103.nowfind.biz Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by crevevo12, Apr 12, 2005.

  1. crevevo12

    crevevo12 Private E-2

    I downloaded XoftSpy and registered it and ran it. I also ran Hijackthis using the tutorial in this forum. The newsoft.biz R1 items are always coming back to hijackthis. I run the program and delete the R1 items and I also deleted several others on the recommendation of the tutorial. Yet when I run my browser it goes to nowfind.biz and any url not typed with "http://" goes through nowfind. If I close the browser and rerun hijackthis the R1 items are back in the list.

    I will post the log if you want. Any help would be greatly appreciated
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).
     
  3. crevevo12

    crevevo12 Private E-2

    I have followed everything in both the Hijackthis post and the other post twice. I have even downloaded norton internet security 2005 and tried to clean my computer with that.

    The 103.nowfind.biz hijack is always coming up no matter what I do. I have spent about 7 hours working on this computer since I got your last post.

    The r1 and r0 and q1 and q13 items keep coming back every time I open my browser again.

    I have tried everything I know of to get rid of this hijacker. Attached is my log named hijackthis.log

    If you could help it would be greatly appreciated.
    Thanks
    crevevo12
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just so you know, there is a Keylogger installed on your machine. If you installed it then it's OK, but keep in mind just about everything will detect this.

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the inetadpt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move inetadpt.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file inetadpt.dll is already in the remove section, then just click FINISH.)



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    clprotect.exe

    clsecure.exe

    iexplore.exe <-- End every instance of this process as previously requested!

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.characterlink.net:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *rjf.com*;*raymondjames.com*;*rjfbank.com*;172.16.*;*192.168.*.*;*127.0.0.1*;10.*.*.*;172.12.*;<local>;webmail.characterlink.net*;home.characterlink.net*;
    characterlink.net*;198.92.206.137;*dialpad.com*;*exploresafe.com*;*questarcapital.com*;*awanacanv.org*;
    66.135.195.87;www.edemery.com;*taxaudit.com*;www....58;*quotes.reutersdatalink.com*;*dm-tech.net*

    O1 - Hosts: auto.search.msn.com 127.0.0.1

    O4 - HKLM\..\Run: [clprotect] C:\WINDOWS\System32\clprotect.exe
    O4 - Global Startup: CADIX Screen Saver Control.lnk = C:\cadix\screen saver\cssCtrl.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=

    O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/HushEncryptionEngine.c
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\clprotect.exe

    C:\WINDOWS\System32\inetadpt.dll

    C:\WINDOWS\System32\clsecure.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above,
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. crevevo12

    crevevo12 Private E-2

    It did not work.

    I have attached the new log and as you can see the 103.nowfind.biz entries are still there. I did everything exactly as it said on your post except for two things.

    First I did install the keylogger on my computer. This was about a year back and it did not cause me any troubles. I had it scanned by norton antivirus 2004, 2005 and symantec antivirus corporate edition 8.0 as well as McAfee and spyware doctor. It showed up clean on all of those so I installed it.

    Second, I did not delete the clprotect.exe nor the clsecure.exe. These are programs that belong to an internet filter that I have running on my computer. It is called Characterlink (www.characterlink.com). This is a filter that works on the principle of a whitelist.

    Other than those two things I followed your instructions to the letter. I do not have a clue where I got the hijacker or how to get it off my computer.

    Thanks for your help
    Crevevo12
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must close ALL browsers or this will be impossible to remove!

    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    NOW
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.characterlink.net:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *rjf.com*;*raymondjames.com*;*rjfbank.com*;172.16.*;*192.168.*.*;*127.0.0.1*;10.*.*.*;172.12.*;<local>;webmail.characterlink.net*;
    home.characterlink.net*;characterlink.net*;198.92.206.137;*dialpad.com*;*exploresafe.com*;*questarcapital.com*;*awanacanv.org*;66.135.195.87;
    www.edemery.com;*taxaudit.com*;www....58;*quotes.reutersdatalink.com*;*dm-tech.net*

    O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
    O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
    O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  7. crevevo12

    crevevo12 Private E-2

    Hate to say this but again nothing happened.

    The nowfind hijack is still working as fine as ever.

    Again I followed your instructions to the letter and as you can see the log is not changed.

    Let's try again, shall we?
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have System Restore disabled?
     
  9. crevevo12

    crevevo12 Private E-2

    Yes, I do.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! I have asked Chaslang to assist with this hijack. Allow him a moment to check it out.
     
  11. crevevo12

    crevevo12 Private E-2

    sure thing
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using a program to put in the below restriction

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Like Spybot, SpywareBlaster, Spyware Doctor, etc.

    If so, disable this restriction and then boot into safe mode and re-run the cleaning steps BJ gave you.

    But skip the proxy server override stuff if you know you need them.
     
  13. crevevo12

    crevevo12 Private E-2

    I have spybot and spyware doctor on my computer. How do I disable the restriction? Do I uninstall the programs?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now uncheck both items on that page (if checked).
    Now select the IE Tweaks option (in the left window pane) and uncheck all three Miscellaneous locks.

    Is Spyware Doctor a paid version? If not, just uninstall it. I am not familiar with all of its options so you may find it easier to just uninstall to begin with. But first see if the above Spybot change removes that restriction line from your log.
     
  15. crevevo12

    crevevo12 Private E-2

    I did as you said and set the spybot options. I also uninstalled spyware doctor. Then I ran hijackthis and deleted all bad entries. The restriction did not show up. I then ran ccCleaner and the LDS Fix then the Hoster program (Reset Host File). These programs I ran in safe mode. I then rebooted into normal mode and reran hijacker. The 103.Nowfind.biz entries are still in the file. The restriction is also back. I did not attach the log as it is the same as the previous attachment.

    Any other ideas? Is there a special nowfind removal tool? I searched on the internet and did not find one. I ran the aboutblaster just in case and it removed 8 entries but it still did not help.
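
Added example (not part of any post in this thread): the helpers keep asking for a fresh HijackThis log to see whether the fixed entries return after a reboot, and this sketch automates that comparison. The two sample logs are constructed from lines quoted in the thread (the real logs were attachments), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# A HijackThis entry has the shape "<section> - <detail>", e.g.
# "O13 - DefaultPrefix: http://..." (section = one letter plus 1-2 digits).
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Constructed sample: a few of the entries the helper asked to have fixed.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
"""

# Constructed sample: a rescan taken after rebooting to normal mode.
RESCAN = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
O4 - HKLM\..\Run: [clprotect] C:\WINDOWS\System32\clprotect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
"""

def parse_log(text):
    """Return the set of (section, detail) pairs found in a log or fix list."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header lines and blanks do not match and are skipped
            entries.add((m.group(1), m.group(2)))
    return entries

def _group(entries, host):
    """Group entries by section code, optionally keeping only one host."""
    grouped = defaultdict(list)
    for section, detail in sorted(entries):
        if host is None or host.lower() in detail.lower():
            grouped[section].append(detail)
    return dict(grouped)

def reappeared(fix_text, rescan_text, host=None):
    """Entries that were fixed but are present again in the rescan:
    something still running (or a policy lock) is rewriting them."""
    return _group(parse_log(fix_text) & parse_log(rescan_text), host)

def cleared(fix_text, rescan_text, host=None):
    """Entries that were fixed and stayed gone."""
    return _group(parse_log(fix_text) - parse_log(rescan_text), host)

if __name__ == "__main__":
    for section, details in reappeared(FIX_LIST, RESCAN).items():
        for detail in details:
            print("came back:", section, "-", detail)
    print("stayed fixed:", cleared(FIX_LIST, RESCAN))
```

Run against two real logs, a non-empty `reappeared` result for the same keys on every pass is the signal that the cleanup is treating symptoms while the component restoring the values is still loaded.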
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates.

    Now, Reboot into Safe Mode!

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and attach a fresh HJT log.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should definitely run MS Antispyware as BJ suggested but I want to double check what you meant. You said:

    I asked you to uncheck everything. Is that what you meant you did? I did not want any options "set". I just want to be clear.
     
  18. crevevo12

    crevevo12 Private E-2

    Thank you for the clarification. I unchecked every option in spybot as you requested; this is what I meant. Sorry for not replying earlier. I installed a virus protection software called "Panda" and it interfered with my internet so I could not get on. Then it wouldn't uninstall so I had to manually undo every change the install did.

    I just got my internet back about 5 minutes ago. I will download the spyware program you two suggested and do it.

    Thanks for your help
     
  19. crevevo12

    crevevo12 Private E-2

    Ok I followed your instructions with microsoft spyware. It did not help. Nowfind is still intact. :mad:

    The hijack log is still the same as before. No change.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall MS Antispyware and then install Spy Sweeper. Make sure you update it and then run a full scan. Save its log and post it. Does it help?
     
