Solved

Home Page Hijacker

Posted on 2004-10-24
11,283 Views
Last Modified: 2008-01-09
I have downloaded pretty well all the detection programs available and updated them. Hijack this shows the first 2 entries as:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=6537659
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=6537659

I think this may be a MySearchNow variant. Nothing I can do will remove them. Any ideas?
0
Question by:sablog
    23 Comments
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    Hello sablog =)

    Sure u are disabling System Restore before cleaning the system if its WinXP\ME ??
    and are u doing the cleaning in Safemode ??
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    check our EE Official Link on How to Troubleshoot Spywares\Adwares and Browser Hijacking Issues,
    http://www.experts-exchange.com/Q_20975384.html

    May be u can get the idea from there that what to do to kick it out from the system :)
    0
     
    LVL 17

    Expert Comment

    by:Lobo042399
    Hi sablog,

Here's an easy fix for hot-searches. Print this page for reference while doing the removal and disable System Restore:

    - Close IE and preferably disconnect the machine from the Net.

    - Using Windows Explorer navigate to your \system32\ folder. Look for files with the names: xplugin.dll; tmksrvu.exe; and tksrv98.exe; and delete them. If xplugin.dll can't be deleted you can use KillBox to remove it. (KillBox can be downloaded from http://www.gatesofdelirium.com/ee/tools/)

    - Also look for the following files and delete them: check-privacy.exe; kaza.dll; kaza2.dll; hosts; hosts.2; d1k.exe; and d1ki.exe; ole32ws.dll; Q80164935.exe; Q80635352.exe; d.cmd. They may NOT be there, which is okay. Delete them if you find them.

- Open your Registry and run a Find for all keys mentioning "hot-searches.com" and "lender-search.com" and delete them, except the keys found under Internet Explorer. For those, you can replace them with your favourite home page, or you can delete the value and leave the key empty.

- Run another Find in the Registry and find and delete all entries with "81.211.105.69" and "81.211.105.68".

    - Reboot your machine.

    You should be clear now.

    Good Vibes!

    Lobo
    0
     

    Author Comment

    by:sablog
    Hi guys
    I'm not sure if these fixes have made things better or worse! First item now reads:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    It's W2000 by the way.
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    did u run adaware+spybot+CWShredder in safemode ??
    u can get them from the link above of EE Official Link :)
    0
     

    Author Comment

    by:sablog
    Yes I did. I ran them all in safe mode and they seemed to work. But on reboot the mysearchnow line comes back again. I can't understand how they do it!
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    ok can u plzz get the HijackThis v1.98.2 from here,
    http://tools.radiosplace.com/HijackThis.exe

    Then Post its log at this site >> http://www.hijackthis.de/index.php?langselect=english
    analyse it, and then plzz post here the address of that analysed page !! :)
    0
     

    Author Comment

    by:sablog
    http://www.hijackthis.de/logfiles/48f13f55a1c067580d80ebbd030c4eb3.html

    Some comments about the logfile (in order of issue raised, yellow and red items only):
Qwik Fix - Qwik-Fix Pro uses "Active System Hardening" to protect Windows desktops and servers against new threats by blocking the underlying vulnerabilities exploited by worms and viruses.

    IHateSpam: SPAM detector and eliminator for Outlook and Outlook Express

    Sygate: Home Networking application

    Sophos Sweep: Sophos Virus Detection

    Traybar: Freeware application Launcher for Windows (http://www.nimation.nl/traybar/) been using trouble free for years

    Wheres James Startup manager: WheresJames Startup Manager will allow you to view the programs that start with Windows and disable or delete them if you like.(http://www.wheresjames.com/index.php?page=startupmgr) Again been using trouble free for years.

    WordWeb: English Dictionary

    DigiGuide: DigiGuide is a powerful and flexible TV guide for your Windows PC.(http://www.digiguide.com/)

    R3 Don't know

    O2 Unnecessary items - don't know. NAV Helper relates to Norton antivirus remnants not uninstalled completely

    O3 Norton Antivirus same as above. Norton antivirus wouldn't uninstall completely so am using Sophos instead now.

    O4 hpqqpk.exe - cannot delete nor locate in system32 folder

    O8 Roboform - RoboForm is a free password manager and one-click web form filler( http://www.roboform.com/)

    O8 Copernic Agent - Search agent

    O10 Don't know

    O16 Content AuditX Control - Don't know but am getting warnings that 'current security settings prohibit running ActiveX controls on this page' although this isn't true!

    O16 Logitech - don't know but may relate to a previous mouse installation

    Good Luck!



    0
     
    LVL 29

    Expert Comment

    by:blue_zee

    Try the latest version of CoolWebShredder (V. 2.0):

    http://www.intermute.com/spysubtract/cwshredder_download.html

    Zee

    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    U have three entries which are not good,,,,

>> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    (its listed as SAFE, but its not)

    >> R3 - Default URLSearchHook is missing

    >> O4 - HKLM\..\Run: [settings byte] C:\PROGRA~1\GramWarn\Bind Online Barb.exe
    (what is this, i cannot recognise this program, do u ?? )

    and here is another one >> O10 - Broken Internet access because of LSP provider 'c:\program files\netsonic\netsonic.dll' missing

    to fix this u will have to use LSPFix >> http://www.spychecker.com/program/lspfix.html
    0
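A small triage script for HijackThis-style log lines like the ones flagged above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses R0/R1/R3/O4/O10 entries, marks start and search pages that point at the hijacker domains named in this thread, and flags Run entries outside a trusted-directory list. The trusted host list, the trusted directory list and the Sophos O4 sample line are assumptions.

```python
"""Triage HijackThis-style log entries (R0/R1 start and search pages, R3
URLSearchHook, O4 Run entries, O10 LSP state).  Added example, not from the
thread or from HijackThis."""
import re
from urllib.parse import urlparse

# Hosts a user would expect as start/search page (assumption: edit to taste).
TRUSTED_HOSTS = {"www.microsoft.com", "www.google.com", "about:blank"}
# Hijacker domains named in this thread.
KNOWN_BAD_HOSTS = {"hot-searches.com", "mysearchnow.com", "lender-search.com"}
# Run-key program directories treated as legitimate (assumption).
TRUSTED_RUN_DIRS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\sophos\\")

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+)\s+-\s+(?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


def host_of(url):
    """Host part of a URL, or the whole string for non-URL values (about:blank)."""
    parsed = urlparse(url.strip())
    return parsed.netloc.lower() or url.strip().lower()


def classify(line):
    """Return (entry_type, verdict, detail) or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    if kind in ("R0", "R1"):
        # body: HKCU\...\Main,Start Page = http://host/...
        _, _, url = body.partition(" = ")
        host = host_of(url)
        if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            return kind, "BAD", host
        return kind, ("OK" if host in TRUSTED_HOSTS else "REVIEW"), host
    if kind == "R3":  # a missing default URLSearchHook often means it was hijacked
        return kind, ("REVIEW" if "missing" in body.lower() else "OK"), body
    if kind == "O4":  # body: HKLM\..\Run: [name] C:\path\prog.exe
        m2 = RUN_RE.search(body)
        cmd = (m2.group("cmd") if m2 else body).lower()
        return kind, ("OK" if cmd.startswith(TRUSTED_RUN_DIRS) else "REVIEW"), cmd
    if kind == "O10":  # LSP chain damage as reported by HijackThis
        return kind, ("BAD" if "broken" in body.lower() else "OK"), body
    return kind, "OK", body


def scan(log_text):
    """List of (type, verdict, detail) for every entry that is not OK."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r[1] != "OK"]


# Constructed sample: the entries quoted in this thread plus one assumed Sophos Run line.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=6537659
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=home
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [settings byte] C:\\PROGRA~1\\GramWarn\\Bind Online Barb.exe
O4 - HKLM\\..\\Run: [ICMON] C:\\Program Files\\Sophos\\Sweep\\ICMON.EXE
O10 - Broken Internet access because of LSP provider 'c:\\program files\\netsonic\\netsonic.dll' missing
"""

if __name__ == "__main__":
    for kind, verdict, detail in scan(SAMPLE_LOG):
        print(f"{kind:4} {verdict:7} {detail}")
```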
     

    Author Comment

    by:sablog
    LSP Fix worked fine for 010
    I agree mysearchnow is the problem and don't know what Bind online Barb is. Any ideas on removal? thanks
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    >> don't know what Bind online Barb is

    whatever it is, its present in C:\Program Files\GramWarn folder
    fix the entry in hijackthis and then delete this folder in safemode to recycle bin,,,, restart back and check if its gone or not ??
    and the R0 entry.... its popping up again and again when u fix it..... right ??
    have u for once tried fixing it in safemode instead of in normal mode ??
    0
     

    Author Comment

    by:sablog
    It may be present in C:\Program Files\GramWarn folder but I can't find it there! Not even from the DOS prompt. So it's pretty clever to disguise itself in this way. I may be approaching the point of reformatting soon as several others with this problem have not succeeded either.
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    try enabling the show hidden files and protected system files from folder options and then check if its visible now ??
    0
     

    Author Comment

    by:sablog
    I'm afraid I've already checked for that possibility.
    0
     
    LVL 17

    Expert Comment

    by:Lobo042399
    Hi sablog,

    the Barb.exe malady has several forms, from what I can gather from research. I have not seen a fix for it yet so let's try and be creative here.

    First, download Process Explorer from my Tools link. Run it and look for all the running processes. Double-clicking on a Process will open a window with more info on it, like Registry keys, linked programs, TCP/IP connections a Process may be using and where it's connecting, and other info. Look for the xxxxx_Barb.exe file in there and write down every bit of info you find about it and post it here. Let's see if we can be the first to come up with a cleaning method for that parasite.

    Good Vibes!

    Lobo
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    sablog, just confirming..... zee asked to run the CWShredder v2.0.... have u run it already in safemode ?? :)
    0
     
    LVL 13

    Expert Comment

    by:gonzal13
    Try 'Giant Antispyware'. I just downloaded the free fully functional 15 day trial program. It picked up items that others missed. It was quite surprising.

    www.giantantispyware.com

    gonzal13(joe)
    0
     
    LVL 13

    Expert Comment

    by:gonzal13
    Spybot Search & Destroy can avoid home page hijacking to some extent:

    http://www.safer-networking.org/index.php?page=download
    Install, UPDATE and run.
    You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).
    You should also apply the "immunize" function, since it blocks roughly 1700 known 'bad' runs/apis/apps.

    Start Spybot S&D. Now go to Mode and select "Advanced Mode".

    Click "Tools" on the left hand pane. Now click IE Tweaks.

    On the right hand pane you can now select "Lock IE start page setting against user changes (current user)"

    Hope this may help.

    If you want to cleanup the mess in those PC's, it must be done through HijackThis.
    0
     

    Author Comment

    by:sablog
    I'm still working through your ideas!

    CWShredder and Giant Antispyware detect the problem but don't eradicate it even in Safe Mode.  Nor Spybot S&D. Hijackthis in safe mode says it isn't there. When you reboot in Normal mode and run Hijackthis, it's back again! Am currently running Firefox which seems to be much better and not yet attacked.
    0
     
    LVL 65

    Accepted Solution

    by:
    take out the hard drive and hook it as slave drive in another system and then run the removal tools.... =\
    0
     
    LVL 17

    Assisted Solution

    by:Lobo042399
    Hi sablog,

    did you try running Process Explorer?

    Cheers,

    Lobo
    0
     

    Author Comment

    by:sablog
    I have worked through all of the ideas above except for taking out the hard drive (Not had time yet!) None of the above have worked so far although the problem is less now I'm using Firefox. Process Explorer data follows:

    Process      PID      CPU      Description      Company Name
    System Idle Process      0      80            
     Interrupts      n/a            Hardware Interrupts      
     DPCs      n/a            Deferred Procedure Calls      
     System      8                  
      smss.exe      144            Windows NT Session Manager      Microsoft Corporation
       csrss.exe      176      1      Client Server Runtime Process      Microsoft Corporation
       winlogon.exe      172      1      Windows NT Logon Application      Microsoft Corporation
        services.exe      224      1      Services and Controller app      Microsoft Corporation
         smc.exe      364      2      Sygate Agent Firewall      Sygate Technologies, Inc.
         svchost.exe      420            Generic Host Process for Win32 Services      Microsoft Corporation
         spoolsv.exe      440            Spooler SubSystem App      Microsoft Corporation
         DkService.exe      468            DKSERVICE.EXE      Executive Software International, Inc.
         svchost.exe      480            Generic Host Process for Win32 Services      Microsoft Corporation
         qfloadsvc.exe      552            qfloadsvc Application      PivX Solutions, Inc.
         MSTask.exe      624            Task Scheduler Engine      Microsoft Corporation
         SWNETSUP.EXE      680            Sophos Anti-Virus network support service      Sophos Plc
         SWEEPSRV.SYS      756            Sophos Anti-Virus detection system service      Sophos Plc
         WinMgmt.exe      864            Windows Management Instrumentation      Microsoft Corporation
         svchost.exe      900            Generic Host Process for Win32 Services      Microsoft Corporation
         sgserv.exe      1028      3      Sygate Internet Sharing Service For NT      Sygate technologies Inc.
        lsass.exe      236            LSA Executable and Server DLL (Export Version)      Microsoft Corporation
    Explorer.EXE      1092            Windows Explorer      Microsoft Corporation
     Sygate.exe      1384      4      Sygate - Internet Sharing Software      Sygate Technologies, Inc.
     siService.exe      1388                  GIANT Company Software, inc.
      siMailProxyServ      1564                  GIANT Company Software inc.
      siSpamFilterEng      1452                  GIANT Company Software
     Ad-Watch.exe      1408      4      Ad-Watch System Protector      Lavasoft Sweden
     qttask.exe      1412                  Apple Computer, Inc.
     Traybar.exe      1448                  
      procexp.exe      1692      4      Sysinternals Process Explorer      Sysinternals
     StartupMgr.exe      1484            Control startup applications.      WheresJames Software (www.wheresjames.com)
     RoboTaskBarIcon      1504            RoboForm TaskBar Icon      Siber Systems
     ctfmon.exe      1516            Cicero Loader      Microsoft Corporation
     AUTOCHK.EXE      1540            ConfigSafe Auto Check Program      imagine LAN, Inc.
     wweb32.exe      1432            WordWeb thesaurus/dictionary      Antony Lewis
     SpySub.exe      1576            SpySubtract Program EXE      InterMute, Inc.
     ICMON.EXE      528      1      Sophos Anti-Virus InterCheck activity monitor (ENG)      Sophos Plc
     qfui.exe      1600            Qwik-Fix Pro - Home Edition      PivX Solutions, Inc.
    PMCTray.exe      1608            Ridoc IO Navi Module      RICOH COMPANY,LTD.

    Process: PMCTray.exe Pid: 1608

    Type      Name
    Desktop      \Default
    Directory      \KnownDlls
    Directory      \Windows
    Directory      \BaseNamedObjects
    Event      \BaseNamedObjects\userenv:  User Profile setup event
    File      C:\Program Files\RMClient
    File      \Device\Tcp
    File      \Device\Tcp
    File      \Device\Ip
    File      \Device\Ip
    File      \Device\Ip
    File      \Device\Afd\Endpoint
    File      \Device\WS2IFSL\NifsPvd
    File      \Device\WS2IFSL\NifsSct
    File      \Device\Udp
    File      \Device\KsecDD
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
    Key      HKLM\SYSTEM\ControlSet002\Services\Tcpip\Linkage
    Key      HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters
    Key      HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters\Interfaces
    Key      HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\Net98
    Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
    Key      HKLM
    Key      HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
    Key      HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
    Key      HKLM\SYSTEM\ControlSet002\Control\NetworkProvider\HwOrder
    Key      HKCU
    Key      HKCU\Software\Classes
    Mutant      \BaseNamedObjects\PMMUTEX_192.168.101.20
    Mutant      \BaseNamedObjects\PMPSAPI-192.168.101.20
    Mutant      \BaseNamedObjects\RasPbFile
    Mutant      \BaseNamedObjects\DBWinMutex
    Mutant      \BaseNamedObjects\PMClient
    Mutant      \BaseNamedObjects\MSUIM.GlobalLangBarEventSink.Mutex
    Mutant      \BaseNamedObjects\MSUIM.GlobalCompartment.Mutex
    Mutant      \BaseNamedObjects\MSUIM.Assembly.Mutex
    Mutant      \BaseNamedObjects\MSUIM.Layouts.Mutex
    Mutant      \BaseNamedObjects\MSUIM.MarshalInterfaceMutex.TMD
    Mutant      \BaseNamedObjects\MSCTF.TimListMUTEX.
    Section      \BaseNamedObjects\PMSHMEM_MAPNAME_192.168.101.20
    Section      \BaseNamedObjects\CiceroSharedMem Default
    Section      \BaseNamedObjects\MSCTF.TimListSFM.
    Semaphore      \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
    Semaphore      \BaseNamedObjects\RICOH_PM_PMWsock_SOCTBL_1608
    Semaphore      \BaseNamedObjects\RICOH_PM_PMWsock_IPXTBL_1608
    Semaphore      \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
    Semaphore      \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
    Thread      PMCTray.exe(1608): 1604
    Thread      PMCTray.exe(1608): 1556
    Thread      PMCTray.exe(1608): 1772
    Thread      PMCTray.exe(1608): 1772
    Thread      PMCTray.exe(1608): 1772
    Thread      PMCTray.exe(1608): 1780
    Thread      PMCTray.exe(1608): 1604
    WindowStation      \Windows\WindowStations\WinSta0
    WindowStation      \Windows\WindowStations\WinSta0
    0
