Help with shopnav drsn seach hijacking

Discussion in 'adware, spyware & hijack cleaning' started by rcky mntere, May 28, 2004.

Thread Status:
Not open for further replies.
  1. rcky mntere

    rcky mntere Registered Member

    Joined:
    May 28, 2004
    Posts:
    1
    Just yesterday I was bitten by the Hijack search DRSN.
    However, it appears that unlike the others that have posted a similar situation, I have searched my computer for the *.dll files referenced in the removal processes AND
    have not found ANY files/or folders with *SRNG*.

    I have used the regedit to delete the registries with anything pointing to the drsn search engine but they reappear after I've rebooted and restarted IE.

    I have used the IE tools optioins to reset the settings to default. THis seems to work only for that browser setting, assuming I close and reopen my IE Search (which I want to default to msnsearch.com with the previews in the right hand content pane. If I open an additional IE browser session (with the first one "fixed"), and I open the search tool, BOTH IE sessions becomes hijacked to drsn search...
     

    Attached Files:

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rcky mntere,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O4 - Startup: PowerReg Scheduler.exe

    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab

    Then reboot into safe mode and delete:
    C:\Program Files\WebSavingsfromEbates <= entire folder
    C:\WINDOWS\wupdt.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.