows before you click "fix checked".

    Go to Internet Options, Programs
    Click the "Reset Web Settings" Button to reset your home and search pages.
  6. Isaiah4031


    Sep 6, 2004
    it replaced my start up page with 1 of their own
    i believe it to be a form of spyware but syware removal programs wouldn't remove it

    i downloaded a free virus program AVG and it removed it for me......it was some type of downloader

  7. leeinaus


    Sep 28, 2004
    I noticed earlier someone suggesting a reload of the operating system and then an installation of NORTONS AV to keep the system looked after.

    I don't like to knock anyone who took the time to type a message here and tried to help someone in need. I think it is great that people do this. I would like to suggest that this may not however be the best course to take.

    I am currently working on a PC with the same problem. I may have to reload it, but I have often found in the past that once cracked, these problems are usually 5 minutes worth of work to solve (not always the case), but it is worthwile doing some investigation to see if a solution can be found. The more you learn the easier it is to fix in the future.

    NORTONS ANTIVIRUS on the other hand, I have to say it, is probably one of the worst programs ever distributed. I fix PCs for a living and have found a massive range of problems associated with NORTONS from major system slowdown to lockups, reboots and failing to load at all. Most of these problems subsiding when the NORTONS package is finally removed and replaced with VET or AVG (about the only 2 out of all the ones I have had experience with that I could recommend).

    Some people use it and love it, but from the point of view of a person who works on hundreds of different PC's every year, NORTONS hit ratio of smooth running is amazingly bad, so definately be aware.

    If I manage to find the solution to this prob, I will try to get back here and post.
  8. turipa


    Oct 3, 2002
    i have posted too about the same sort of problem and the problems happening here are more or less the same as mine so i am interested in how to fix it too, i was just copying all my needed files, getting the laptop ready to format......I dont really care if that is the only option.....the kids have been using it so it needs a good clean out....
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270442

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice