Solved

Incognito Search Page Hijacked my Browser to 213.159.117.235

Posted on 2004-03-26
Last Modified: 2013-12-04
One of my network's machines has been hijacked. I've tried spybot, ad-aware, HiJackThis and TrojanRemover: nothing. This thing is like chewing gum in your hair. Trojan Remover reports no infection but my HOSTS file indicates:

127.0.0.1 localhost
213.159.117.235 auto.search.msn.com

I've tried deleting the file, renaming it and emptying it, but it always regenerates to the same content. http://213.159.117.235 is a kind of search page but the address that appears in the browser is about:blank which it obviously isn't. Any ideas?
Question by:XelaQlito
15 Comments
 
LVL 44

Accepted Solution

by:
CrazyOne earned 500 total points
ID: 10693410
This little ditty will get rid of some of the more well known Home page Hijackers.
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
here is a description of what it does
http://www.softpedia.com/public/cat/10/17/10-17-143.shtml
Features:

· Redirections to CoolWebSearch related pages
· Redirections when mistyping URLs
· Redirections when visiting Google
· Enormous IE slowdowns when typing
· IE start page/search page changing on reboot
· Sites in the IE Trusted Zone you didn't add
· Popups in Google and Yahoo when searching
· Errors at startup mentioning WIN.INI or IEDLL.EXE
· Unable to change or see certain items in IE Options
· Unable to access IE Options at all

download here
http://www.spychecker.com/download/download_coolwebshredder.html
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10693420
If windows 98 then

Start > Run msconfig
Click on the tab marked "Startup"
Uncheck all items except System Tray and Explorer.

If the problem no longer persists then one of the items in the startup is the culprit; you just need to track it down.


If XP

Try this

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists then one of the items in the startup is the culprit; you just need to track it down.

If win2000 do the same but you need to download a utility that will do it

MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://www.pcmag.com/article2/0,4149,2173,00.asp

AutoRuns
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10693484
The best utility I have seen for fixing browser hijacking, spyware, and other nasty stuff along those lines is Spybot Search & Destroy, which is FREE.  http://www.safer-networking.org/
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10693499
Ummm visioneer XelaQlito said "I've tried spybot, ad-aware" :)
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10693531
That's what I get for reading too fast.  :)

How about these links for a better, more specific answer to this particular browser hijack?  

http://www.symantec.com/avcenter/venc/data/pf/adware.findemnow.html
http://www.sarc.com/avcenter/venc/data/pf/trojan.bookmarker.f.html
http://www.symantec.com/avcenter/venc/data/trojan.bookmarker.e.html

Each one of these trojans listed will redirect to 213.159.117.235, which is the nasty site in question.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10693540
Yeah, that might work; so might these

Double Check for viruses
Online Scanners

 Norton Web Services  
Go to this page and click on Scan for Viruses
http://security.symantec.com/ssc/vc_about.asp?j=1&langid=us&venid=sym&plfid=22&pkj=REODSKVYRMHCGVRVRMN

It needs to download a few files so as to activate the scan so you may see a message like this.

"The Scan for Viruses uses an ActiveX program to scan your computer. The download is approximately 1.5MB and can take about 10 minutes over a 28.8 modem.

The scan can take more than 20 minutes depending on the speed of your computer and the number of files that you have. Please do not browse away from this page unless you intend to abort the scan.
 
Downloading Scan for Viruses controls. Please wait...
 
During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.
 
Note: Scan for Viruses does not scan compressed files"

======================
 Trend Micro HouseCall        
www.housecall.antivirus.com
"Trend Micro's free online virus scanner
In order to better serve our customers, we ask HouseCall users to register before scanning their computer.  By registering, you will receive virus alerts from our team of Virus Doctors. You will be able to unsubscribe when you receive your first email. You can also scan without registering"
http://housecall.antivirus.com/housecall/start_corp.asp

======================
eTrust Online antivirus scanner
http://www3.ca.com/virusinfo/virusscan.aspx
======================

PC Pitstop Virus Scan
Our free Web-based virus scan uses Panda Software's award-winning technology and virus list. We're checking against the "wildlist," the roughly 200 viruses that are most prevalent in the world in a given month
http://www.pcpitstop.com/antivirus/default.asp
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10694145
Install a firewall to protect you ...

Getting a personal Firewall
http://www.zensecurity.co.uk/default.asp?URL=personal

Download the free version of Sygate personal firewall
http://smb.sygate.com/support/documents/spf/default.htm
http://smb.sygate.com/download/download.php?pid=spf

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za

Comparative reviews of personal firewall software:
http://www.firewallguide.com/software.htm

Firewall Product Selector - Choose yourself which one to compare
http://www.spirit.com/cgi-new/report.pl?dbase=fw&function=view

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0

 
LVL 12

Expert Comment

by:trywaredk
ID: 10694147
Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10694149
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://pestpatrol.com/Support/About/About_Ports_And_Trojans.asp#portlist

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Internet Storm Center - Input portnumber and press GO
http://isc.incidents.org/port_details.html?port=

IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10694151
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan.. Get an instant security analysis now. You don't even need to know your own IP address!
http://www.dslreports.com/scan

How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10694180
Set up auditing of your hosts file (read the results in your event log), and at the same time use the Sysinternals tools to identify the process (.exe file) that is writing to your hosts file (match the time of the hosts file with the process). Then open the .exe file with Notepad and look for readable text to identify the trojan/backdoor.

Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549

Diagnose System Problems with Event Viewer in Microsoft Windows 2000
http://support.microsoft.com/?kbid=302542

Ever wondered which program has a particular file or directory open?
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

PMon is a Windows NT device driver/GUI combination that logs and displays all process activity on a Windows NT 4.0 system.

Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry
http://www.sysinternals.com/ntw2k/source/regmon.shtml

DiskMon is an application that logs and displays all hard disk activity on a Windows system.
http://www.sysinternals.com/ntw2k/freeware/diskmon.shtml

0
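As an added example (not part of the thread and not code from any tool named in it), this Python sketch automates the two manual checks discussed above: listing HOSTS entries that point a name at a non-local address, as in the question, and pulling readable text out of a suspect executable to see whether it carries those same values. The function names and both sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two HOSTS entries quoted in the question, plus extras.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1        localhost
213.159.117.235  auto.search.msn.com
0.0.0.0          ads.example.test
"""

# Constructed stand-in for a suspect executable: binary noise around text.
SAMPLE_BINARY = (b"MZ\x90\x00\x03\x00" + b"\x00" * 8
                 + b"213.159.117.235 auto.search.msn.com\x00\xff\xfe"
                 + b"drivers\\etc\\hosts\x00\x01ab\x02")


def hosts_redirects(text):
    """Return (line_no, hostname, ip) for names mapped off the local machine."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, " ".join(fields), "unparseable"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                             # 127.x.x.x, ::1, 0.0.0.0 stay local
        findings.extend((line_no, name.lower(), str(ip)) for name in fields[1:])
    return findings


def readable_strings(data, min_len=6):
    """Extract printable ASCII runs, like skimming an .exe in Notepad."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def strings_matching(data, findings):
    """Strings from a binary that mention a redirected hostname or its IP."""
    needles = {value for _, name, ip in findings for value in (name, ip)}
    return [s for s in readable_strings(data) if any(n in s.lower() for n in needles)]


if __name__ == "__main__":
    print(strings_matching(SAMPLE_BINARY, hosts_redirects(SAMPLE_HOSTS)))
```

Legitimate intranet mappings will also be listed by `hosts_redirects`, so the output is a review list rather than a verdict.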
 

Author Comment

by:XelaQlito
ID: 10694252
CrazyOne: CoolWebShredder worked perfectly. It's amazing how ingrained this hijacker is. Thanks a lot.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10694871
You are welcome :)
0
 

Expert Comment

by:TwinTurboDiamante
ID: 10971180
CrazyOne
It also worked for me..
Thanks a lot for a simple no nonsense answer/fix for the problem.
Haydn
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10972447
:)
0
