hijacks
prince rupert
07-19-04, 11:12 AM
I have recently been hijacked by Home Search Assistant, which took over my homepage and has since placed endless popups on screen. It also overrides my chosen homepage (Google). Today I thought I would just try the Internet Tools Set Homepage route again and... it worked! No idea why. Though I still have the overriding problem. After trying to remove the HSA programme from Add/Remove Programmes and failing (message was "unable to open http://looking-for.cc/uninstall/HomeSearchAssistant.html") I typed this address into the address bar, which came up with a page which asked me to download an uninstall programme. I didn't dare try it in case it was a trap to get me even deeper into this nightmare! Though it is tempting.
I have on PCStats advice downloaded AdAware and if nothing else am learning a lot about computer :confused: things in general.
Any easy hints regarding HSA or shared experiences anybody?
Thanks
Adaware and Spybot S&D should do it. If not, look for a basic guide on it on the PCStats homepage. I think there is one on hijacking...
therealwesty
07-19-04, 01:04 PM
Browser hijacks can be a real pain. I have seen a few cases that Ad-Aware or Spybot wouldn't correct and actually ended up formatting and re-installing Windows. If you can't get rid of the hijack I'd suggest you download and install a different web browser. I've been using Mozilla Firefox lately, same kind of layout as IE but it's not as susceptible to spyware.
prince rupert
07-19-04, 02:17 PM
Thanks guys
Any more information on Mozilla? Sounds interesting.
I must admit I had considered a clean sweep and reload but obviously I'd rather not!
Doc Timbo
07-20-04, 09:24 PM
Used Mozilla for a few weeks. Pretty similar in usage to IE; one thing I did love was that it doesn't just say ''downloading from site''... it also says ''waiting for site to do something..'' when it is waiting. I love extra information.
Well, this could be a long shot, but try deleting the Temporary Internet Files after you scan with Ad Aware, and see if it helps.
Edit: Haha, nice sig by the way Timbo, I get it! I get it! If that's all the A+ training taught me I'm happy :P.
prince rupert
07-22-04, 02:30 AM
Perhaps you guys could help on this one:
I now have my default homepage back but still getting the popups. After scanning with AdAware I am told that Cool Web Search (the offending SpyWare) is in the following places:
obj(1)=RegKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
there are 3 of these with endings: HSA, SE and SW, and then:
obj(4) = File C:\windows\system\etbsh.dll
What is the answer to finding these and getting rid of them? Every time AdAware finds them they keep coming back!
Any help gratefully received
Thanks
chris0000001
07-22-04, 10:12 AM
Firefox is awesome, I use it at work, and the thing I love most about it is that it's completely customizable, you just add the plug-ins you want when you want... it's great. As for the spyware, if Adaware isn't working try Window Washer, there's a free trial, you can get it from webroot.com. It's pretty good at cleaning the registry; be sure to go in the settings and turn on clean with bleach.
Perhaps you guys could help on this one:
I now have my default homepage back but still getting the popups. After scanning with AdAware I am told that Cool Web Search (the offending SpyWare) is in the following places:
obj(1)=RegKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
there are 3 of these with endings: HSA, SE and SW, and then:
obj(4) = File C:\windows\system\etbsh.dll
What is the answer to finding these and getting rid of them? Every time AdAware finds them they keep coming back!
Any help gratefully received
Thanks
I had the same problem with AdAware once upon a time. It would find the offending registry entries, seemingly delete them, then as soon as I started IE up again they would be back.
Here's how I fixed it: make a note of the offending locations that AdAware tells you. Download a program called "Hijackthis" and do a scan. Be careful, because Hijackthis shows both good and bad programs that access the internet in its scan, so you have to weed out which are good and which are bad, hence the notes you took from AdAware on malicious registry entries.
The authors of Hijackthis recommend that you post the scan results in their forum so that they can tell you which entries to delete and which to leave, so that would be a safer way to do it. All of this info can be found in PCStats' browser hijack fix guide.
:confused: Hi I'm a computer beginner and just downloaded Spybot S&D and I purged something called IE plugins by mistake. Arrgh, can anyone help. I don't even know what plugins are. If they are important, does anyone know how to get it back.
deadcow
12-02-04, 03:27 PM
Hello to all! I'm new on this forum. I have the same problem as some of you -> "homesearchassistant", "search extender" and "shopping wizard", I can't get rid of it =( I have used "Stinger", "Spybot S&D", "adaware (latest version)" but I still get those annoying popups, browser faults, and my RAM is getting very f*cked up.
here is my hijackthis log file:
Logfile of HijackThis v1.97.7
Scan saved at 21:16:50, on 2/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\NETQF.EXE
C:\WINDOWS\SYSTEM\ADDKO.EXE
C:\WINDOWS\NETTR32.EXE
C:\WINDOWS\SYSTEM\WINYV.EXE
C:\WINDOWS\MFCBJ.EXE
C:\WINDOWS\SYSTEM\ATLZR32.EXE
C:\WINDOWS\CRLX32.EXE
C:\WINDOWS\JAVAFG32.EXE
C:\WINDOWS\CREB32.EXE
C:\WINDOWS\SYSTEM\ATLBK32.EXE
C:\WINDOWS\IEYF32.EXE
C:\WINDOWS\SYSTEM\MFCCE.EXE
C:\WINDOWS\MFCOM32.EXE
C:\WINDOWS\SYSTEM\APIHA.EXE
C:\WINDOWS\SYSTEM\JAVAQR.EXE
C:\WINDOWS\ADDBZ32.EXE
C:\WINDOWS\SDKNC.EXE
C:\WINDOWS\MFCOQ32.EXE
C:\WINDOWS\SDKAV.EXE
C:\WINDOWS\APPZL.EXE
C:\WINDOWS\SYSTEM\MSYK.EXE
C:\WINDOWS\SYSTEM\MSAA.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\D3VE32.EXE
C:\WINDOWS\SYSTEM\APIXG.EXE
C:\WINDOWS\SYSTEM\SYSRX.EXE
C:\WINDOWS\SYSTEM\MFCVJ32.EXE
C:\WINDOWS\SYSTEM\MFCUD.EXE
C:\WINDOWS\MSAV32.EXE
C:\WINDOWS\CRGJ.EXE
C:\WINDOWS\SYSTEM\ADDCA.EXE
C:\WINDOWS\SYSGL32.EXE
C:\WINDOWS\SYSTEM\JAVALA32.EXE
C:\WINDOWS\ATLAE.EXE
C:\WINDOWS\SYSTEM\APIHL.EXE
C:\WINDOWS\MSQH.EXE
C:\WINDOWS\SYSTEM\CRFN32.EXE
C:\WINDOWS\SYSTEM\SDKYY.EXE
C:\WINDOWS\SDKQQ32.EXE
C:\WINDOWS\SYSTEM\ADDHR.EXE
C:\WINDOWS\SYSTEM\SYSCL.EXE
C:\WINDOWS\JAVAXS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\DBSERVER.EXE
C:\PROGRAM FILES\LOOKNMEET\AGENT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
C:\MSCAN\MSOFFICE\PANEL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\MSFS.EXE
C:\WINDOWS\SYSTEM\ATLBK32.EXE
C:\WINDOWS\SYSTEM\ATLBK32.EXE
C:\WINDOWS\SYSTEM\ADDKO.EXE
C:\WINDOWS\SYSTEM\ATLBK32.EXE
C:\WINDOWS\SYSTEM\MSFW32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\MSFW32.EXE
C:\WINDOWS\ATLEH.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.linksummary.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8000/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.be
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {148F2ECD-BC7D-66E0-FBCD-EE4535F4853A} - C:\WINDOWS\SYSTEM\ATLIK32.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Gravis AppAware Loader] C:\WINDOWS\SYSTEM\DBServer.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [MSFS.EXE] C:\WINDOWS\SYSTEM\MSFS.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [NETQF.EXE] C:\WINDOWS\SYSTEM\NETQF.EXE
O4 - HKLM\..\RunServices: [ATLBK32.EXE] C:\WINDOWS\SYSTEM\ATLBK32.EXE
O4 - HKLM\..\RunServices: [NETTR32.EXE] C:\WINDOWS\NETTR32.EXE
O4 - HKLM\..\RunServices: [JAVAFG32.EXE] C:\WINDOWS\JAVAFG32.EXE
O4 - HKLM\..\RunServices: [CREB32.EXE] C:\WINDOWS\CREB32.EXE
O4 - HKLM\..\RunServices: [IEYF32.EXE] C:\WINDOWS\IEYF32.EXE
O4 - HKLM\..\RunServices: [MFCOQ32.EXE] C:\WINDOWS\MFCOQ32.EXE
O4 - HKLM\..\RunServices: [MFCBJ.EXE] C:\WINDOWS\MFCBJ.EXE
O4 - HKLM\..\RunServices: [ADDKO.EXE] C:\WINDOWS\SYSTEM\ADDKO.EXE
O4 - HKLM\..\RunServices: [WINYV.EXE] C:\WINDOWS\SYSTEM\WINYV.EXE
O4 - HKLM\..\RunServices: [CRLX32.EXE] C:\WINDOWS\CRLX32.EXE
O4 - HKLM\..\RunServices: [MFCOM32.EXE] C:\WINDOWS\MFCOM32.EXE
O4 - HKLM\..\RunServices: [APIHA.EXE] C:\WINDOWS\SYSTEM\APIHA.EXE
O4 - HKLM\..\RunServices: [MFCCE.EXE] C:\WINDOWS\SYSTEM\MFCCE.EXE
O4 - HKLM\..\RunServices: [ATLZR32.EXE] C:\WINDOWS\SYSTEM\ATLZR32.EXE
O4 - HKLM\..\RunServices: [ADDBZ32.EXE] C:\WINDOWS\ADDBZ32.EXE
O4 - HKLM\..\RunServices: [SDKNC.EXE] C:\WINDOWS\SDKNC.EXE
O4 - HKLM\..\RunServices: [SDKAV.EXE] C:\WINDOWS\SDKAV.EXE
O4 - HKLM\..\RunServices: [JAVAQR.EXE] C:\WINDOWS\SYSTEM\JAVAQR.EXE
O4 - HKLM\..\RunServices: [APPZL.EXE] C:\WINDOWS\APPZL.EXE
O4 - HKLM\..\RunServices: [MSAA.EXE] C:\WINDOWS\SYSTEM\MSAA.EXE
O4 - HKLM\..\RunServices: [MSYK.EXE] C:\WINDOWS\SYSTEM\MSYK.EXE
O4 - HKLM\..\RunServices: [D3VE32.EXE] C:\WINDOWS\D3VE32.EXE
O4 - HKLM\..\RunServices: [MSAV32.EXE] C:\WINDOWS\MSAV32.EXE
O4 - HKLM\..\RunServices: [APIXG.EXE] C:\WINDOWS\SYSTEM\APIXG.EXE
O4 - HKLM\..\RunServices: [SYSRX.EXE] C:\WINDOWS\SYSTEM\SYSRX.EXE
O4 - HKLM\..\RunServices: [CRGJ.EXE] C:\WINDOWS\CRGJ.EXE
O4 - HKLM\..\RunServices: [MFCVJ32.EXE] C:\WINDOWS\SYSTEM\MFCVJ32.EXE
O4 - HKLM\..\RunServices: [ADDCA.EXE] C:\WINDOWS\SYSTEM\ADDCA.EXE
O4 - HKLM\..\RunServices: [MFCUD.EXE] C:\WINDOWS\SYSTEM\MFCUD.EXE
O4 - HKLM\..\RunServices: [JAVALA32.EXE] C:\WINDOWS\SYSTEM\JAVALA32.EXE
O4 - HKLM\..\RunServices: [SYSGL32.EXE] C:\WINDOWS\SYSGL32.EXE
O4 - HKLM\..\RunServices: [APIHL.EXE] C:\WINDOWS\SYSTEM\APIHL.EXE
O4 - HKLM\..\RunServices: [ATLAE.EXE] C:\WINDOWS\ATLAE.EXE
O4 - HKLM\..\RunServices: [MSQH.EXE] C:\WINDOWS\MSQH.EXE
O4 - HKLM\..\RunServices: [SDKQQ32.EXE] C:\WINDOWS\SDKQQ32.EXE
O4 - HKLM\..\RunServices: [ADDHR.EXE] C:\WINDOWS\SYSTEM\ADDHR.EXE
O4 - HKLM\..\RunServices: [CRFN32.EXE] C:\WINDOWS\SYSTEM\CRFN32.EXE
O4 - HKLM\..\RunServices: [SYSCL.EXE] C:\WINDOWS\SYSTEM\SYSCL.EXE
O4 - HKLM\..\RunServices: [SDKYY.EXE] C:\WINDOWS\SYSTEM\SDKYY.EXE
O4 - HKLM\..\RunServices: [JAVAXS.EXE] C:\WINDOWS\JAVAXS.EXE
O4 - HKLM\..\RunServices: [MSFW32.EXE] C:\WINDOWS\SYSTEM\MSFW32.EXE
O4 - HKLM\..\RunServices: [ATLEH.EXE] C:\WINDOWS\ATLEH.EXE
O4 - HKCU\..\Run: [LookNMeet] C:\Program Files\LookNMeet\Agent.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_32\Watch.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMENU.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O9 - Extra button: LookNMeet (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://www.looknmeet.be:8080/lnm_v4/agent/LNMAgentInstaller.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0477ade10d6a9bde6b14/netzip/RdxIE601.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38176.4397800926
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Can someone help me please?? Because I don't understand all this... =s
Greetings from Belgium
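The advice earlier in the thread (note the locations AdAware reports, then weed the HijackThis scan by hand) and the log just posted both come down to the same triage step: deciding which R0/R1, O2, O4 and O15 entries look like hijacker residue. The script below is an added example written for this thread; it is not a tool from the thread, from HijackThis or from PCStats. It applies four heuristics that match what this log shows (IE search pages served from a local DLL via res://, unnamed BHOs loaded from the Windows directory, RunServices entries whose label is just the executable name and whose file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, and any Trusted Zone addition). The heuristics and the `SYSTEM_DIRS` set are assumptions for illustration, not a signature database, and the sample lines are constructed copies modelled on the log above.

```python
"""Triage a HijackThis-style log for browser-hijacker residue.

Added example for this thread (not HijackThis or PCStats code). The
heuristics are assumptions chosen to match the log posted above; they
will produce false positives and are a starting point for manual review,
not a verdict.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "R1", "O4"
    reason: str    # why the line was flagged
    line: str      # the log line itself


# Assumption: the hijacker in this thread dropped its executables directly
# into these two directories, so autoruns living there get extra scrutiny.
SYSTEM_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}

# res:// URL that points at a DLL (search page served from a local resource)
_RES_DLL = re.compile(r"res://[^\s]+\.dll", re.IGNORECASE)
# O4 - <hive>: [<label>] <path> [optional /switch]
_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]+)\] (?P<path>.+?)(?:\s+/\S+)?$")
# O2 - BHO: <name> - {CLSID} - <path>
_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")

# Constructed sample lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\syfwj.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.be
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {148F2ECD-BC7D-66E0-FBCD-EE4535F4853A} - C:\WINDOWS\SYSTEM\ATLIK32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [NETQF.EXE] C:\WINDOWS\SYSTEM\NETQF.EXE
O4 - HKLM\..\RunServices: [JAVAFG32.EXE] C:\WINDOWS\JAVAFG32.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
"""


def _parent_dir(path: str) -> str:
    """Directory part of a Windows path, upper-cased for comparison."""
    return path.rsplit("\\", 1)[0].upper()


def _filename(path: str) -> str:
    """File name part of a Windows path, upper-cased for comparison."""
    return path.rsplit("\\", 1)[-1].upper()


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the hijacker heuristics."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            # A search/start page loaded from a local DLL is the classic
            # CoolWebSearch-style sign; a plain URL or about:blank is not.
            if _RES_DLL.search(line):
                findings.append(Finding(section, "IE search/start page served from a local DLL resource", line))
        elif section == "O2":
            m = _O2.match(line)
            if m and m.group("name").strip() == "(no name)" and _parent_dir(m.group("path")) in SYSTEM_DIRS:
                findings.append(Finding(section, "unnamed BHO loaded from the Windows directory", line))
        elif section == "O4":
            m = _O4.match(line)
            if m:
                path = m.group("path").strip()
                # Label identical to the file name AND file dropped straight into
                # the Windows directory: the pattern every hijacker entry above shows.
                if m.group("label").upper() == _filename(path) and _parent_dir(path) in SYSTEM_DIRS:
                    findings.append(Finding(section, "autorun labelled only by its filename, living in the Windows directory", line))
        elif section == "O15":
            # Trusted Zone additions silently relax IE's security settings for a site.
            findings.append(Finding(section, "site added to the Trusted Zone", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged lines per section for a quick overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(flagged))
```

Running it over the sample flags five lines (the res:// search page, the unnamed BHO in C:\WINDOWS\SYSTEM, the two RunServices entries dropped into the Windows directory, and the Trusted Zone entry) while leaving the Google toolbar BHO, the AVG service and the SysTray autorun alone. Swap `SAMPLE_LOG` for the contents of a real log file to triage it; anything flagged still needs the manual check the thread recommends, since legitimate software occasionally matches these patterns too.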