
Thread: browser hijacked by jksearch.biz

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    2

    browser hijacked by jksearch.biz

    Hi,
    My browser was hijacked on the 18th of May. Whenever I open Internet Explorer, jksearch.biz.php becomes the home page and it redirects to some xxx site. I tried deleting unknown entries from the registry, deleted all cookies and refreshed everything, but in vain; it comes back within seconds.
    Can anyone help me there?
    pavan

  2. #2
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    Alright, first of all get Ad-Aware, Spybot and HijackThis (http://home.datacomm.ch/winzozz/hijackthis.zip).
    Post your HijackThis log here.
    Best of luck.

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    2

    hijacked by jksearch.biz.php

    Logfile of HijackThis v1.97.7
    Scan saved at 2:53:00 PM, on 21/05/04
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\hpb2ksrv.exe
    C:\WINNT\System32\hpbhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\ZipToA.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
    C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
    C:\WINNT\System32\hpstatus.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\WINNT\dl.exe
    C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    C:\windows\program files\WZQKPICK.EXE
    C:\WINNT\System32\HPBSPSVR.EXE
    C:\WINNT\System32\HPBJDSNT.EXE
    C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe
    C:\Program Files\SAP\FrontEnd\SAPgui\sapfewgsrv.exe
    C:\WINNT\Explorer.exe
    C:\WINDOWS\PROGRA~1\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Satyam Infoway Limited
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.1.22.156:6588
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
    O1 - Hosts: 129.1.30.97 PRD PRD
    O1 - Hosts: 129.1.30.63 NAVNT NAVNT
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
    O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
    O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
    O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe
    O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\windows\program files\WZQKPICK.EXE
    O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.maalaimalar.com/wfplayer/tdserver.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O19 - User stylesheet: C:\WINNT\color.css
    pavan
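    The log above is the kind of thing the later replies ask the poster to work through entry by entry. As an added example (not code from the thread, and not part of HijackThis), the Python script below does a first triage pass over HijackThis-style lines: it decodes the percent-encoded ("obfuscated") search URLs, lists the proxy and hosts-file settings for confirmation, flags autostart commands that have no absolute path, run straight from the Windows directory, or reuse a Windows core binary name from the wrong folder, and flags DPF (O16) entries fetched through ms-its:/CHM or resolving to an .exe. The sample log is constructed from the entries posted above, with a few benign ones mixed in, and the trusted-host list is an assumption about what a default start page would point to.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread and not HijackThis code. It reads the
R0/R1, O1, O4, O8, O16 and O19 sections and reports what a reviewer would
look at first, so the entries can be researched one by one.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts a default IE start/search page is expected to use.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
WINDOWS_CORE_BINARIES = {"services.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "smss.exe"}
SYSTEM32 = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
WINDOWS_ROOT = ("c:\\winnt\\", "c:\\windows\\")

# Constructed sample, modelled on the log posted above (benign entries included).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.1.22.156:6588
O1 - Hosts: 129.1.30.97 PRD PRD
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Services Process] C:\WINNT\system32\config\services.exe
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
O19 - User stylesheet: C:\WINNT\color.css
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First executable token of a Run command: either a quoted path or text up to .exe/.dll/.com.
EXE_RE = re.compile(r'"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|dll|com))(?:\s|$)', re.IGNORECASE)


def parse_hjt(text):
    """Split a log into (section, body) pairs, skipping the header and process list."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def deobfuscate(url):
    """Undo the percent-encoding used to hide a host name from a casual reader."""
    return unquote(url)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def check_ie_setting(body):
    name, _, value = body.partition(" = ")
    reasons = []
    if value.endswith("(obfuscated)"):
        value = value[: -len("(obfuscated)")].strip()
        reasons.append(f"percent-encoded URL, decodes to {deobfuscate(value)}")
    if name.endswith(",ProxyServer"):
        reasons.append(f"proxy {value} is set; confirm it is the expected one")
    elif value.startswith("http") and _host(deobfuscate(value)) not in TRUSTED_HOSTS:
        reasons.append(f"points at untrusted host {_host(deobfuscate(value))}")
    return reasons


def check_autostart(body):
    m = RUN_RE.search(body)
    if not m:
        return []
    cmd = m.group("cmd").strip()
    e = EXE_RE.match(cmd)
    exe = (e.group("q") or e.group("u")).lower() if e else cmd.lower()
    if not re.match(r"^[a-z]:\\", exe):
        return [f"'{cmd}' has no absolute path; resolve which file actually runs"]
    directory, _, base = exe.rpartition("\\")
    directory += "\\"
    reasons = []
    if base in WINDOWS_CORE_BINARIES and directory not in SYSTEM32:
        reasons.append(f"{base} is a Windows core binary name but runs from {directory}")
    if directory in WINDOWS_ROOT:
        reasons.append(f"{base} runs straight from the Windows directory, unusual for installed software")
    return reasons


def check_dpf(body):
    url = body.rpartition(" - ")[2].lower()
    reasons = []
    if url.startswith("ms-its:") or ".chm" in url:
        reasons.append("ActiveX object fetched via ms-its:/CHM, a drive-by install vector")
    if url.endswith(".exe"):
        reasons.append("DPF entry resolves to an .exe rather than a .cab")
    return reasons


CHECKS = {
    "R0": check_ie_setting, "R1": check_ie_setting,
    "O1": lambda b: [f"hosts override '{b[7:]}'; confirm it is intended"],
    "O4": check_autostart,
    "O8": lambda b: ["context menu item runs a local HTML file; read it"] if re.search(r"[a-z]:\\.*\.html?$", b, re.I) else [],
    "O16": check_dpf,
    "O19": lambda b: ["user stylesheet set; rarely done on purpose, a common hijack marker"],
}


def triage(text):
    """Return (section, body, reason) for every entry a reviewer should look at."""
    findings = []
    for section, body in parse_hjt(text):
        for reason in CHECKS.get(section, lambda b: [])(body):
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

    Run against the sample it prints twelve findings and stays silent on the Norton BHO and the HP status entry. The output is a reading list, not a verdict: the proxy and hosts entries here look like corporate settings (the 129.1.x.x addresses match), which is exactly why each one is handed back for confirmation rather than marked bad.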

  4. #4
    I don't get why people already request others to post the HijackThis logfile (despite how much I hate that program being recommended...).

    Have them learn the program, understand it, and RTFM. Not only will they then understand (and know Google better) how to work the program, but also how to prevent future hijacking attempts. Solving the problem without any reason why or how does no more good than pulling out the top leaves of a deeply seated weed. The weed's roots (the problem of why and how he got it anyway) still exist, and thus it can happen again.

    Answers == quick solutions
    Teaching how you got those answers and helping them find the answers rather than give it == a rock solid foundation to learn further on, and thus gaining experience.


    HijackThis tutorials, FAQs, and guides

    http://www.bleepingcomputer.com/foru...42&client=html

    http://hjt.wizardsofwebsites.com/

    http://www.spywareinfo.com/~merijn/htlogtutorial.html

  5. #5
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    pooh sun tzu's right, try and google for all the entries and see if you can come up with some dirt. Here's something I got from just browsing through it: O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
    Take a look at the link here:
    http://www.symantec.com/avcenter/ven...or.nthack.html
    You've also got some stuff you don't need; google everything and see if you can make do without them.

  6. #6
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Hi,
    C:\WINNT\dl.exe
    This one I could recognise easily because I removed it recently, and it might be one of the problems. On my computer there were dl.exe and dl.htm in the WinNT folder; the dl.exe pops up this dl.htm file after a few (3 to 4) minutes. Reboot to safe mode and delete "dl.exe". Everything else seems to be fine... or am I missing something?

    --Good Luck--

  7. #7
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    OK, please copy the contents of the quote box to Notepad:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "System"=-
    [-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
    [-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
    [-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

    Hit Save As,
    give it the name clear.reg,
    under the filename set file types to All Files,
    and save it to the desktop.

    After that, double-click clear.reg;
    when asked to merge, say yes.

    Reboot.

    Then find this file:
    system32.dll
    It's probably in one of two locations:
    c:\windows\system32\system32.dll
    c:\windows\system\system32.dll
    and delete it.

    Secondly, you have a CWS infection. Please download the CWShredder from http://www.spywareinfo.com/~merijn/downloads.html

    Next, please boot into safe mode and run it.

    Please download, update and run (one at a time, of course!) Spybot and Ad-Aware. They are both available from this link.


    After that, run your PC through an online virus scanner. Here are a few:
    http://housecall.trendmicro.com/
    http://www.bitdefender.com/scan/licence.php
    http://www.ravantivirus.com/scan/
    http://us.mcafee.com/root/mfs/default.asp?affid=294

    After all that, either post your HijackThis log here and I will look through it again, or google the entries and fix the ones that don't belong.

    While for some infections RTFM is the correct approach, this poster has two VERY tricky infections to spot and treat. It could potentially take him forever to figure it out. Sometimes we just need to stop and give someone a helping hand!
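    The clear.reg step above is the one the next reply objects to, and the quickest way to settle what a posted .reg file really does is to read it as the registry editor would before merging it. As an added example (not code from the thread or from any Windows tool), the Python script below is a dry-run interpreter for the simple REGEDIT4 syntax used here: `[key]` creates a key if it is missing, `[-key]` deletes the key and everything under it, `"name"=-` deletes one named value, and `"name"=data` assigns it. The sample input is the clear.reg text from this post; the script lists the operations and never touches a registry.

```python
"""Dry-run interpreter for REGEDIT4 .reg files.

Added example, not part of the thread. Before merging a .reg file someone
posts, this lists exactly which keys and values it would create, set or
delete, so the reader can judge it without touching the registry.
"""
import re

# Sample input: the clear.reg text from the post above.
CLEAR_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def plan_reg(text):
    """Return (operation, key, detail) tuples describing what a merge would do."""
    header, *lines = text.strip().splitlines()
    if header.strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError(f"not a .reg file, header is {header!r}")
    ops, current = [], None
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            # "[-key]" removes the key and its subtree; "[key]" creates it if missing.
            ops.append(("delete_key" if km.group("delete") else "ensure_key", current, None))
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            raise ValueError(f"cannot parse line {line!r}")
        name = "(Default)" if vm.group("name") == "@" else vm.group("name")[1:-1]
        data = vm.group("data")
        # "name"=- deletes the named value; anything else assigns data to it.
        ops.append(("delete_value", current, name) if data == "-" else ("set_value", current, (name, data)))
    return ops


def summarize(ops):
    """One line per operation, in the order the merge applies them."""
    return [f"{op:12} {key}" + (f"  ->  {detail}" if detail is not None else "") for op, key, detail in ops]


if __name__ == "__main__":
    print("\n".join(summarize(plan_reg(CLEAR_REG))))
```

    For this file the plan is five operations: open the ShellServiceObjectDelayLoad key, delete its "System" value, and delete three CLSID keys. No file on disk is touched by the merge itself; the DLL deletion in the post is a separate manual step. The parser covers the plain string syntax used here and does not handle hex(...) values continued across lines with a trailing backslash.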


  8. #8
    You just instructed him to delete Windows critical DLLs and registry keys... if they are infected, they need to be fixed, not deleted.

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    I assure you that I didn't ask the poster to delete anything harmful on his PC. Here are some examples of this fix SUCCESSFULLY performed:

    http://forums.spywareinfo.com/index....=jksearch\.biz

    http://forums.spywareinfo.com/index....=jksearch\.biz

    http://forums.spywareinfo.com/index....=jksearch\.biz
