Cool Web Search 213.159.117.134 Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Andries, Oct 9, 2004.

  1. Andries

    Andries Private E-2

    Hi,

    I see I am not the only one battling with this one. I cleaned about 10 spyware / adware programs with Spybot, No adware and Spy sweeper. However, my IE is still being hijacked.

    As with Kissme729, I could not get to the sites to download Spybot and Spy sweeper. I assumed I was redirected by the adware and asked my sister to download it from her computer and used the CD.

    Spybot does not pick up the program. It was picked up with Spysweeper and "destroyed". Unfortunately it reappeared immediately thereafter.

    I also get an error message "Upddlg performed an illegal operation...", though this might not be directly related.

    Could you please assist?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This problem (not you) is starting to annoy me. I'm going to break protocol. Can you get Hijack This version 1.98.2 on this PC somehow and run a scan and post it back here. Preferably as an attachment but if you have a problem doing that, just post it inline and I'll change it later.

    I'm expecting there will be lines similar to this:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    F1 - win.ini: load=,


    Also, I would like to see your hosts file but you did not say what OS you have. So choose the proper path below for your OS:

    Windows 95/98/Me: c:\windows\hosts
    Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
    Windows XP Pro/Home: c:\windows\system32\drivers\etc\hosts

    Click Start, Run, and in the open box enter the following command:
    notepad yourpathtohosts

    Substitute in for yourpathtohosts the one for your OS. WinXP is usually in c:\windows but sometimes is in c:\winnt. That's why there are two examples for it.

    Once the notepad file comes up, click CTRL-A to copy everything in the file. Then paste the info into a message here.
     
  3. Andries

    Andries Private E-2

    Thanks for the response. I am using windows 98 and therefore ran:

    notepad c:\windows\hosts

    Nothing happened after notepad was opened.

    I attach the log file for Hijack this. I have seen the expected lines and tried to fix it, but it remained the same. I also looked for the Windows manager file to see if there is an active program which had to be closed before corrected, but could not find it through the "find" function on the computer.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit all browsers before running HijackThis and also only run one session of HJT. You had the below in your log:
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    Make sure you have viewing of hidden files enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    SYSTIME.EXE (probably just shows as systime on your OS)

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://all-find.net/sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\RunServices: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O15 - Trusted Zone: *.windupdates.com

    I don't know what this next line is for. Do you? Leave it alone unless you know it's bad.
    O4 - HKLM\..\Run: [SanQuoteSecurity.exe] C:\Program Files\Sanlam\SanQuote\Assemblies\SanQuote.Security.exe

    Boot in safe mode and delete:
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    While in safe mode Reset your web settings:
    Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log and tell me how things are working.
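    The lines chaslang picks out above follow a pattern an analyst checks for by hand on every HijackThis log: IE start/default/local pages redirected to a bare IP address, a search URL pointing at an unknown host, the same executable registered under several autorun locations (HKLM Run, HKCU Run, HKCU RunServices), and a domain added to the Trusted Zone. The script below is an added example written for this thread, not a MajorGeeks or HijackThis tool; it parses R0/R1, O4 and O15 lines and reports those four conditions. The sample log is constructed from the lines quoted in this thread, and the `allowed_hosts` allowlist is a hypothetical list of hosts the user recognises (an empty list reports every non-IP host so the reader can vet it).

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://all-find.net/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\RunServices: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [SanQuoteSecurity.exe] C:\Program Files\Sanlam\SanQuote\Assemblies\SanQuote.Security.exe
O15 - Trusted Zone: *.windupdates.com
F1 - win.ini: load=,
"""

# R0/R1: IE start, default, local and search page registry values.
R_LINE = re.compile(r"^R[01] - (?P<key>HK(?:CU|LM)\\[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$")
# O4: autorun entries under HKLM/HKCU Run, RunOnce, RunServices, ...
O4_LINE = re.compile(r"^O4 - (?P<hive>HK(?:CU|LM))\\\.\.\\(?P<subkey>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O15: domains the user (or malware) added to the IE Trusted Zone.
O15_LINE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")


def is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, allowed_hosts=()):
    """Return a list of (log_line, reason) pairs for lines worth a closer look."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    autorun_seen = {}  # normalised command line -> [(log_line, autorun location)]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if is_ip_literal(host):
                findings.append((line, "IE %s points at a bare IP address (%s)" % (m.group("value"), host)))
            elif host and host not in allowed:
                findings.append((line, "IE %s points at an unrecognised host (%s)" % (m.group("value"), host)))
            continue
        m = O4_LINE.match(line)
        if m:
            cmd = m.group("cmd").strip().lower()
            location = m.group("hive") + "\\" + m.group("subkey")
            autorun_seen.setdefault(cmd, []).append((line, location))
            continue
        m = O15_LINE.match(line)
        if m:
            findings.append((line, "domain added to IE Trusted Zone: %s" % m.group("domain")))
    # One program registered in several autorun locations is a persistence pattern
    # worth checking; a single Run entry (like SanQuote above) is left for the user to vet.
    for cmd, entries in autorun_seen.items():
        if len(entries) > 1:
            locations = ", ".join(loc for _, loc in entries)
            for line, _ in entries:
                findings.append((line, "%s registered in %d autorun locations (%s)" % (cmd, len(entries), locations)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-60s  <- %s" % (reason, line))
```

Run it against a saved HijackThis log with `triage(open("hijackthis.log").read(), allowed_hosts=["www.majorgeeks.com"])`. On the constructed sample it reports the three IP-addressed page entries, the all-find.net search URL, the Trusted Zone domain and the three systime.exe autorun entries, and says nothing about the single SanQuote entry, which matches chaslang's advice to leave that one alone until its purpose is known.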
     
  5. Andries

    Andries Private E-2

    Yes!

    I can now visit my homepage for the first time in 2 weeks. I wish I had known about you then!

    The log file still shows the dreaded web site, but it does not seem to have an effect at the moment. I will let you know after more testing.

    Thanks
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to fix these lines with HijackThis:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    And then Reset your web settings:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    I would still like to know what the below is for. Do you know?

    O4 - HKLM\..\Run: [SanQuoteSecurity.exe] C:\Program Files\Sanlam\SanQuote\Assemblies\SanQuote.Security.exe
     
