-
May 21st, 2004, 07:45 AM
#1
Junior Member
browser hijacked by jksearch.biz
Hi,
My browser was hijacked on the 18th of May. Whenever I open Internet Explorer, jksearch.biz.php becomes the home page and it redirects to some xxx site. I tried deleting unknown entries from the registry, deleted all cookies, refreshed everything, but in vain; it comes back within seconds.
Can anyone help me there?
-
May 21st, 2004, 07:59 AM
#2
Alright, first of all get Adaware, Spybot and HijackThis (http://home.datacomm.ch/winzozz/hijackthis.zip).
Post your HijackThis log here.
Best of luck.
-
May 21st, 2004, 09:59 AM
#3
Junior Member
hijacked by jksearch.biz.php
Logfile of HijackThis v1.97.7
Scan saved at 2:53:00 PM, on 21/05/04
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\System32\hpstatus.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\dl.exe
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
C:\windows\program files\WZQKPICK.EXE
C:\WINNT\System32\HPBSPSVR.EXE
C:\WINNT\System32\HPBJDSNT.EXE
C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe
C:\Program Files\SAP\FrontEnd\SAPgui\sapfewgsrv.exe
C:\WINNT\Explorer.exe
C:\WINDOWS\PROGRA~1\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Satyam Infoway Limited
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.1.22.156:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
O1 - Hosts: 129.1.30.97 PRD PRD
O1 - Hosts: 129.1.30.63 NAVNT NAVNT
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\windows\program files\WZQKPICK.EXE
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.maalaimalar.com/wfplayer/tdserver.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O19 - User stylesheet: C:\WINNT\color.css
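As an added example (not posted by anyone in this thread): a small Python triage pass over lines shaped like the log above, doing mechanically what the replies do by hand: decoding the "(obfuscated)" percent-encoded search URLs, flagging IE start/search pages and proxy settings that point somewhere the owner does not recognise, Run-key binaries that live outside the usual directories or borrow a system-process name, and ActiveX objects pulled in via ms-its/CHM. The trusted-host list and Windows directories are assumptions for the example.

```python
import re
from urllib.parse import unquote, urlsplit
# Constructed sample shaped like the HijackThis log above (a subset, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.1.22.156:6588
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
"""
# Assumed for this example: hosts the owner recognises, and where Windows lives (C:\WINNT here).
TRUSTED_HOSTS = {"www.microsoft.com"}
SYSTEM32_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
SYSTEM_PROCESSES = {"services.exe", "svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe"}
def host_of(url):
    # Percent-decode first: HijackThis marks URLs like http://%34%2Dv%2Enet/ as "(obfuscated)".
    return (urlsplit(unquote(url.strip())).hostname or "").lower()

def flag(line):
    # Return the reasons one HijackThis log line deserves a closer look ([] if none).
    m = re.match(r"(R0|R1|O4|O16) - (.*)", line)
    if not m:
        return []
    code, body = m.groups()
    body = body.replace(" (obfuscated)", "")
    reasons = []
    if code in ("R0", "R1"):  # IE start/search pages and proxy settings
        key, _, value = body.partition(" = ")
        if key.endswith("ProxyServer") and value.strip():
            reasons.append("proxy set to " + value.strip())
        elif value.startswith("http"):
            if host_of(value) not in TRUSTED_HOSTS:
                reasons.append("IE setting points at " + host_of(value))
            if "%" in value:
                reasons.append("percent-encoded URL hides the host")
    elif code == "O4":  # Run-key autostarts: where does the binary really live?
        exe = re.match(r".*?\] (.*?\.exe)", body.lower())
        directory, _, name = (exe.group(1) if exe else "").rpartition("\\")
        if directory and name in SYSTEM_PROCESSES and directory not in SYSTEM32_DIRS:
            reasons.append("system-process name outside system32: " + exe.group(1))
        elif directory and directory not in SYSTEM32_DIRS and "program files" not in directory:
            reasons.append("autorun binary in unusual location: " + exe.group(1))
    elif code == "O16" and ("ms-its:" in body or ".chm" in body):
        reasons.append("ActiveX object loaded via ms-its/CHM rather than a plain .cab")
    return reasons

def triage(log_text):
    return [(l, flag(l)) for l in log_text.splitlines() if flag(l)]
```

Running triage(SAMPLE_LOG) flags six of the seven sample lines; the HP Status entry in System32 passes, which is the point of comparing the directory rather than the file name alone.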
-
May 21st, 2004, 10:32 AM
#4
I don't get why people already request others to post the HijackThis logfile (despite how much I hate that program being recommended...).
Have them learn the program, understand it, and RTFM. Not only will they then understand how to work the program (and know Google better), but also how to prevent future hijacking attempts. Solving the problem without any reason why or how does no more good than pulling out the top leaves of a deeply seated weed. The weed's roots (the problem of why and how he got it anyway) still exist, and thus it can happen again.
Answers == quick solutions
Teaching how you got those answers and helping them find the answers rather than giving them == a rock solid foundation to learn further on, and thus gaining experience.
HijackThis tutorials, FAQs, and guides
http://www.bleepingcomputer.com/foru...42&client=html
http://hjt.wizardsofwebsites.com/
http://www.spywareinfo.com/~merijn/htlogtutorial.html
-
May 21st, 2004, 11:01 AM
#5
pooh sun tzu's right, try and Google for all the entries and see if you can come up with some dirt. Here's something I got from just browsing through it: O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
Take a look at the link here:
http://www.symantec.com/avcenter/ven...or.nthack.html
You've also got some stuff you don't need; Google everything and see if you can make do without them.
-
May 21st, 2004, 01:11 PM
#6
Hi,
This one I could recognise easily because I removed it recently, and it might be one of the problems. On my computer there were dl.exe and dl.htm in the WinNT folder; the dl.exe pops up this dl.htm file after about 3 to 4 minutes. Reboot to safe mode and delete "dl.exe". Everything else seems to be fine... or am I missing something?
--Good Luck--
-
May 21st, 2004, 02:18 PM
#7
OK, please copy the contents of the quote box to Notepad:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]
Hit Save As,
give it the name clear.reg,
under the filename set file type to All Files,
and save it to the desktop.
After that, double-click clear.reg.
When asked to merge, say yes.
Reboot.
Then find this file:
system32.dll
It's probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it.
Secondly, you have a CWS infection. Please download the CWShredder from http://www.spywareinfo.com/~merijn/downloads.html
Next, please boot into safe mode and run it.
Please download, update and run (one at a time of course!) Spybot and Adaware. They are both available from this link.
After that, run your pc through an online virus scanner. Here are a few:
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/licence.php
http://www.ravantivirus.com/scan/
http://us.mcafee.com/root/mfs/default.asp?affid=294
After all that, either post your HijackThis log here and I will look through it again, or google the entries and fix the ones that don't belong.
While for some infections RTFM is the correct approach, this poster has two VERY tricky infections to spot and treat. It could potentially take him forever to figure it out. Sometimes we just need to stop and give someone a helping hand!
-
May 21st, 2004, 02:22 PM
#8
You just instructed him to delete Windows critical DLLs and registry keys... if they are infected, they need to be fixed, not deleted.
-
May 21st, 2004, 02:43 PM
#9