removing hijack heretofind

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drinkingfish, Nov 25, 2004.

  1. drinkingfish

    drinkingfish Private E-2

    hello

    I first followed the guide on basic spyware removal etc. and have gone through my HJT log (using the guide), fixing the ones that I can see shouldn't be there (they are the same ones Ad-Aware seems to remove), but the heretofind hijack still keeps coming back - every time I open IE.

    help !!!
     
  2. PhilliePhan

    PhilliePhan Guest

    If you have gone through the Cleanup Tutorial, then please attach your log as per the HijackThis Sticky Post. Somebody should be able to take a look.

    Happy Thanksgiving :)

    PP
     
  3. drinkingfish

    drinkingfish Private E-2

    hjt log as per request

    here is my hjt log as requested

    I can identify 9 lines that I should fix and have done so myself going by your instructions in the HJT guide, but it still comes back. Help!!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: hjt log as per request

    You should have stayed in your original thread. I merge you back into that thread.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: hjt log as per request

    You need to update your Windows OS and Internet Explorer. You are seriously out of date.

    Try running this: http://tools.zerosrealm.com/startchmfix.exe

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {2409C914-5F35-4379-A3EA-C92EBD34F987} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2409C914-5F35-4379-A3EA-C92EBD34F987} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O9 - Extra button: Corel Network monitor worker - {2409C914-5F35-4379-A3EA-C92EBD34F987} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2409C914-5F35-4379-A3EA-C92EBD34F987} - (no file) (HKCU)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=

    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\spe

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
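
A small triage script for the kinds of HijackThis lines listed in the post above, as an added example that is not part of the original thread: it flags R0/R1 start/search pages that point at a local .chm file or an unexpected host, O9 entries with no backing file, and O13 prefixes that carry a host. `EXPECTED_HOSTS`, the function names and the two benign sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as normal for IE start/search pages on this machine.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")
LINE_RE = re.compile(r"^\s*(?P<sec>[RO]\d+) - (?P<body>.+?)\s*$")

# Constructed sample: four lines copied from the post, two benign lines made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
"""

def host_of(value):
    """Lower-cased host part of a URL-like string, or '' if it has none."""
    return (urlsplit(value).hostname or "").lower()

def triage_line(line):
    """Return (section, reason) for a suspicious HijackThis line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    if sec in ("R0", "R1"):
        # Body format: <registry key>,<value name> = <data>
        data = body.partition(" = ")[2].strip()
        host = host_of(data)
        if data.lower().startswith("mk:") or ".chm" in data.lower():
            return sec, "page set to a local compiled-help (.chm) file"
        if host and not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
            return sec, "page points at unexpected host " + host
    elif sec == "O9" and ("(no file)" in body or "(file missing)" in body):
        return sec, "toolbar button/menu item with no backing file"
    elif sec == "O13":
        # Body format: <name>: <prefix>; a bare "http://" prefix carries no host.
        host = host_of(body.partition(": ")[2].strip())
        if host:
            return sec, "URL prefix routes addresses through " + host
    return None

def triage(log_text):
    """List of (line, section, reason) for every flagged line in a log."""
    return [(l.strip(), *r) for l in log_text.splitlines() if (r := triage_line(l))]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit[1], "|", hit[2], "|", hit[0])
```
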
     
  6. drinkingfish

    drinkingfish Private E-2

    I think that has done the trick - fixing the O9 lines stopped it from coming back and all seems to be generally OK. I am going to buy a new fish and name it chaslang!

    This may seem like a dumb question, but how do I update my Windows OS and IE Explorer - do I have to go to Microsoft's site and do it?
     


  7. drinkingfish

    drinkingfish Private E-2

    By the way, I did fix all the lines you suggested, not just the O9 ones - just that I was fixing the others before and it kept coming back.

    Thanks again - any advice on keeping my Windows OS and IE Explorer up to date would be really appreciated.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean now. For info on updating your OS and protecting yourself see my thread titled: How to Protect yourself from malware!

    What kind of fish will be named after me? ;)
     
  9. drinkingfish

    drinkingfish Private E-2

    if you really want to know i was going to buy a black moor - they are a type of small coldwater fish - sure there are plenty of sites if you wanna see a picture - they are black with bug eyes. :)

    thanks for all your help and advice. i have been really impressed with your site and the speed and usefulness of your replies and links

    i will be back if i have any future probs!

    thanks again
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We aim to please. Send your friends here.

    Hmmm! Black moor...isn't that one of those chubby little goldfish? Bug eyes probably suits me. After all I get bug eyed looking at all the problems and logs here. :D
     
  11. PhilliePhan

    PhilliePhan Guest

    DRAT!!! Lost the picture!!!!
     
    Last edited by a moderator: Nov 28, 2004
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot the attachment, you dingbat! :p

    Yeah and now you need to edit the post to put it in!!!!!
     
  13. PhilliePhan

    PhilliePhan Guest

    Don't know where I put the darn picture. And it would have suited you too! Drat!

    You win this time. . . . Mr. SmartyPants!!!

    I'll be back. . . MWUUUHAAAAAHAAAAA :D
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah, yeah! Talk is cheap! I guess we have to expect as much from a Philly Fan!!!!!! :D
     
