  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11349

Home Page Hijacker

I have downloaded pretty well all the detection programs available and updated them. HijackThis shows the first 2 entries as:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=6537659
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=6537659

I think this may be a MySearchNow variant. Nothing I can do will remove them. Any ideas?
Asked by: sablog
2 Solutions
 
SheharyaarSaahilCommented:
Hello sablog =)

Sure u are disabling System Restore before cleaning the system if it's WinXP\ME ??
and are u doing the cleaning in Safemode ??
 
SheharyaarSaahilCommented:
check our EE Official Link on How to Troubleshoot Spywares\Adwares and Browser Hijacking Issues,
http://www.experts-exchange.com/Q_20975384.html

Maybe u can get the idea from there of what to do to kick it out from the system :)
 
Lobo042399Commented:
Hi sablog,

Here's an easy fix for hot-searches. Print this page for reference while doing the removal and disable System Restore:

- Close IE and preferably disconnect the machine from the Net.

- Using Windows Explorer navigate to your \system32\ folder. Look for files with the names: xplugin.dll; tmksrvu.exe; and tksrv98.exe; and delete them. If xplugin.dll can't be deleted you can use KillBox to remove it. (KillBox can be downloaded from http://www.gatesofdelirium.com/ee/tools/)

- Also look for the following files and delete them: check-privacy.exe; kaza.dll; kaza2.dll; hosts; hosts.2; d1k.exe; and d1ki.exe; ole32ws.dll; Q80164935.exe; Q80635352.exe; d.cmd. They may NOT be there, which is okay. Delete them if you find them.

- Open your Registry and run a Find for all keys mentioning "hot-searches.com" and "lender-search.com" and delete them, except the keys found under Internet Explorer. For those, you can replace them with your favourite home page, or you can delete the value and leave the key empty.

- Run another Find in the Registry and find and delete all entries with "81.211.105.69" and "81.211.105.68".

- Reboot your machine.

You should be clear now.

Good Vibes!

Lobo
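Lobo's registry steps can be rehearsed offline against a registry export (File > Export in regedit) before anything is touched on the live machine. The Python script below is an added example, not code from this thread or from any tool named in it: it parses a .reg file, reports every key name or value that contains one of the indicator strings Lobo lists (the two domains, the two IP addresses and the file names), and marks hits under Internet Explorer\Main as "reset" rather than "delete", exactly as the post distinguishes them. The .reg text embedded in the script is constructed for illustration and is not an export from the asker's machine.

```python
"""Offline rehearsal of the registry clean-up above against a .reg export (added example)."""
import re

# Indicator strings quoted from the post: two domains and two IP addresses.
NETWORK_INDICATORS = ["hot-searches.com", "lender-search.com", "81.211.105.69", "81.211.105.68"]
# File names the post says to delete; a Run value pointing at one of them is also a hit.
FILE_INDICATORS = ["xplugin.dll", "tmksrvu.exe", "tksrv98.exe", "ole32ws.dll", "d1k.exe", "d1ki.exe"]
# Under these keys the post says to reset the value to a chosen home page, not delete it.
IE_MAIN_KEYS = (
    r"hkey_current_user\software\microsoft\internet explorer\main",
    r"hkey_local_machine\software\microsoft\internet explorer\main",
)
# A .reg value line: either @=... (default value) or "name"=...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {value_name: data}}.
    The default value is stored under '@'; ';' comment lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def _first_indicator(text, indicators):
    """Return the first indicator found in text (case-insensitive), or None."""
    low = text.lower()
    return next((i for i in indicators if i.lower() in low), None)


def triage(keys):
    """One finding per key name or value data that contains an indicator.
    action is 'reset' for hits under Internet Explorer\\Main, 'delete' elsewhere."""
    findings = []
    for key, values in keys.items():
        action = "reset" if key.lower().startswith(IE_MAIN_KEYS) else "delete"
        hit = _first_indicator(key, NETWORK_INDICATORS)
        if hit:  # the key itself is named after the hijacker
            findings.append({"key": key, "value": None, "indicator": hit, "action": "delete"})
        for name, data in values.items():
            hit = _first_indicator(data, NETWORK_INDICATORS + FILE_INDICATORS)
            if hit:
                findings.append({"key": key, "value": name, "indicator": hit, "action": action})
    return findings


# Constructed sample export for illustration; not a capture from the asker's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hot-searches.com/index.php?v=6&aff=6537659"
"Search Page"="http://hot-searches.com/index.php?v=6&aff=6537659"
"Local Page"="C:\\WINNT\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sygate Personal Firewall"="C:\\Program Files\\Sygate\\smc.exe"
"xplugin"="C:\\WINNT\\system32\\tmksrvu.exe"

; constructed key named after the hijacker, holding one of the listed IPs
[HKEY_CURRENT_USER\Software\hot-searches.com]
@=""
"server"="81.211.105.69"
'''


def main():
    for f in triage(parse_reg_export(SAMPLE_REG)):
        where = f["key"] if f["value"] is None else f'{f["key"]} -> "{f["value"]}"'
        print(f'{f["action"].upper():6} {where}  (matched {f["indicator"]})')


if __name__ == "__main__":
    main()
```

Running it against the constructed export prints two RESET lines for the IE start and search pages and three DELETE lines (the Run value, the hijacker-named key and its IP value). Matching is plain substring search on key names and value data, so a key that only *references* the domain in binary data would be missed; that is the same limitation as regedit's Find.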
 
sablogAuthor Commented:
Hi guys
I'm not sure if these fixes have made things better or worse! First item now reads:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
It's W2000 by the way.
 
SheharyaarSaahilCommented:
did u run adaware+spybot+CWShredder in safemode ??
u can get them from the EE Official Link above :)
 
sablogAuthor Commented:
Yes I did. I ran them all in safe mode and they seemed to work. But on reboot the mysearchnow line comes back again. I can't understand how they do it!
 
SheharyaarSaahilCommented:
ok can u plzz get the HijackThis v1.98.2 from here,
http://tools.radiosplace.com/HijackThis.exe

Then Post its log at this site >> http://www.hijackthis.de/index.php?langselect=english
analyse it, and then plzz post here the address of that analysed page !! :)
 
sablogAuthor Commented:
http://www.hijackthis.de/logfiles/48f13f55a1c067580d80ebbd030c4eb3.html

Some comments about the logfile (in order of issue raised, yellow and red items only):
Qwik Fix - Qwik-Fix Pro uses Active System Hardening to protect Windows desktops and servers against new threats by blocking the underlying vulnerabilities exploited by worms and viruses.

IHateSpam: SPAM detector and eliminator for Outlook and Outlook Express

Sygate: Home Networking application

Sophos Sweep: Sophos Virus Detection

Traybar: Freeware application Launcher for Windows (http://www.nimation.nl/traybar/). I've been using it trouble-free for years.

Wheres James Startup manager: WheresJames Startup Manager will allow you to view the programs that start with Windows and disable or delete them if you like (http://www.wheresjames.com/index.php?page=startupmgr). Again, I've been using it trouble-free for years.

WordWeb: English Dictionary

DigiGuide: DigiGuide is a powerful and flexible TV guide for your Windows PC.(http://www.digiguide.com/)

R3 Don't know

O2 Unnecessary items - don't know. NAV Helper relates to Norton antivirus remnants not uninstalled completely

O3 Norton Antivirus same as above. Norton antivirus wouldn't uninstall completely so am using Sophos instead now.

O4 hpqqpk.exe - cannot delete nor locate in system32 folder

O8 Roboform - RoboForm is a free password manager and one-click web form filler (http://www.roboform.com/)

O8 Copernic Agent - Search agent

O10 Don't know

O16 Content AuditX Control - Don't know but am getting warnings that 'current security settings prohibit running ActiveX controls on this page' although this isn't true!

O16 Logitech - don't know but may relate to a previous mouse installation

Good Luck!
 
blue_zeeCommented:

Try the latest version of CoolWebShredder (V. 2.0):

http://www.intermute.com/spysubtract/cwshredder_download.html

Zee

 
SheharyaarSaahilCommented:
U have three entries which are not good,,,,

>> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
(it's listed as SAFE, but it's not)

>> R3 - Default URLSearchHook is missing

>> O4 - HKLM\..\Run: [settings byte] C:\PROGRA~1\GramWarn\Bind Online Barb.exe
(what is this, I cannot recognise this program, do u ?? )

and here is another one >> O10 - Broken Internet access because of LSP provider 'c:\program files\netsonic\netsonic.dll' missing

to fix this u will have to use LSPFix >> http://www.spychecker.com/program/lspfix.html
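The entries SheharyaarSaahil picks out can be checked mechanically rather than by eye. The script below is an added example, not part of this thread and not HijackThis code: it parses the R0/R1/R3/O4/O10 lines of a HijackThis log, judges start and search pages by their host rather than by the Microsoft URL carried in the query string (which is what lets the mysearchnow.com "passthrough" line pass as SAFE), flags Run entries that launch from a directory outside an assumed allowlist, and pulls the missing DLL path out of an O10 LSP line. The two allowlists and the Sygate Run entry in the sample are assumptions; the other sample lines are the ones quoted in the thread.

```python
"""Triage of HijackThis-style log lines (R0/R1/R3/O4/O10) as discussed in the thread (added example)."""
import re
from urllib.parse import urlparse, unquote

# Hosts the machine's owner actually chose for home/search page (assumed allowlist).
ALLOWED_PAGE_HOSTS = {"www.microsoft.com", "www.google.com"}
# Directories this machine's known software starts from (assumed, for the O4 check).
KNOWN_RUN_DIRS = {r"c:\program files\sygate", r"c:\winnt\system32"}

LINE_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.*)$")
PAGE_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+) = (?P<url>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
LSP_RE = re.compile(r"LSP provider '(?P<dll>[^']+)' missing")


def check_page_url(url):
    """Classify a start/search page URL by its host. A hijacker can hide behind a
    'passthrough' URL whose query string carries the expected Microsoft page, so the
    tail of the URL proves nothing; only the host that is actually contacted counts."""
    host = (urlparse(url).hostname or "").lower()
    if host in ALLOWED_PAGE_HOSTS:
        return "ok", host
    query = url.split("?", 1)[1] if "?" in url else ""
    if re.search(r"https?://", unquote(query)):
        return "hijack-redirect", host  # foreign host wrapping a legitimate-looking page
    return "hijack", host


def triage(lines):
    """Return (section, verdict, detail) tuples for the lines that need attention."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")
        if sect in ("R0", "R1"):
            pm = PAGE_RE.match(body)
            if pm:
                verdict, host = check_page_url(pm.group("url"))
                if verdict != "ok":
                    findings.append((sect, verdict, f'{pm.group("name")} points at {host}'))
        elif sect == "R3" and "URLSearchHook is missing" in body:
            findings.append((sect, "review", "default URLSearchHook missing; restore after cleanup"))
        elif sect == "O4":
            rm = RUN_RE.match(body)
            if rm:
                cmd = rm.group("cmd").lower()
                exe_dir = cmd.rsplit("\\", 1)[0]  # directory part of the launched path
                if not any(exe_dir.startswith(d) for d in KNOWN_RUN_DIRS):
                    findings.append((sect, "review", f'[{rm.group("label")}] runs from unknown dir {exe_dir}'))
        elif sect == "O10":
            lm = LSP_RE.search(body)
            if lm:
                findings.append((sect, "broken-lsp", f'missing Winsock LSP {lm.group("dll")}'))
    return findings


# Sample log: the lines quoted in the thread plus one constructed benign O4 entry (Sygate).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=6537659
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Sygate Personal Firewall] C:\Program Files\Sygate\smc.exe
O4 - HKLM\..\Run: [settings byte] C:\PROGRA~1\GramWarn\Bind Online Barb.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\netsonic\netsonic.dll' missing
"""

if __name__ == "__main__":
    for sect, verdict, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{sect:4} {verdict:16} {detail}")
```

On the sample the R0 line comes out as "hijack-redirect" (host mysearchnow.com, legitimate page only in the query), R1 as a plain "hijack", the Bind Online Barb.exe entry is flagged because it starts from an 8.3 short-name directory outside the allowlist, and the O10 line yields the netsonic.dll path that LSPFix needs. The constructed Sygate entry is not reported.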
 
sablogAuthor Commented:
LSPFix worked fine for O10
I agree mysearchnow is the problem and don't know what Bind Online Barb is. Any ideas on removal? Thanks
 
SheharyaarSaahilCommented:
>> don't know what Bind online Barb is

whatever it is, it's present in the C:\Program Files\GramWarn folder
fix the entry in hijackthis and then delete this folder in safemode to recycle bin,,,, restart back and check if it's gone or not ??
and the R0 entry.... it's popping up again and again when u fix it..... right ??
have u for once tried fixing it in safemode instead of in normal mode ??
 
sablogAuthor Commented:
It may be present in C:\Program Files\GramWarn folder but I can't find it there! Not even from the DOS prompt. So it's pretty clever to disguise itself in this way. I may be approaching the point of reformatting soon as several others with this problem have not succeeded either.
 
SheharyaarSaahilCommented:
try enabling show hidden files and protected system files in folder options and then check if it's visible now ??
 
sablogAuthor Commented:
I'm afraid I've already checked for that possibility.
 
Lobo042399Commented:
Hi sablog,

the Barb.exe malady has several forms, from what I can gather from research. I have not seen a fix for it yet so let's try and be creative here.

First, download Process Explorer from my Tools link. Run it and look for all the running processes. Double-clicking on a Process will open a window with more info on it, like Registry keys, linked programs, TCP/IP connections a Process may be using and where it's connecting, and other info. Look for the xxxxx_Barb.exe file in there and write down every bit of info you find about it and post it here. Let's see if we can be the first to come up with a cleaning method for that parasite.

Good Vibes!

Lobo
 
SheharyaarSaahilCommented:
sablog, just confirming..... zee asked to run the CWShredder v2.0.... have u run it already in safemode ?? :)
 
gonzal13RetiredCommented:
Try 'Giant Antispyware'. I just downloaded the free fully functional 15 day trial program. It picked up items that others missed. It was quite surprising.

www.giantantispyware.com

gonzal13(joe)
 
gonzal13RetiredCommented:
Spybot Search & Destroy can avoid home page hijacking to some extent:

http://www.safer-networking.org/index.php?page=download
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).
You should also apply the "immunize" function, since it blocks roughly 1700 known 'bad' runs/apis/apps.

Start Spybot S&D. Now go to Mode and select "Advanced Mode".

Click "Tools" on the left hand pane. Now click IE Tweaks.

On the right hand pane you can now select "Lock IE start page setting against user changes (current user)"

Hope this may help.

If you want to clean up the mess in those PCs, it must be done through HijackThis.
 
sablogAuthor Commented:
I'm still working through your ideas!

CWShredder and Giant Antispyware detect the problem but don't eradicate it, even in Safe Mode. Nor does Spybot S&D. HijackThis in safe mode says it isn't there. When you reboot in Normal mode and run HijackThis, it's back again! Am currently running Firefox which seems to be much better and not yet attacked.
 
SheharyaarSaahilCommented:
take out the hard drive and hook it as slave drive in another system and then run the removal tools.... =\
 
Lobo042399Commented:
Hi sablog,

did you try running Process Explorer?

Cheers,

Lobo
 
sablogAuthor Commented:
I have worked through all of the ideas above except for taking out the hard drive (Not had time yet!) None of the above have worked so far, although the problem is less now I'm using Firefox. Process Explorer data follows:

Process      PID      CPU      Description      Company Name
System Idle Process      0      80            
 Interrupts      n/a            Hardware Interrupts      
 DPCs      n/a            Deferred Procedure Calls      
 System      8                  
  smss.exe      144            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      176      1      Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      172      1      Windows NT Logon Application      Microsoft Corporation
    services.exe      224      1      Services and Controller app      Microsoft Corporation
     smc.exe      364      2      Sygate Agent Firewall      Sygate Technologies, Inc.
     svchost.exe      420            Generic Host Process for Win32 Services      Microsoft Corporation
     spoolsv.exe      440            Spooler SubSystem App      Microsoft Corporation
     DkService.exe      468            DKSERVICE.EXE      Executive Software International, Inc.
     svchost.exe      480            Generic Host Process for Win32 Services      Microsoft Corporation
     qfloadsvc.exe      552            qfloadsvc Application      PivX Solutions, Inc.
     MSTask.exe      624            Task Scheduler Engine      Microsoft Corporation
     SWNETSUP.EXE      680            Sophos Anti-Virus network support service      Sophos Plc
     SWEEPSRV.SYS      756            Sophos Anti-Virus detection system service      Sophos Plc
     WinMgmt.exe      864            Windows Management Instrumentation      Microsoft Corporation
     svchost.exe      900            Generic Host Process for Win32 Services      Microsoft Corporation
     sgserv.exe      1028      3      Sygate Internet Sharing Service For NT      Sygate technologies Inc.
    lsass.exe      236            LSA Executable and Server DLL (Export Version)      Microsoft Corporation
Explorer.EXE      1092            Windows Explorer      Microsoft Corporation
 Sygate.exe      1384      4      Sygate - Internet Sharing Software      Sygate Technologies, Inc.
 siService.exe      1388                  GIANT Company Software, inc.
  siMailProxyServ      1564                  GIANT Company Software inc.
  siSpamFilterEng      1452                  GIANT Company Software
 Ad-Watch.exe      1408      4      Ad-Watch System Protector      Lavasoft Sweden
 qttask.exe      1412                  Apple Computer, Inc.
 Traybar.exe      1448                  
  procexp.exe      1692      4      Sysinternals Process Explorer      Sysinternals
 StartupMgr.exe      1484            Control startup applications.      WheresJames Software (www.wheresjames.com)
 RoboTaskBarIcon      1504            RoboForm TaskBar Icon      Siber Systems
 ctfmon.exe      1516            Cicero Loader      Microsoft Corporation
 AUTOCHK.EXE      1540            ConfigSafe Auto Check Program      imagine LAN, Inc.
 wweb32.exe      1432            WordWeb thesaurus/dictionary      Antony Lewis
 SpySub.exe      1576            SpySubtract Program EXE      InterMute, Inc.
 ICMON.EXE      528      1      Sophos Anti-Virus InterCheck activity monitor (ENG)      Sophos Plc
 qfui.exe      1600            Qwik-Fix Pro - Home Edition      PivX Solutions, Inc.
PMCTray.exe      1608            Ridoc IO Navi Module      RICOH COMPANY,LTD.

Process: PMCTray.exe Pid: 1608

Type      Name
Desktop      \Default
Directory      \KnownDlls
Directory      \Windows
Directory      \BaseNamedObjects
Event      \BaseNamedObjects\userenv:  User Profile setup event
File      C:\Program Files\RMClient
File      \Device\Tcp
File      \Device\Tcp
File      \Device\Ip
File      \Device\Ip
File      \Device\Ip
File      \Device\Afd\Endpoint
File      \Device\WS2IFSL\NifsPvd
File      \Device\WS2IFSL\NifsSct
File      \Device\Udp
File      \Device\KsecDD
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
Key      HKLM\SYSTEM\ControlSet002\Services\Tcpip\Linkage
Key      HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters
Key      HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters\Interfaces
Key      HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\Net98
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM
Key      HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
Key      HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
Key      HKLM\SYSTEM\ControlSet002\Control\NetworkProvider\HwOrder
Key      HKCU
Key      HKCU\Software\Classes
Mutant      \BaseNamedObjects\PMMUTEX_192.168.101.20
Mutant      \BaseNamedObjects\PMPSAPI-192.168.101.20
Mutant      \BaseNamedObjects\RasPbFile
Mutant      \BaseNamedObjects\DBWinMutex
Mutant      \BaseNamedObjects\PMClient
Mutant      \BaseNamedObjects\MSUIM.GlobalLangBarEventSink.Mutex
Mutant      \BaseNamedObjects\MSUIM.GlobalCompartment.Mutex
Mutant      \BaseNamedObjects\MSUIM.Assembly.Mutex
Mutant      \BaseNamedObjects\MSUIM.Layouts.Mutex
Mutant      \BaseNamedObjects\MSUIM.MarshalInterfaceMutex.TMD
Mutant      \BaseNamedObjects\MSCTF.TimListMUTEX.
Section      \BaseNamedObjects\PMSHMEM_MAPNAME_192.168.101.20
Section      \BaseNamedObjects\CiceroSharedMem Default
Section      \BaseNamedObjects\MSCTF.TimListSFM.
Semaphore      \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Semaphore      \BaseNamedObjects\RICOH_PM_PMWsock_SOCTBL_1608
Semaphore      \BaseNamedObjects\RICOH_PM_PMWsock_IPXTBL_1608
Semaphore      \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore      \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Thread      PMCTray.exe(1608): 1604
Thread      PMCTray.exe(1608): 1556
Thread      PMCTray.exe(1608): 1772
Thread      PMCTray.exe(1608): 1772
Thread      PMCTray.exe(1608): 1772
Thread      PMCTray.exe(1608): 1780
Thread      PMCTray.exe(1608): 1604
WindowStation      \Windows\WindowStations\WinSta0
WindowStation      \Windows\WindowStations\WinSta0
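Lobo's Process Explorer suggestion (find the xxxxx_Barb.exe process and note what it hangs off) can be applied to a copied listing like the one sablog pasted, without reading the tree by eye. The Python below is an added example, not part of this thread and not Sysinternals code: it parses the tab-separated listing Process Explorer copies to the clipboard, recovers each process's parent from the leading-space indentation, and reports processes whose publisher is unknown or missing, or whose name matches a hint. The publisher allowlist is an assumption, and the sample listing is constructed from a subset of the rows above plus one made-up "Bind Online Barb.exe" row so that the name check has something to hit.

```python
"""Triage of a Process Explorer listing copied as text (added example)."""

# Publishers this machine is expected to run code from (assumed allowlist).
KNOWN_PUBLISHERS = {"microsoft corporation", "sysinternals", "sygate technologies, inc."}
# Kernel pseudo-processes that legitimately carry no publisher.
PSEUDO_PROCESSES = {"System Idle Process", "System", "Interrupts", "DPCs"}


def parse_listing(text):
    """Parse 'Process\\tPID\\tCPU\\tDescription\\tCompany Name' rows into dicts.
    Leading spaces give the tree depth; a row's parent is the nearest shallower row above it."""
    rows, stack = [], []  # stack holds (depth, name) of the current ancestor chain
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        cols = line.strip(" ").split("\t")
        cols += [""] * (5 - len(cols))  # pad short rows (CPU/description/company may be empty)
        name, pid, cpu, desc, company = [c.strip() for c in cols[:5]]
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        stack.append((depth, name))
        rows.append({"name": name, "pid": int(pid), "cpu": cpu,
                     "description": desc, "company": company, "parent": parent})
    return rows


def suspicious(rows, name_hint="barb.exe"):
    """Return (name, pid, parent, reasons) for rows worth a second look."""
    findings = []
    for r in rows:
        if r["name"] in PSEUDO_PROCESSES:
            continue
        reasons = []
        if r["name"].lower().endswith(name_hint.lower()):
            reasons.append("name matches hint")
        if r["company"].lower() not in KNOWN_PUBLISHERS:
            reasons.append("unknown or missing publisher")
        if reasons:
            findings.append((r["name"], r["pid"], r["parent"], reasons))
    return findings


# Constructed sample: a subset of the listing above, tab-separated as Process Explorer copies it,
# plus one made-up "Bind Online Barb.exe" row (PID 1700) that is NOT in the original listing.
SAMPLE_LISTING = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name",
    "System Idle Process\t0\t80\t\t",
    " System\t8\t\t\t",
    "  smss.exe\t144\t\tWindows NT Session Manager\tMicrosoft Corporation",
    "   winlogon.exe\t172\t1\tWindows NT Logon Application\tMicrosoft Corporation",
    "    services.exe\t224\t1\tServices and Controller app\tMicrosoft Corporation",
    "     smc.exe\t364\t2\tSygate Agent Firewall\tSygate Technologies, Inc.",
    "Explorer.EXE\t1092\t\tWindows Explorer\tMicrosoft Corporation",
    " Traybar.exe\t1448\t\t\t",
    "  procexp.exe\t1692\t4\tSysinternals Process Explorer\tSysinternals",
    " Bind Online Barb.exe\t1700\t\t\t",
])

if __name__ == "__main__":
    for name, pid, parent, reasons in suspicious(parse_listing(SAMPLE_LISTING)):
        print(f"{name} (pid {pid}, parent {parent}): {', '.join(reasons)}")
```

On the sample this reports Traybar.exe (no publisher string, as in the real listing) and the constructed Bind Online Barb.exe row, each with its parent process, and nothing else. An empty Company Name is only a prompt to look closer; Traybar is a known freeware launcher, so the analyst still has to confirm each hit, which is what the double-click detail window Lobo describes is for.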
