
Thread: changing my homepage

  1. #11
    Ok... Extacy might be right and so might be Mittens, but if I don't say this right now then it's gonna be all a big deal about this little post. People post like crazy in non-sensical and they could very well be called post whores, so let's not make a big deal about this little shitty post, right?

  2. #12
    Junior Member | Join Date: Jun 2003 | Posts: 11
    Well, as nice as it is to see this thread turned into a theological debate on people's rights to point out the obvious, my original problem remains. Today when I went into Internet Explorer, once again, I was sent to hot-searches.com. But this time the page didn't load; I got the old 'The page cannot be displayed' error message.
    I'll run HijackThis again and post the log file here.


    Logfile of HijackThis v1.97.7
    Scan saved at 11:16:47 AM, on 3/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\DaRkWiNg\My Documents\prgms\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=2848728
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=2848728
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=2848728
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

    Thank you again for any help you can give.

  3. #13
    AntiOnline n00b | Join Date: Feb 2004 | Posts: 666
    Hi

    Use CWShredder; it will take care of the Cool Web Search Trojan hot-searches.com.

    AD-Aware and Norton are not able to detect CWS Trojans well most of the time; at least they never did that for me.

    Now can we continue with the thread hijacking thing? j/k

    [edit]

    Nihil has already advised it; have you tried it? It should have worked.

  4. #14
    MrLinus, Just a Virtualized Geek | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=2848728
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=2848728
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=2848728
    Perhaps deleting these three would be good?

  5. #15
    Senior Member | Join Date: Mar 2003 | Posts: 452
    I'm sorry we took your thread off topic earlier. Did SwordFish_13's advice fix your problem?

    If not, try this:

    If you have had your Internet Explorer's clicks hijacked by an invisible toolbar that installs itself and keeps changing your homepage to hot-searches.com and steals your clicks to lender-search.com, then do the following to remove it. Follow these steps only if you feel comfortable working with regedit. Warning: Don't edit your registry if you haven't done this before (I'd hate to be responsible for you having to reinstall your OS.)

    First copy these instructions and close out IE if that's what you're using. Delete xplugin.dll; it's in the \system32\ folder. Also delete the files tmksrvu.exe and tksrv98.exe (IE being closed, if you can't delete xplugin.dll, cut and paste somewhere else and then delete).

    Open registry, do find and delete all "hot-searches.com" and "lender-search.com" keys (that I found were in folders located UNDER Explorer Bars or a similar name for toolbars), delete the folders there.

    Also using "hot-searches.com" and "lender-search.com", find, open and rename strings under Internet Explorer (rename these to your favorite homepage, search page, etc).

    Do the same with finding and deleting all "81.211.105.69" and "81.211.105.68" (last one not found for me) keys.

    You should be rid of it now. Hope this helps you out.


    --PuRe

  6. #16
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    cwshredder will not work against the latest browser hi-jacks, and although removing the reg entries is necessary it will not prevent them from being re-written on the next re-boot.

    I ran across this Friday at a remote location. After running adaware, which removed 50 items, most of which were not cookies, I found the browser to be hi-jacked. Ran cwshredder and hi-jackthis and removed all offending entries but they kept coming back. I promptly ran pslist on the next reboot and found a process ???2 (can't remember the letters) running. I did a search for it and found an exe with that name in winnt\temp; after killing the process I deleted it. There were a few other exes with most of the names beginning with "~*.exe"; they were not temp files. There was also an index.html file which when opened in ASCII mode (C:\>type index.htm |more /*just love cli */) contained the offending addresses that were popping up with the js description of the pop-up windows, etc. I deleted them and the corresponding directories. When I opened ie I got an error and the browser had to be closed, but when it re-opened the pop-ups seemed to be gone. I re-booted and tried again and this seemed to work. Guess I'll see Monday. Whether it did or didn't fix it, I'll be installing trojanremover from moosoft just for the excellent reg protection it provides, and if something does try to write to the registry I'll be able to see what it is and not have to run regedit to remove it.

  7. #17
    Senior Member | Join Date: Feb 2002 | Posts: 1,210
    let me add my little bit here.. you really shouldn't need to search through the registry and delete the keys as PuRe suggested.. hijackthis will find/remove them.. but I suppose it wouldn't hurt to check and see. a few things that others haven't mentioned is that you need to have windows explorer set to allow viewing of hidden files.. hijackthis sometimes won't see them if it isn't set that way.. under windows explorer, go to tools, folder options, view tab and make sure that "show hidden files" is check marked. the other thing is that this location is NOT the normal location of a hosts file.
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

    look at these posts/threads

    I would look at what else is in that nsdb folder

  8. #18
    Senior Member | Join Date: Feb 2004 | Posts: 201
    Delete the following with HJT (make sure all browser windows are closed when you do the fix) as well as the ones recommended by Ms. Mittens:

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    Also, looking at your O4's it appears perhaps you have edited some out?? Or you are running in selective startup mode?? Either way you may be masking some problems - just make sure you know that what is omitted is ok.

    With your hosts file - look at the link that sumdumguy gave you - from a quick look through it appears that Spybot S&D will eliminate that from the log. Always a good idea to run Spybot when having problems of this nature anyway - just be sure to update it.

    And just to set the record straight on CWShredder: It works just fine when it is a CWS hijacking. This is not. For CWS hijackings it's a wonderful tool - eliminates the need to peruse the registry manually.
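
A triage pass over the HijackThis entries singled out in this thread (the R0/R1 Internet Explorer URLs, the relocated O1 hosts file and the unnamed O16 download), as an added example that is not part of any post here and is not HijackThis's own code. The trusted-domain allowlist, the "no friendly name" heuristic and the function names are assumptions; the sample lines are copied from the log posted above.

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=2848728
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=2848728
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
"""
TRUSTED_DOMAINS = {"microsoft.com", "msn.com"}  # assumption: sites you expect IE to point at
STANDARD_HOSTS = r"\system32\drivers\etc\hosts"  # normal hosts location on NT/2000/XP

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")
IE_VALUE = re.compile(r",(?P<name>[^=]+?) = (?P<url>\S+)$")
HOSTS = re.compile(r"^Hosts file is located at: (?P<path>.+)$")
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def registrable(host):
    # Crude last-two-labels match; enough for this allowlist, not a public-suffix lookup.
    return ".".join(host.lower().split(".")[-2:])

def triage(log_text):
    """Return (code, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and (v := IE_VALUE.search(body)):
            host = urlparse(v["url"]).hostname or ""
            if registrable(host) not in TRUSTED_DOMAINS:
                findings.append((code, f"{v['name']} points at {host}"))
        elif code == "O1" and (h := HOSTS.match(body)):
            if not h["path"].lower().endswith(STANDARD_HOSTS):
                findings.append((code, f"hosts file redirected to {h['path']}"))
        elif code == "O16" and (d := DPF.match(body)):
            if d["name"] is None:  # heuristic (assumption): no friendly name registered
                findings.append((code, f"unnamed ActiveX download {d['clsid']}"))
    return findings
```

Run over the sample, `triage(SAMPLE_LOG)` reports the two hot-searches.com entries, the `nsdb` hosts file and the unnamed DPF object, and leaves the Norton and QuickTime lines alone.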

  9. #19
    Junior Member | Join Date: Jun 2003 | Posts: 11
    It's been two days since I did what you guys suggested, and my problem has not returned.
    thank you all very much for your time and help
    -smif123

  10. #20
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    hey meeeeeee, just to set the records straight, it is the best tool I've seen so far but is still not effective against the latest variants

    http://www.spywareinfo.com/~merijn/index.html

    March 24, 2004:

    [Update] If your browser has been hijacked to drxcount.biz, real-yellow-page.com, list2004.com or linklist.cc:

    We are working on a fix for this one and drawing near to an automated solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it.
