Search bar and home page changing

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rube, Mar 29, 2005.

  1. Rube

    Rube Private E-2

    I'm trying to get my mom's computer working properly again. She has XP Home. What started the whole thing is that I had installed Spybot a long time ago (last year I think). When I installed it, I also installed TeaTimer which alerts her any time a registry change is made. In the last couple weeks TeaTimer has been popping up almost constantly with something like:

    searchbar change:
    old data: txumkspgxe.org
    new data: wolxiiybpcliu.com

    Alarm bells were going off in my head that she has some kind of malware on her computer. I had her run HijackThis and I noticed the following anomalies:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yxgjnkmedi.com/OD5nqv2E9uZ__PIrV5kzfC1Sdl3f1i7L5D7Wweq2gxO08oNty6GitLXt5f_UUGK9.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xauerqljycegegugcnzf.com/OD5nqv2E9uYJY8lvRvWdEdQOzkB4CvrDupBwy2Qe9Zc.htm

    and further down:

    O4 - HKCU\..\Run: [Oozecdrom] C:\DOCUME~1\VIRGIN~1\APPLIC~1\ThatDate\pure heck more.exe

    I had her fix those two items. It appears (after just an hour of use) that TeaTimer has stopped popping up. However, those bogus Search Bar and Start Page URLs keep showing up in HijackThis even after she reboots. I had her fix them twice and they came back again, although the second time it was:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rmkqeultrqseiju.com/OD5nqv2E9uZ__PIrV5kzfC1Sdl3f1i7L5D7Wweq2gxPRFdGAWQjIuLXt5f_UUGK9.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xauerqljycegegugcnzf.com/OD5nqv2E9uYJY8lvRvWdEdQOzkB4CvrDupBwy2Qe9Zc.htm

    So, I have two questions:
    1. Does anyone know what that "pure heck more.exe" is? I searched the net and couldn't find any references to it nor to "oozecdrom". It didn't show up again in the HJT log, so I'm not terribly concerned about it, but I didn't have her delete it yet in case it is some new malware that someone wants to analyze.
    2. What's causing the two changes to happen all the time? Does she just need to reset her home page and search page (whatever that is) and those two bogus URLs will go away?

    Thanks,
    Bryan Rubingh
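
    As an added example (not part of the thread, and not a MajorGeeks or HijackThis tool), the script below parses the R0/R1 and O4 lines of a HijackThis log and flags the two patterns the post describes: Internet Explorer Start Page / Search Bar values pointing at a domain outside an allowlist of expected ones, and a Run entry that launches an executable from inside the user profile. The sample log is constructed from the entries quoted above plus two benign lines; the allowlist and the consonant-run heuristic used to mark random-looking domain names are assumptions, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the entries quoted in the post, plus one benign Start Page
# and one benign (placeholder) Run entry so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yxgjnkmedi.com/OD5nqv2E9uZ__PIrV5kzfC1Sdl3f1i7L5D7Wweq2gxO08oNty6GitLXt5f_UUGK9.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xauerqljycegegugcnzf.com/OD5nqv2E9uYJY8lvRvWdEdQOzkB4CvrDupBwy2Qe9Zc.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example Vendor\tray.exe
O4 - HKCU\..\Run: [Oozecdrom] C:\DOCUME~1\VIRGIN~1\APPLIC~1\ThatDate\pure heck more.exe
"""

# Assumed allowlist of registered domains a home page / search page may legitimately use.
EXPECTED_DOMAINS = {"microsoft.com", "msn.com", "google.com"}

# Path fragments (8.3 and long forms) that place an executable inside a user profile.
PROFILE_MARKERS = ("\\DOCUME~1\\", "\\DOCUMENTS AND SETTINGS\\", "\\APPLIC~1\\",
                   "\\APPLICATION DATA\\", "\\LOCAL SETTINGS\\", "\\TEMP\\")

R_LINE = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<value>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag: R0, R1 or O4
    detail: str    # the URL or executable path
    reason: str    # why it was flagged


def registered_domain(url: str) -> str:
    """Reduce a URL to its last two host labels, e.g. www.example.com -> example.com."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def longest_consonant_run(label: str) -> int:
    """Heuristic (assumed): long consonant runs are typical of machine-generated names."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def analyze(log_text: str) -> list:
    """Return the R0/R1/O4 entries that match the hijack patterns described in the post."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            domain = registered_domain(m["value"])
            if domain not in EXPECTED_DOMAINS:
                setting = m["key"].split(",")[-1]          # "Start Page" or "Search Bar"
                reason = f"{setting} points at unexpected domain {domain}"
                if longest_consonant_run(domain.split(".")[0]) >= 5:
                    reason += " (random-looking name)"
                findings.append(Finding(m.group(1), m["value"], reason))
            continue
        m = O4_LINE.match(line)
        if m and any(marker in m["path"].upper() for marker in PROFILE_MARKERS):
            findings.append(Finding("O4", m["path"],
                                    f"{m['hive']} Run entry '{m['name']}' launches from a user-profile folder"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n      {f.detail}")
```

    Run on the sample, it reports the two hijacked IE values and the Oozecdrom Run entry while letting the microsoft.com start page and the Program Files entry through. Because the post shows the values being rewritten to a fresh random domain after each fix, the useful check is the allowlist comparison rather than any list of known-bad domains; the consonant-run score is only supporting evidence.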
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That stuff is all malware, and where there is one problem there is sure to be more. Please follow the steps below.

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
