HELP, My Homepage Was Hijacked Too!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kenny65, May 31, 2004.

  1. Kenny65

    Kenny65 Private E-2

    Hello Everyone,

    I need some help, please. I, too, have a browser-hijack situation. Spybot & NAV can't delete it. I can manually find/delete some of the files. They just get rewritten, though...

    When I open IE from the desktop icon, I get some unknown or unwanted "Super Search" page. If I open IE from my keyboard's "My Home" key, though, my regular homepage loads. If any page takes too long to load, the search page loads instead. When I open other pages, I see [ https.//www.nkvd.us/1524/ ] inserted in front of the URL. The URL is http://searchpage.cc/1524/ . When it rewrites other URLs by inserting nkvd.us/1524, I cannot find any such named files to delete.

    This searchpage.cc site offers a removal program, but... Hey, call me a Cynic. That URL is: http://searchpage.cc/1524/uninstall.htm


    I'm out of my league w/this problem. Any help will be greatly appreciated. Thank You.

    P.S.: I've a P4 system, w/an Intel chipset. The OS is XP Home. I built the system myself.
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kenny, as Kodo is pointing out, please download, update and run Ad-aware and SpyBot S&D, and clean what they find. Then run CWShredder too. Next, if you are still having a problem, shut down all applications, especially Windows Explorer and Internet Explorer sessions, and run HijackThis. Post your log back here.
     
  4. Kenny65

    Kenny65 Private E-2

    Thank You VERY MUCH, Chaslang!!

    I'm in Nursing, not IT (also in Bergen Co.). I suspected that it was tracking software. Pretty slick, routing all my bookmarks through their servers. It also blocked my access to the spyware download sites. I've a few "Therapies & Procedures" I'd like to administer to whoever wrote the damn thing...

    I already had SpyBot. It couldn't get any of it. The Ad-Aware nailed 81 files, mostly in the registry. I also downloaded & ran CWShredder, but it found nothing more. The only signs left are the rerouted URLs in IE's scroll-down menu. I goofed, though. Ad-Aware appeared to hang up when quarantining the files. They were clearly spyware & malware, though. So I just nuked 'em. So I don't think there's any log to post.

    Again, I thank you ;-}.
    Kenny.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kenny,

    I'm in Paramus!

    What version of SpyBot S&D do you have?

    You need to download HijackThis and run it. Save its log. That will bring up a notepad session with the log in it. Copy & paste that log into your next message. HijackThis is available here: http://www.majorgeeks.com/download3155.html Before running HijackThis, shut down all browser sessions and Windows Explorer sessions and in fact anything else you have open. This makes it easier for us to read the log, which can sometimes get very long.
     
  6. alanc

    alanc MajorGeek

    It's not uncommon for this hijacker to 'magically' reappear, so it would be a good idea to post that log...
     
  7. Kenny65

    Kenny65 Private E-2

    Okay Guys,

    Here's the log from HijackThis. The initial log from Ad-Aware showed 81 files. I don't see how this later log will help. Here you go, though. Thanks again. (I actually live in Rockland. I work in Bergen.)

    Logfile of HijackThis v1.97.7
    Scan saved at 8:57:20 AM, on 6/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    C:\Program Files\Optimum Online\Netsurf.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ATI Multimedia\main\launchpd.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Ken Hughes\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
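
Added example, not code from this thread or from MajorGeeks: a small Python triage script that reads a HijackThis log in the format Kenny posted and flags the kinds of entries the replies single out (an orphaned BHO, a startup shortcut with no target, a program run straight from C:\WINDOWS, an ActiveX download that is an .exe). The SAMPLE_LOG lines are copied from the log above; the flagging rules and the expected_home value are my assumptions.

```python
import re

# Constructed sample in the format of the HijackThis log posted above: a handful
# of its lines, not the full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
RUN_TARGET = re.compile(r'\[[^\]]*\]\s*"?([^"]+?\.exe)', re.IGNORECASE)

def triage_hijackthis(log_text, expected_home="http://www.cnn.com/"):
    """Return (section, reason, line) for each entry worth a second look,
    using the same cues the helpers in this thread went by."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if url != expected_home:
                findings.append((sec, "start page is %s, expected %s" % (url, expected_home), line))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, "BHO registered but its DLL is gone (orphan, safe to remove)", line))
        elif sec == "O4" and body.endswith("= ?"):
            findings.append((sec, "startup shortcut whose target cannot be resolved", line))
        elif sec == "O4" and RUN_TARGET.search(body):
            path = RUN_TARGET.search(body).group(1).lower()
            # a program living directly in C:\WINDOWS (not System32) is unusual
            if path.startswith("c:\\windows\\") and "\\" not in path[11:]:
                findings.append((sec, "program launched straight from the Windows folder", line))
        elif sec == "O16" and body.rsplit(" - ", 1)[-1].lower().endswith(".exe"):
            findings.append((sec, "ActiveX download is an .exe installer, not a .cab", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage_hijackthis(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (sec, reason, line))
```

A flag is a prompt to look, not a verdict: the two O4 and O16 hits in the sample are the same items Adrynalyne judged harmless or merely unneeded.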
     
  8. Adrynalyne

    Adrynalyne Guest


    It's the QuickTime Installer.

    It's not spyware related.
     
  9. Adrynalyne

    Adrynalyne Guest

    While not related to spyware, remove these as well:

    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - Global Startup: Image Transfer.lnk = ?

    Hijack This! looks pretty clean.

    Post the contents of your Hosts file.

    Start, run, C:\windows\system32\drivers\etc\hosts

    Click OK.

    When it asks a program to open it with, choose notepad.

    Copy and paste the contents in a post here.
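
Added example, not from this thread or from MajorGeeks: a Python check for the hosts file Adrynalyne asks for, which reports every mapping other than the stock "127.0.0.1 localhost" line, since a loopback mapping blocks a site (Kenny's "blocked my access to the spyware download sites") and any other address silently redirects it. The SAMPLE_HOSTS text is constructed with example.com/.net names; the two non-default lines are my illustration, not taken from Kenny's machine.

```python
import ipaddress

# Constructed sample hosts file: the Windows XP default header plus two entries of
# the kind a hijacker adds (example.com/.net names, not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       download.example.com
192.0.2.10      search.example.net   www.example.net  # comment left by the hijacker
"""

def audit_hosts(text):
    """Return (name, ip, verdict) for every mapping that is not the stock
    'localhost' entry. A clean XP hosts file yields an empty list."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((fields[0], "-", "line %d is not a valid hosts entry" % lineno))
            continue
        for name in fields[1:]:                  # one address may carry several names
            if name.lower() == "localhost" and ip.is_loopback:
                continue                         # the only entry XP ships with
            if ip.is_loopback:
                verdict = "blocked: resolves to this machine, so the site can never load"
            else:
                verdict = "redirected: resolves to %s instead of the real site" % ip
            findings.append((name, str(ip), verdict))
    return findings

if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print("%-22s %-12s %s" % (name, ip, verdict))
```

The hosts file has no extension, which is why double-clicking it does nothing; typing `notepad C:\WINDOWS\system32\drivers\etc\hosts` into Start > Run opens it directly.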
     
  10. Adrynalyne

    Adrynalyne Guest

    He can open it manually and copy and paste it here with my instructions.

    Not so with netstat.
     
  11. Adrynalyne

    Adrynalyne Guest

    Not when I am specifically asking to see the contents of his hosts file.
     
  12. Kenny65

    Kenny65 Private E-2

    HUH?!

    (Yeah, that's clear enough..)
    Kenny
     
  13. alanc

    alanc MajorGeek

    Kenny, do the above.

    Seems pretty clear to me...
     
  14. Adrynalyne

    Adrynalyne Guest

    Yeah I know, I appear to be arguing with myself.

    The person I was posting to seems to have succeeded in getting himself deleted, along with his posts.
     
  15. Kenny65

    Kenny65 Private E-2

    I guess I don't know how to do that. I tried running that file a few times. When I select notepad, nothing happens. I tried opening that extension in notepad, too. Again, no joy.

    A related file hosts.sam, sure had a bunch of stuff.
    Kenny.
     
  16. Kenny65

    Kenny65 Private E-2

    HMMmmm... Look what I found when scanning w/Ad-Aware. The problem that started this is long gone. I guess tracking-ware is pretty pervasive nowadays, eh?

    ArchiveData(auto-quarantine- 07-06-2004 09-36-52.bckp)
    ======================================================

    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=File : c:\documents and settings\ken hughes\cookies\ken hughes@04_june_teen[1].txt
    obj[1]=File : c:\documents and settings\ken hughes\cookies\ken hughes@2o7[1].txt
    obj[2]=File : c:\documents and settings\ken hughes\cookies\ken hughes@advertising[1].txt
    obj[3]=File : c:\documents and settings\ken hughes\cookies\ken hughes@atdmt[2].txt
    obj[4]=File : c:\documents and settings\ken hughes\cookies\ken hughes@bluestreak[2].txt
    obj[5]=File : c:\documents and settings\ken hughes\cookies\ken hughes@bravenet[2].txt
    obj[6]=File : c:\documents and settings\ken hughes\cookies\ken hughes@counter3.sextracker[1].txt
    obj[7]=File : c:\documents and settings\ken hughes\cookies\ken hughes@doubleclick[2].txt
    obj[8]=File : c:\documents and settings\ken hughes\cookies\ken hughes@edge.ru4[2].txt
    obj[9]=File : c:\documents and settings\ken hughes\cookies\ken hughes@ehg-bestbuy.hitbox[2].txt
    obj[10]=File : c:\documents and settings\ken hughes\cookies\ken hughes@fastclick[2].txt
    obj[11]=File : c:\documents and settings\ken hughes\cookies\ken hughes@hitbox[2].txt
    obj[12]=File : c:\documents and settings\ken hughes\cookies\ken hughes@mediaplex[1].txt
    obj[13]=File : c:\documents and settings\ken hughes\cookies\ken hughes@qksrv[2].txt
    obj[14]=File : c:\documents and settings\ken hughes\cookies\ken hughes@servedby.advertising[1].txt
    obj[15]=File : c:\documents and settings\ken hughes\cookies\ken hughes@sextracker[1].txt
    obj[16]=File : c:\documents and settings\ken hughes\cookies\ken hughes@tmpad[1].txt
    obj[17]=File : c:\documents and settings\ken hughes\cookies\ken hughes@trafficmp[2].txt
    obj[18]=File : c:\documents and settings\ken hughes\cookies\ken hughes@tribalfusion[2].txt
    obj[19]=File : c:\documents and settings\ken hughes\cookies\ken hughes@web4.realtracker[1].txt
    obj[20]=File : c:\documents and settings\ken hughes\cookies\ken hughes@z1.adserver[1].txt
    obj[21]=File : c:\documents and settings\ken hughes\cookies\ken hughes@zedo[2].txt

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ArchiveData(auto-quarantine- 05-06-2004 04-16-05.bckp)
    ======================================================
    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=File : c:\documents and settings\ken hughes\cookies\ken hughes@atdmt[2].txt
    obj[1]=File : c:\documents and settings\ken hughes\cookies\ken hughes@counter4.sextracker[1].txt
    obj[2]=File : c:\documents and settings\ken hughes\cookies\ken hughes@doubleclick[1].txt
    obj[3]=File : c:\documents and settings\ken hughes\cookies\ken hughes@qksrv[2].txt
    obj[4]=File : c:\documents and settings\ken hughes\cookies\ken hughes@sextracker[1].txt
    obj[5]=File : c:\documents and settings\ken hughes\cookies\ken hughes@zedo[1].txt
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ArchiveData(auto-quarantine- 05-06-2004 02-38-52.bckp)
    ======================================================
    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=File : c:\documents and settings\ken hughes\cookies\ken hughes@atdmt[2].txt
    obj[1]=File : c:\documents and settings\ken hughes\cookies\ken hughes@cgi-bin[2].txt
    obj[2]=File : c:\documents and settings\ken hughes\cookies\ken hughes@commission-junction[1].txt
    obj[3]=File : c:\documents and settings\ken hughes\cookies\ken hughes@doubleclick[1].txt
    obj[4]=File : c:\documents and settings\ken hughes\cookies\ken hughes@edge.ru4[1].txt
    obj[5]=File : c:\documents and settings\ken hughes\cookies\ken hughes@hg1.hitbox[1].txt
    obj[6]=File : c:\documents and settings\ken hughes\cookies\ken hughes@hitbox[2].txt
    obj[7]=File : c:\documents and settings\ken hughes\cookies\ken hughes@mediaplex[1].txt
    obj[8]=File : c:\documents and settings\ken hughes\cookies\ken hughes@qksrv[1].txt
    obj[9]=File : c:\documents and settings\ken hughes\cookies\ken hughes@tribalfusion[2].txt
    obj[10]=File : c:\documents and settings\ken hughes\cookies\ken hughes@web4.realtracker[1].txt
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ArchiveData(auto-quarantine- 04-06-2004 00-21-37.bckp)
    ======================================================
    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=File : c:\documents and settings\ken hughes\cookies\ken hughes@advertising[1].txt
    obj[1]=File : c:\documents and settings\ken hughes\cookies\ken hughes@atdmt[2].txt
    obj[2]=File : c:\documents and settings\ken hughes\cookies\ken hughes@doubleclick[1].txt
    obj[3]=File : c:\documents and settings\ken hughes\cookies\ken hughes@mediaplex[1].txt
    obj[4]=File : c:\documents and settings\ken hughes\cookies\ken hughes@qksrv[2].txt
    obj[5]=File : c:\documents and settings\ken hughes\cookies\ken hughes@questionmarket[1].txt
    obj[6]=File : c:\documents and settings\ken hughes\cookies\ken hughes@servedby.advertising[1].txt
    obj[7]=File : c:\documents and settings\ken hughes\cookies\ken hughes@tmpad[1].txt
    obj[8]=File : c:\documents and settings\ken hughes\cookies\ken hughes@trafficmp[2].txt
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Kenny.
     
