Cannot get Hijack this changes to stay at reboot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sydneydog, Aug 15, 2004.

  1. sydneydog

    sydneydog Private E-2

    My IE browser was victim to a hijack. It automatically gets redirected to a site www.thenewsearch.com and then redirected to a site www.casinopalazzo.com. I read your tutorial and downloaded and ran Ccleaner, Adaware, CWshredder, Kill2Me, and Hijackthis 1.98.2. This cleaned up many problems and half of the browser hijack. The browser still goes to www.thenewsearch.com but not through to casino palazzo. I have run Hijack this and sent the log for analysis; however, when I select the identified problems to be fixed and rerun the log, the fixes don't stay if I reboot. I even went into regedit and tried manually deleting these entries, which didn't work on reboot. I also tried changing the data value to www.google.com, which again didn't save if I rebooted. Do you know how I can permanently make the changes?

    Thanks for any help you can provide
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Sydney,

    Your problem may lie in System Restore. Check THIS out. Best luck,

    PP
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Without telling us an OS, we have no idea whether you have a System Restore or not.

    Did you also run two online scans mentioned (TrendMicro and PandaSoftware)? If not, please run them and then post your HijackThis log (as a text attachment). See this tutorial thread on HijackThis and pay attention to the bold print in that thread.

    http://forums.majorgeeks.com/showthread.php?t=38752
     
  4. sydneydog

    sydneydog Private E-2

    Hi, Thanks for your help. I am running Windows XP for OS. When I run TrendMicro it identifies the virus JS_DIALOGARG.A; it says the infected file is uncleanable, but when I delete the file, remove all the R0, R1, and O1 lines from HijackThis and restart, the changes still don't stay. I have attached my log for review. Any suggestions would be great.

    SD
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you need to read the HijackThis tutorial again. It specifically said do not put HijackThis in a temp directory. Here is where you have it:
    C:\Documents and Settings\Faraci\Local Settings\Temp\Temporary Directory 1 for hijackthis_198.zip\HijackThis.exe

    This is a temp directory because you are running it directly from the ZIP file. HJT will not be able to save its backups this way. Fix this before doing anything else.

    This link from TrendMicro explains how to remove the JS_DIALOGARG.A virus:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DIALOGARG.A

    You also appear to have StartPage-DB problems. I'm surprised that TrendMicro did not detect this. Are your definitions for TrendMicro up to date?

    It does not look like you ran the Panda scan. If you did, it would have shown in the O16 lines of your HJT log. Please follow directions! This makes me wonder whether all the steps from the 35407 link have been followed as per the tutorial (that you said you read).

    Download and run these too:
    avast! Virus Cleaner Tool: http://www.majorgeeks.com/download4188.html
    McAfee Avert Stinger: http://www.majorgeeks.com/download4063.html

    Bring up Task Manager by hitting CTRL-ALT-DEL and select Processes. Look for the below two processes and end them if found:
    winupd.exe
    d2.1.exe

    Now run HijackThis and put checks on the following lines but DO NOT click fix yet:
    HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
    O1 - Hosts: 69.50.173.250 auto.search.msn.com
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [nstat] C:\WINDOWS\d2.1.exe

    Now exit all browsers (Internet Explorer, FireFox, etc) and click Fix in HijackThis.

    Reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Enable viewing of hidden files: http://forums.majorgeeks.com/showthread.php?t=37650

    And now use Windows Explorer to locate and delete:
    C:\WINDOWS\System32\winupd.exe
    C:\WINDOWS\d2.1.exe

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. (If you do not have an Internet Explorer icon on your Desktop, just run IE and click Tools, Internet Options, Programs etc.)

    Additional info, this Trojan uses the following registry key to track how many times it has been run:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Yun "C"
    The following shortcut will be added to the Favorites list:

    • TheNewSearch.url
    You should look for those items and fix them too.

    Reboot in normal mode and tell me how all these steps went and how things look now and post a new HJT log attachment.
     
    Last edited: Aug 17, 2004
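An added example, not part of this thread or of HijackThis itself: a small parser for the R0/R1, O1 and O4 log lines of the kind chaslang lists above, with three checks that match the pattern he describes, namely one host owning many IE start/search values across HKCU and HKLM, a hosts-file entry pointing a real name at a non-loopback address, and Run entries launching straight from the Windows folder. The sample log lines are constructed from the thread; the rules, thresholds and function names are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log, modelled on the R0/R1/O1/O4 lines quoted in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://thenewsearch.com/search.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://thenewsearch.com/search.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O1 - Hosts: 69.50.173.250 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [winupd] C:\\WINDOWS\\System32\\winupd.exe
O4 - HKLM\\..\\Run: [nstat] C:\\WINDOWS\\d2.1.exe
"""

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.+)$")
O1_LINE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_hjt(log):
    """Split a HijackThis log into R (IE URL settings), O1 (hosts) and O4 (Run) records."""
    out = {"R": [], "O1": [], "O4": []}
    for line in log.splitlines():
        if m := R_LINE.match(line):
            out["R"].append({"kind": m[1], "hive": m[2], "key": m[3], "name": m[4], "url": m[5]})
        elif m := O1_LINE.match(line):
            out["O1"].append({"ip": m[1], "host": m[2]})
        elif m := O4_LINE.match(line):
            out["O4"].append({"hive": m[1], "key": m[2], "name": m[3], "cmd": m[4]})
    return out

def hijack_hosts(records, min_hits=2):
    """Hosts that own several IE start/search URLs at once. One site rewriting many
    R0/R1 values in both HKCU and HKLM is the hijack pattern from the thread."""
    hits = Counter(urlparse(r["url"]).hostname for r in records["R"])
    return {h for h, n in hits.items() if n >= min_hits}

def hosts_redirects(records):
    """O1 entries that map a hostname to anything other than loopback (assumed rule)."""
    return [r for r in records["O1"] if not r["ip"].startswith("127.")]

def run_entries_in_windows_root(records, windir="C:\\WINDOWS"):
    """O4 autostarts whose image sits directly in the Windows folder rather than a
    subfolder. A heuristic for review, not proof of infection."""
    return [r for r in records["O4"]
            if r["cmd"].lower().startswith(windir.lower() + "\\")
            and "\\" not in r["cmd"][len(windir) + 1:]]
```

Run the three checks on a real log before clicking Fix; anything they return is a candidate to verify against the thread's advice, not an automatic deletion.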
