Solved

Home Page Hijacker

Posted on 2004-10-24
Medium Priority
11,341 Views
Last Modified: 2008-01-09
I have downloaded pretty well all the detection programs available and updated them. HijackThis shows the first 2 entries as:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=6537659
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=6537659

I think this may be a MySearchNow variant. Nothing I can do will remove them. Any ideas?
Question by:sablog
24 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12395582
Hello sablog =)

Are you sure you are disabling System Restore before cleaning the system, if it's WinXP\ME?
And are you doing the cleaning in Safe Mode?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12395603
Check our EE Official Link on How to Troubleshoot Spyware\Adware and Browser Hijacking Issues,
http://www.experts-exchange.com/Q_20975384.html

Maybe you can get the idea from there of what to do to kick it out of the system :)
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12396035
Hi sablog,

Here's an easy fix for hot-searches. Print this page for reference while doing the removal, and disable System Restore:

- Close IE and preferably disconnect the machine from the Net.

- Using Windows Explorer navigate to your \system32\ folder. Look for files with the names: xplugin.dll; tmksrvu.exe; and tksrv98.exe; and delete them. If xplugin.dll can't be deleted you can use KillBox to remove it. (KillBox can be downloaded from http://www.gatesofdelirium.com/ee/tools/)

- Also look for the following files and delete them: check-privacy.exe; kaza.dll; kaza2.dll; hosts; hosts.2; d1k.exe; and d1ki.exe; ole32ws.dll; Q80164935.exe; Q80635352.exe; d.cmd. They may NOT be there, which is okay. Delete them if you find them.

- Open your Registry and run a Find for all keys mentioning "hot-searches.com" and "lender-search.com" and delete them, except the keys found under Internet Explorer. For those, you can replace them with your favourite home page, or you can delete the value and leave the key empty.

- Run another Find in the Registry and delete all entries with "81.211.105.69" and "81.211.105.68".

- Reboot your machine.

You should be clear now.

Good Vibes!

Lobo
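
The registry "Find" step in the post above can be done against an exported copy of the hive instead of clicking through regedit. The script below is an added example, not from the thread: it parses a .reg export (regedit's File > Export, or `reg export HKCU hkcu.reg` on XP and later), lists every key or value that mentions one of the indicator strings, and says whether the hit should be reset (values under Internet Explorer) or deleted (everything else), mirroring the post's rule. The indicator list is the domains and IP addresses named in the post plus mysearchnow.com from the question; the sample export embedded in the script is constructed.

```python
"""Scan a regedit (.reg) export for browser-hijacker indicators.

Added example for this thread, not HijackThis or Experts Exchange code.
Run with a path to a .reg file, or with no arguments to scan the
constructed SAMPLE_REG below.
"""
import re
import sys

# Indicator strings taken from the removal post and the question.
INDICATORS = ["hot-searches.com", "lender-search.com", "mysearchnow.com",
              "81.211.105.69", "81.211.105.68"]

# Keys whose values are reset rather than deleted: removing
# HKCU\...\Internet Explorer\Main itself would break IE.
RESET_NOT_DELETE = ("\\internet explorer\\",)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data); value_name '' is the (Default) value.

    Only REG_SZ data is unescaped; dword:/hex: data is passed through raw,
    and hex continuation lines are ignored.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name = "" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def find_hijacker_entries(text, indicators=INDICATORS):
    """Return one dict per key/value whose path, name or data matches."""
    hits = []
    for key, name, data in parse_reg_export(text):
        hay = (key + "\x00" + name + "\x00" + data).lower()
        matched = [i for i in indicators if i.lower() in hay]
        if not matched:
            continue
        action = ("reset value" if any(p in key.lower() for p in RESET_NOT_DELETE)
                  else "delete key")
        hits.append({"key": key, "name": name, "data": data,
                     "matched": matched, "action": action})
    return hits


def load_reg_file(path):
    """regedit writes UTF-16LE with a BOM; older tools write ANSI."""
    with open(path, "rb") as f:
        blob = f.read()
    if blob.startswith(b"\xff\xfe"):
        return blob.decode("utf-16")
    return blob.decode("latin-1")


# Constructed sample export, shaped like the entries described in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hot-searches.com/index.php?v=6&aff=6537659"
"Search Page"="http://hot-searches.com/index.php?v=6&aff=6537659"
"Local Page"="C:\\WINNT\\system32\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"settings byte"="C:\\PROGRA~1\\GramWarn\\Bind Online Barb.exe"

[HKEY_CURRENT_USER\Software\hot-searches.com]
@="installed"
"Server"="81.211.105.69"
'''

if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for h in find_hijacker_entries(text):
        print(f'{h["action"]:<12} [{h["key"]}] "{h["name"]}" = {h["data"]}'
              f'  ({", ".join(h["matched"])})')
```

The script only reports; act on its list with regedit so that the Internet Explorer values are overwritten rather than the keys removed. Note that the Run entry for GramWarn is not reported, because nothing in the indicator list names it: a string scan only finds what you already know to look for, which is why the thread falls back to HijackThis and Process Explorer for the unknown program.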
Author Comment

by:sablog
ID: 12402874
Hi guys
I'm not sure if these fixes have made things better or worse! First item now reads:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
It's W2000 by the way.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12402905
Did you run Ad-Aware + Spybot + CWShredder in Safe Mode??
You can get them from the EE Official Link above :)
 

Author Comment

by:sablog
ID: 12404868
Yes I did. I ran them all in safe mode and they seemed to work. But on reboot the mysearchnow line comes back again. I can't understand how they do it!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12404920
OK, can you please get HijackThis v1.98.2 from here,
http://tools.radiosplace.com/HijackThis.exe

Then post its log at this site >> http://www.hijackthis.de/index.php?langselect=english
analyse it, and then please post here the address of that analysed page !! :)
 

Author Comment

by:sablog
ID: 12415925
http://www.hijackthis.de/logfiles/48f13f55a1c067580d80ebbd030c4eb3.html

Some comments about the logfile (in order of issue raised, yellow and red items only):
Qwik Fix - Qwik-Fix Pro uses Active System Hardening to protect Windows desktops and servers against new threats by blocking the underlying vulnerabilities exploited by worms and viruses.

IHateSpam: SPAM detector and eliminator for Outlook and Outlook Express

Sygate: Home Networking application

Sophos Sweep: Sophos Virus Detection

Traybar: Freeware application Launcher for Windows (http://www.nimation.nl/traybar/) been using trouble free for years

Wheres James Startup manager: WheresJames Startup Manager will allow you to view the programs that start with Windows and disable or delete them if you like.(http://www.wheresjames.com/index.php?page=startupmgr) Again been using trouble free for years.

WordWeb: English Dictionary

DigiGuide: DigiGuide is a powerful and flexible TV guide for your Windows PC.(http://www.digiguide.com/)

R3 Don't know

O2 Unnecessary items - don't know. NAV Helper relates to Norton antivirus remnants not uninstalled completely

O3 Norton Antivirus same as above. Norton antivirus wouldn't uninstall completely so am using Sophos instead now.

O4 hpqqpk.exe - cannot delete nor locate in system32 folder

O8 Roboform - RoboForm is a free password manager and one-click web form filler( http://www.roboform.com/)

O8 Copernic Agent - Search agent

O10 Don't know

O16 Content AuditX Control - Don't know but am getting warnings that 'current security settings prohibit running ActiveX controls on this page' although this isn't true!

O16 Logitech - don't know but may relate to a previous mouse installation

Good Luck!



 
LVL 29

Expert Comment

by:blue_zee
ID: 12416379

Try the latest version of CoolWebShredder (V. 2.0):

http://www.intermute.com/spysubtract/cwshredder_download.html

Zee

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12416444
You have three entries which are not good:

>> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
(it's listed as SAFE, but it's not)

>> R3 - Default URLSearchHook is missing

>> O4 - HKLM\..\Run: [settings byte] C:\PROGRA~1\GramWarn\Bind Online Barb.exe
(what is this? I cannot recognise this program, do you??)

and here is another one >> O10 - Broken Internet access because of LSP provider 'c:\program files\netsonic\netsonic.dll' missing

To fix this you will have to use LSPFix >> http://www.spychecker.com/program/lspfix.html
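
The entries picked out above follow the fixed HijackThis line formats (R0/R1 start and search page, R3 URLSearchHook, O4 autostart, O10 Winsock LSP). The script below is an added example, not HijackThis code and not from the thread: it parses those line types and flags what a reviewer would question. The trusted-host and known-program allowlists and the sample log are constructed for illustration. It also shows the trap in the mysearchnow.com line: the URL carries www.microsoft.com in its query string, so a naive substring check rates it safe, while the host the browser actually loads is mysearchnow.com.

```python
"""Triage HijackThis-style log lines.

Added example for this thread; the allowlists and SAMPLE_LOG are
constructed. Run with a path to a saved log, or with no arguments to
triage the sample.
"""
import re
import sys
from urllib.parse import urlsplit

# Hosts a start/search page may legitimately point at (constructed list).
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "www.google.com"}
# Program Files subdirectories we recognise (constructed list).
KNOWN_PROGRAM_DIRS = {"sygate", "sophos", "roboform", "lavasoft"}

_R01 = re.compile(r"^(R[01]) - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>.+)$")
_R3 = re.compile(r"^R3 - (?P<text>.+)$")
_O4 = re.compile(r"^O4 - (?P<where>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O10 = re.compile(r"^O10 - (?P<text>.+?'(?P<dll>[^']+)'.+)$")


def page_host(url):
    """Hostname the browser will actually load.

    A passthrough URL like http://mysearchnow.com/passthrough/index.html?
    http://www.microsoft.com/... embeds a trusted name in its query string;
    urlsplit() still reports mysearchnow.com as the host.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


def triage_line(line):
    """Return a finding dict for one log line, or None if nothing to flag."""
    line = line.strip()
    m = _R01.match(line)
    if m:
        host = page_host(m.group("url"))
        if host and host not in TRUSTED_HOSTS:
            return {"type": m.group(1), "item": m.group("value").strip(), "detail": host,
                    "fix": "fix the entry, then confirm it stays fixed after a normal-mode reboot"}
        return None
    m = _R3.match(line)
    if m and "missing" in m.group("text").lower():
        return {"type": "R3", "item": "URLSearchHook", "detail": m.group("text"),
                "fix": "let HijackThis restore the default URLSearchHook"}
    m = _O4.match(line)
    if m:
        cmd = m.group("cmd")
        # Directory directly under Program Files, long or 8.3 (PROGRA~1) form.
        d = re.search(r"(?i)\\(?:program files|progra~1)\\([^\\]+)\\", cmd)
        vendor = d.group(1).lower() if d else None
        if vendor is None or vendor not in KNOWN_PROGRAM_DIRS:
            return {"type": "O4", "item": m.group("name"), "detail": cmd,
                    "fix": "identify the program; if unknown, fix the entry and remove its folder in Safe Mode"}
        return None
    m = _O10.match(line)
    if m:
        return {"type": "O10", "item": m.group("dll"), "detail": m.group("text"),
                "fix": "repair the Winsock catalog with an LSP tool rather than editing the keys by hand"}
    return None


def triage_log(text):
    """Findings for every line of a log, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample, using the line shapes quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=6537659
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [settings byte] C:\PROGRA~1\GramWarn\Bind Online Barb.exe
O4 - HKLM\..\Run: [Sygate] C:\Program Files\Sygate\Sygate.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\netsonic\netsonic.dll' missing
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage_log(text):
        print(f"{f['type']:<4} {f['item']}: {f['detail']}\n      -> {f['fix']}")
```

The O4 check is deliberately crude: it only asks whether the program's folder is one you recognise, which is the same question asked in the comment above. Anything it flags still needs a human to identify the program before deleting it.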
 

Author Comment

by:sablog
ID: 12420258
LSP Fix worked fine for O10.
I agree mysearchnow is the problem and don't know what Bind Online Barb is. Any ideas on removal? Thanks
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12424460
>> don't know what Bind Online Barb is

Whatever it is, it's present in the C:\Program Files\GramWarn folder.
Fix the entry in HijackThis and then delete this folder in Safe Mode to the Recycle Bin, restart and check if it's gone or not.
And the R0 entry.... it's popping up again and again when you fix it..... right??
Have you for once tried fixing it in Safe Mode instead of in normal mode??
 

Author Comment

by:sablog
ID: 12457120
It may be present in C:\Program Files\GramWarn folder but I can't find it there! Not even from the DOS prompt. So it's pretty clever to disguise itself in this way. I may be approaching the point of reformatting soon as several others with this problem have not succeeded either.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12458420
Try enabling "show hidden files" and "show protected operating system files" from Folder Options and then check if it's visible now??
 

Author Comment

by:sablog
ID: 12458755
I'm afraid I've already checked for that possibility.
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12460896
Hi sablog,

the Barb.exe malady has several forms, from what I can gather from research. I have not seen a fix for it yet so let's try and be creative here.

First, download Process Explorer from my Tools link. Run it and look at all the running processes. Double-clicking on a process will open a window with more info on it, like Registry keys, linked programs, TCP/IP connections a process may be using and where it's connecting, and other info. Look for the xxxxx_Barb.exe file in there, write down every bit of info you find about it and post it here. Let's see if we can be the first to come up with a cleaning method for that parasite.

Good Vibes!

Lobo
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12469869
sablog, just confirming..... Zee asked you to run CWShredder v2.0.... have you run it already in Safe Mode?? :)
 
LVL 13

Expert Comment

by:gonzal13
ID: 12474711
Try 'Giant AntiSpyware'. I just downloaded the free, fully functional 15-day trial program. It picked up items that others missed. It was quite surprising.

www.giantantispyware.com

gonzal13(joe)
 
LVL 13

Expert Comment

by:gonzal13
ID: 12499740
Spybot Search & Destroy can avoid home page hijacking to some extent:

http://www.safer-networking.org/index.php?page=download
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).
You should also apply the "immunize" function, since it blocks roughly 1700 known 'bad' runs/apis/apps.

Start Spybot S&D. Now go to Mode and select "Advanced Mode".

Click "Tools" on the left hand pane. Now click IE Tweaks.

On the right hand pane you can now select "Lock IE start page setting against user changes (current user)"

Hope this may help.

If you want to clean up the mess on those PCs, it must be done through HijackThis.
 

Author Comment

by:sablog
ID: 12517932
I'm still working through your ideas!

CWShredder and Giant Antispyware detect the problem but don't eradicate it even in Safe Mode.  Nor Spybot S&D. Hijackthis in safe mode says it isn't there. When you reboot in Normal mode and run Hijackthis, it's back again! Am currently running Firefox which seems to be much better and not yet attacked.
 
LVL 65

Accepted Solution

by:SheharyaarSaahil (earned 300 total points)
ID: 12517954
Take out the hard drive and hook it up as a slave drive in another system, and then run the removal tools.... =\
 
LVL 17

Assisted Solution

by:Lobo042399 (earned 300 total points)
ID: 12518222
Hi sablog,

did you try running Process Explorer?

Cheers,

Lobo
 

Author Comment

by:sablog
ID: 12638742
I have worked through all of the ideas above except for taking out the hard drive (not had time yet!). None of the above have worked so far, although the problem is less now I'm using Firefox. Process Explorer data follows:

Process      PID      CPU      Description      Company Name
System Idle Process      0      80            
 Interrupts      n/a            Hardware Interrupts      
 DPCs      n/a            Deferred Procedure Calls      
 System      8                  
  smss.exe      144            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      176      1      Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      172      1      Windows NT Logon Application      Microsoft Corporation
    services.exe      224      1      Services and Controller app      Microsoft Corporation
     smc.exe      364      2      Sygate Agent Firewall      Sygate Technologies, Inc.
     svchost.exe      420            Generic Host Process for Win32 Services      Microsoft Corporation
     spoolsv.exe      440            Spooler SubSystem App      Microsoft Corporation
     DkService.exe      468            DKSERVICE.EXE      Executive Software International, Inc.
     svchost.exe      480            Generic Host Process for Win32 Services      Microsoft Corporation
     qfloadsvc.exe      552            qfloadsvc Application      PivX Solutions, Inc.
     MSTask.exe      624            Task Scheduler Engine      Microsoft Corporation
     SWNETSUP.EXE      680            Sophos Anti-Virus network support service      Sophos Plc
     SWEEPSRV.SYS      756            Sophos Anti-Virus detection system service      Sophos Plc
     WinMgmt.exe      864            Windows Management Instrumentation      Microsoft Corporation
     svchost.exe      900            Generic Host Process for Win32 Services      Microsoft Corporation
     sgserv.exe      1028      3      Sygate Internet Sharing Service For NT      Sygate technologies Inc.
    lsass.exe      236            LSA Executable and Server DLL (Export Version)      Microsoft Corporation
Explorer.EXE      1092            Windows Explorer      Microsoft Corporation
 Sygate.exe      1384      4      Sygate - Internet Sharing Software      Sygate Technologies, Inc.
 siService.exe      1388                  GIANT Company Software, inc.
  siMailProxyServ      1564                  GIANT Company Software inc.
  siSpamFilterEng      1452                  GIANT Company Software
 Ad-Watch.exe      1408      4      Ad-Watch System Protector      Lavasoft Sweden
 qttask.exe      1412                  Apple Computer, Inc.
 Traybar.exe      1448                  
  procexp.exe      1692      4      Sysinternals Process Explorer      Sysinternals
 StartupMgr.exe      1484            Control startup applications.      WheresJames Software (www.wheresjames.com)
 RoboTaskBarIcon      1504            RoboForm TaskBar Icon      Siber Systems
 ctfmon.exe      1516            Cicero Loader      Microsoft Corporation
 AUTOCHK.EXE      1540            ConfigSafe Auto Check Program      imagine LAN, Inc.
 wweb32.exe      1432            WordWeb thesaurus/dictionary      Antony Lewis
 SpySub.exe      1576            SpySubtract Program EXE      InterMute, Inc.
 ICMON.EXE      528      1      Sophos Anti-Virus InterCheck activity monitor (ENG)      Sophos Plc
 qfui.exe      1600            Qwik-Fix Pro - Home Edition      PivX Solutions, Inc.
PMCTray.exe      1608            Ridoc IO Navi Module      RICOH COMPANY,LTD.

Process: PMCTray.exe Pid: 1608

Type      Name
Desktop      \Default
Directory      \KnownDlls
Directory      \Windows
Directory      \BaseNamedObjects
Event      \BaseNamedObjects\userenv:  User Profile setup event
File      C:\Program Files\RMClient
File      \Device\Tcp
File      \Device\Tcp
File      \Device\Ip
File      \Device\Ip
File      \Device\Ip
File      \Device\Afd\Endpoint
File      \Device\WS2IFSL\NifsPvd
File      \Device\WS2IFSL\NifsSct
File      \Device\Udp
File      \Device\KsecDD
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
Key      HKLM\SYSTEM\ControlSet002\Services\Tcpip\Linkage
Key      HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters
Key      HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters\Interfaces
Key      HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\Net98
Key      HKLM\SYSTEM\ControlSet002\Control\SecurityProviders\NetSet\MSwcf\NSN
Key      HKLM
Key      HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
Key      HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
Key      HKLM\SYSTEM\ControlSet002\Control\NetworkProvider\HwOrder
Key      HKCU
Key      HKCU\Software\Classes
Mutant      \BaseNamedObjects\PMMUTEX_192.168.101.20
Mutant      \BaseNamedObjects\PMPSAPI-192.168.101.20
Mutant      \BaseNamedObjects\RasPbFile
Mutant      \BaseNamedObjects\DBWinMutex
Mutant      \BaseNamedObjects\PMClient
Mutant      \BaseNamedObjects\MSUIM.GlobalLangBarEventSink.Mutex
Mutant      \BaseNamedObjects\MSUIM.GlobalCompartment.Mutex
Mutant      \BaseNamedObjects\MSUIM.Assembly.Mutex
Mutant      \BaseNamedObjects\MSUIM.Layouts.Mutex
Mutant      \BaseNamedObjects\MSUIM.MarshalInterfaceMutex.TMD
Mutant      \BaseNamedObjects\MSCTF.TimListMUTEX.
Section      \BaseNamedObjects\PMSHMEM_MAPNAME_192.168.101.20
Section      \BaseNamedObjects\CiceroSharedMem Default
Section      \BaseNamedObjects\MSCTF.TimListSFM.
Semaphore      \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Semaphore      \BaseNamedObjects\RICOH_PM_PMWsock_SOCTBL_1608
Semaphore      \BaseNamedObjects\RICOH_PM_PMWsock_IPXTBL_1608
Semaphore      \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore      \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Thread      PMCTray.exe(1608): 1604
Thread      PMCTray.exe(1608): 1556
Thread      PMCTray.exe(1608): 1772
Thread      PMCTray.exe(1608): 1772
Thread      PMCTray.exe(1608): 1772
Thread      PMCTray.exe(1608): 1780
Thread      PMCTray.exe(1608): 1604
WindowStation      \Windows\WindowStations\WinSta0
WindowStation      \Windows\WindowStations\WinSta0