Browser Hijacked - countere.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Xorcism, Aug 10, 2004.

  1. Xorcism

    Xorcism Private E-2

    I'm having a big problem getting my browser back under control. My homepage is being repeatedly set to http://countere.com/?b=hc, which immediately redirects to realsearcher.com (some horrible farce of a "search engine").

    I believe I've tried everything mentioned in the READ ME FIRST: Basic Spyware, Trojan And Virus Removal, to no avail so far. I have not yet found much other mention of this particular problem elsewhere, either, so I've had just no luck dealing with it.

    Here are the main problems I'm having, which may or may not be interrelated, I don't know, but they've all been very resistant to Ad-Aware and such:

    1) the above-mentioned resetting of my homepage to countere.com
    2) many Internet Explorer bookmarks relating to incest, bestiality, ****, which come back after I delete them
    3) unwanted pitstops at www.ads234.com to load advertising in my browser when I type in an ordinary URL

    Has anyone else experienced this crap, and what will fix it? I'll post logs when/if asked...
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you use the new Ad-Aware released yesterday? If so, I would like to see a Hijack This log, please attach it.
     
  3. Xorcism

    Xorcism Private E-2

    Yes, I used the newest Ad-Aware update. Attached is my Hijack This log.
     


  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I will make some suggestions. Get into safe mode and do a Trojan scan with A2 or similar in our antivirus section. Clean your temporary files with CCleaner; a couple of the trojans are in your temp folders. Check your startup items for anything odd, especially the names below. THEN, re-scan with Ad-Aware from safe mode for kicks, and remove these:

    Remove:

    C:\WINDOWS\system32\SPmshh.exe
    C:\documents and settings\jeremy f elliot\local settings\temp\tLTw.exe
    C:\documents and settings\jeremy f elliot\local settings\temp\1ekkp.exe
    C:\WINDOWS\system32\winmm64.exe
    C:\WINDOWS\System32\ctlmsnap.exe
    C:\WINDOWS\System32\ipxaysvr.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
    O4 - HKLM\..\Run: [SPmshh] C:\WINDOWS\system32\SPmshh.exe
    O4 - HKLM\..\Run: [tLTw] C:\documents and settings\jeremy f elliot\local settings\temp\tLTw.exe
    O4 - HKLM\..\Run: [1ekkp] C:\documents and settings\jeremy f elliot\local settings\temp\1ekkp.exe
    O4 - HKLM\..\Run: [s39Q34V] ctlmsnap.exe
    O4 - HKCU\..\Run: [SPmshh] C:\WINDOWS\system32\SPmshh.exe
    O4 - HKCU\..\Run: [d0q4RQZ3Q] ipxaysvr.exe

    Reboot and cross your fingers.
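
The R0/R1 and O4 lines listed in the post above can be triaged mechanically. The following is an added illustration, not part of the thread and not code from HijackThis or MajorGeeks; the function name `triage`, its heuristics and the `ExampleTray` line are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines in HijackThis log format copied from the post above,
# plus one benign-looking line (ExampleTray) added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc
O4 - HKLM\..\Run: [SPmshh] C:\WINDOWS\system32\SPmshh.exe
O4 - HKLM\..\Run: [tLTw] C:\documents and settings\jeremy f elliot\local settings\temp\tLTw.exe
O4 - HKCU\..\Run: [d0q4RQZ3Q] ipxaysvr.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# R0-R3: "<section> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.*?) = (.*)$")
# O4: "O4 - <hive>\..\Run: [<entry name>] <command>"
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

def triage(log_text, hijack_domains):
    """Return (section, location, value, reasons) for each line worth reviewing."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = []
        if m := R_LINE.match(line):
            section, location, value = m[1], f"{m[2]}\\{m[3]},{m[4]}", m[5]
            host = (urlparse(value).hostname or "").lower()
            # Exact host or any subdomain of a known hijack domain
            if any(host == d or host.endswith("." + d) for d in hijack_domains):
                reasons.append(f"IE setting points at {host}")
        elif m := O4_LINE.match(line):
            section, location, value = "O4", f"{m[1]}\\..\\{m[2]} [{m[3]}]", m[4]
            if "\\temp\\" in value.lower():
                reasons.append("autostart runs from a temp folder")
            if "\\" not in value:
                reasons.append("autostart has no full path")
        if reasons:
            findings.append((section, location, value, reasons))
    return findings

if __name__ == "__main__":
    for section, location, value, reasons in triage(SAMPLE_LOG, {"countere.com"}):
        print(f"{section}  {location}\n    {value}\n    -> {'; '.join(reasons)}")
```

These heuristics do not flag the `SPmshh.exe` entry, which sits under system32 with a full path; entries like that still need a person reading the log, as happened in this thread.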
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To make sure you are clear on MA's instructions let me add my two cents. After running the trojan scans, CCleaner, and Ad-aware, if those lines are still present in a new HijackThis scan then have HijackThis fix (don't click fix until you close all Internet Explorer sessions) all the R0, R1, and O4 lines MA indicated.

    Then boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    Enable viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650
    And use Windows Explorer to find the following and delete them (if they still exist):
    C:\WINDOWS\system32\SPmshh.exe
    C:\documents and settings\jeremy f elliot\local settings\temp\tLTw.exe
    C:\documents and settings\jeremy f elliot\local settings\temp\1ekkp.exe
    C:\WINDOWS\system32\winmm64.exe
    C:\WINDOWS\System32\ctlmsnap.exe
    C:\WINDOWS\System32\ipxaysvr.exe

    Then reboot in normal mode and let us know how things look.
     
  6. Xorcism

    Xorcism Private E-2

    Thanks, sounds good, will try these things when I get home to my computer & let you know.
     
  7. Xorcism

    Xorcism Private E-2

    Well, I'm almost afraid to say it but I think - knock on wood - we may have finally fixed the problem. (I thought that several times before but the crap kept coming back again and again.)

    Getting rid of C:\WINDOWS\system32\SPmshh.exe was hard, as it kept returning after reboots, but I think that was key, and it's gone now. I followed all the instructions: went into Safe Mode, scanned with A2, cleaned up a lot of junk with CCleaner, re-scanned with Ad-Aware, scanned with Hijack This and had it fix the indicated R1, R0, O4 files. Then on booting into normal mode, there was SPmshh.exe running again, and of course it wouldn't let me delete it while it was running. I did ctrl+alt+del to look at the processes running, did End Process for that one, then deleted its executable file from System32 folder and that seems to finally have done it.

    Anyway, thanks a lot guys for all the help, sure couldn't have done it without you. CCleaner is a great program too btw, that turned out to really help a lot I think.

    Cheers
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great news! Happy we could help!
     
