Thread: ok I'm stumped!

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    518

    ok I'm stumped!

    My brother in law got a hijacker installed somehow.
    Now what this particular one does is add to the host file:
    <IP address> auto.search.msn.com
    <IP address> search.msn.com
    <IP address> msn.com
    <IP address> www.msn.com
    The IP address is for royalsearch.net. Upon googling, I got Symantec:

    (Full Symantec response here)
    http://www.symantec.com/avcenter/ven....bootconf.html
    HOWEVER, when the instructions are followed, upon reboot it just redoes it all again.
    Virus defs are completely up to date. It's not finding it. Tried the cleaner and Adaware; Adaware nailed some hijacking reg entries, only to have them come back on reboot. The cleaner produced nothing.
    It's getting executed from reboot somewhere, yet there's nothing in hklm/blah blah/run, or runonce, all the usual spots, nothing in msconfig and nothing in startup.

    Also it changes the start page to coolwebsearch ... that's something NOT mentioned in Symantec.


    So my guesses are it's NOT bootconf, though it acts JUST like it, or it's a variant of it that Symantec hasn't got yet... or...????

    He is running a free 6 month trial from MS of Windows 2003 Server. I wish he would just buy XP.
    But I can't convince him otherwise since free is good...

    I think I've gone all I can, Google and all, and now I turn to you for help after spending hours on it.
    Thanks in advance.
    Avenger
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Have you checked the Autoexec.bat? It could be running from there. Also I would get WinPatrol (http://www.winpatrol.com) for now to keep it at bay. That should at least let you tell it to not change the start page and everything. Also look into a registry monitor. I think there is one at www.sysinternals.com called Regmon. If Symantec had an entry, did you try searching your computer for whatever Symantec had the entry for and deleting suspicious files? You may want to try Spybot Search and Destroy also; usually the combo of that and Adaware catches almost anything.

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Please try:

    http://www.spywareinfo.com/~merijn/index.html and get "HijackThis"

    It will show what is running, and allow you to kill it. The browser stuff is usually at the top of the list... be careful... it shows everything, not just the bad guys

    Some of this crap seems to get into the Windows "Hosts" file these days...

    http://webattack.com/get/hostadmin.html

    This tool lets you manage your Hosts file

    Once you have it sorted out:

    http://www.wilderssecurity.com get "Browser Hijack Blaster"... whilst you are there you might as well get Spyware Guard and Spyware Blaster as well?

    I would recommend running in "safe mode" in case the malware defends itself.

    Good Luck
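
Added example, not part of any post in this thread: a hosts-file check for the kind of redirect described in post #1, where `msn.com` names are pointed at an outside address. The watched-domain list and the sample file are constructed, and 203.0.113.5 is a documentation address standing in for the thread's `<IP address>`.

```python
import ipaddress

# Domains the hijacker in this thread redirected; extend as needed (assumption).
WATCHED = ("msn.com",)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # one line may map several names
            yield no, ip, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED):
    """Return mappings that send a watched domain (or a subdomain of it)
    to an address that is neither loopback nor 0.0.0.0."""
    hits = []
    for no, ip, name in parse_hosts(text):
        on_watch = any(name == d or name.endswith("." + d) for d in watched)
        blocking = ip.is_loopback or ip.is_unspecified  # typical block-list entries
        if on_watch and not blocking:
            hits.append((no, str(ip), name))
    return hits

# Constructed sample file, not taken from the infected machine.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
203.0.113.5     auto.search.msn.com
203.0.113.5     search.msn.com   # added by hijacker
203.0.113.5     msn.com www.msn.com
0.0.0.0         ads.msn.com
203.0.113.5     notmsn.com
"""

if __name__ == "__main__":
    for no, ip, name in suspicious_entries(SAMPLE):
        print(f"line {no}: {name} -> {ip}")
```

Running it again after each reboot shows whether the entries have been rewritten, which is the symptom post #1 reports.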

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Thank you, I will try it and if I don't find it in those places, I'll be back

  5. #5
    right on top of it, nihil.. beat me to the hijackthis recommendation by far..

    I'm kinda shocked that avenger hadn't read THIS THREAD yet..

    avenger... .. jenjen
