Homepage hijacked to your-searcher.com

Discussion in 'adware, spyware & hijack cleaning' started by Flight, May 22, 2004.

Thread Status:
Not open for further replies.
  1. Flight

    Flight Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    8
    Hi security experts.
    Every time I run IE, my homepage gets set to your-searcher.com. I'm certainly not a HijackThis expert, but I ran HijackThis and deleted all lines that have a mention of your-searcher.com. They always reappear, and my homepage always gets reset.
    Also, the 'busy' hourglass icon starts to randomly appear next to the main cursor, even when I'm not running anything.
    In addition, I can't actually change my homepage. When I go to Tools/Internet Options and enter a new homepage, IE just locks up. At that point, I have to ctrl-alt-del, 'end task' on explorer, and then restore my active desktop. Since my homepage got hijacked, I also get a strange 'win min' error when I try and restart/shut down my computer, and I have to end task on that as well for my 'pute to actually shut off.
    A secondary problem is that I got hit about three weeks ago with troj.stillen.a, which gives me a bunch of popups, but I decided I could live with them. However, it's possible that, by not cleaning that, it led to my new problems. If you guys could help me clean my system altogether, it would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:51:48 PM, on 5/22/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\WINDOWS\APPLICATION DATA\RERR.EXE
    C:\WINDOWS\CVCHOST.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FAWGRD32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FA_GD32.EXE
    C:\PROGRAM FILES\FIRSTAID 98\RTFIXM32.EXE
    C:\_WINBKUP\DESKTOP\MEEP1\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.199.13.190:8002
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\SYSTEM\WINALOT32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series-MackEd] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P30 "EPSON Stylus C62 Series-MackEd" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [6tjbd2t2] C:\WINDOWS\TEMP\6TJBD2T2.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [_QI021EE] C:\WINDOWS\SYSTEM\_QI021EE.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [Alau] C:\WINDOWS\Application Data\rerr.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\FirstAid 98\Fawgrd32.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD0.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Flight,

    Have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

    O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\SYSTEM\WINALOT32.DLL

    O4 - HKLM\..\Run: [6tjbd2t2] C:\WINDOWS\TEMP\6TJBD2T2.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [_QI021EE] C:\WINDOWS\SYSTEM\_QI021EE.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKCU\..\Run: [Alau] C:\WINDOWS\Application Data\rerr.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe

    Make sure show hidden files/folders is enabled: Here's How

    Then restart PC in Safe Mode: Here's How and remove (if still present):

    C:\WINDOWS\TEMP\6TJBD2T2.EXE <- this file
    C:\PROGRAM FILES\COMMON FILES\DPI\ <- this folder
    C:\Program Files\Common files\updmgr\ <- this folder
    C:\WINDOWS\ALCHEM.exe <- this file
    C:\WINDOWS\SYSTEM\_QI021EE.exe <- this file
    C:\WINDOWS\SYSTEM\MSREXE.EXE <- this file
    C:\WINDOWS\Application Data\rerr.exe <- this file
    c:\windows\cvchost.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Hope this helps

    Cheers,
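The triage above (pick the R0/R1, O2 and O4 entries to fix, then derive the files to delete in Safe Mode, then re-check the second log) can be scripted. This is an added example, not code from the thread or from HijackThis; the indicator lists are the entries the reply names, and the sample log is constructed from a few of the poster's lines.

```python
import re

# Added example (not from the thread): triage a HijackThis 1.97-style log the
# way the reply above did. Indicators are the entries that reply told the
# poster to fix; the sample log is constructed from a few of the thread's lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\SYSTEM\WINALOT32.DLL
O4 - HKLM\..\Run: [6tjbd2t2] C:\WINDOWS\TEMP\6TJBD2T2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Alau] C:\WINDOWS\Application Data\rerr.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
"""

HIJACK_HOSTS = {"your-searcher.com"}          # host the R0/R1 entries were pointed at
BAD_FILENAMES = {"winalot32.dll", "6tjbd2t2.exe", "dpi.exe", "updmgr.exe", "alchem.exe",
                 "_qi021ee.exe", "msrexe.exe", "rerr.exe", "cvchost.exe"}
SUSPECT_DIRS = ("\\windows\\temp\\", "\\application data\\")  # odd places for an autorun

PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll))"?', re.I)  # first drive-letter path
URL_RE = re.compile(r"= (?:https?://)?([^/\s]+)")                 # host after "Key = "

def is_suspicious(line):
    """Return the reason an HJT line should be fixed, or None if it looks benign."""
    if line[:2] in ("R0", "R1"):
        m = URL_RE.search(line)
        return "hijacked URL" if m and m.group(1).lower() in HIJACK_HOSTS else None
    if line[:2] in ("O2", "O4"):
        m = PATH_RE.search(line)
        path = m.group(1).lower() if m else ""
        name = path.rsplit("\\", 1)[-1]
        if name in BAD_FILENAMES:
            return "known hijacker file"
        if any(d in path for d in SUSPECT_DIRS):
            return "autorun from temp/profile dir"
    return None

def fix_list(log):
    """Lines to tick in HijackThis, in log order."""
    return [l.strip() for l in log.splitlines() if l.strip() and is_suspicious(l.strip())]

def files_to_delete(log):
    """Paths behind the flagged O2/O4 lines: what to remove in Safe Mode afterwards."""
    return sorted({m.group(1) for l in fix_list(log) for m in [PATH_RE.search(l)] if m})

def still_present(before, after):
    """Flagged lines from the first log that survive in the second: the re-check step."""
    after_lines = {l.strip() for l in after.splitlines()}
    return [l for l in fix_list(before) if l in after_lines]
```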
     
  3. Flight

    Flight Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    8
    Ok, did as instructed (I couldn't find the _QI021ee.exe file anywhere on the computer, however). The your-searcher seems to be gone and I can reset my homepage without having my computer lock up. Here's my new hijack log, in case you can see something else amiss.

    As a side note, this is the second time you guys have helped me clear my computer, and I can't thank you enough. My old P2 is a piece of crap (which is why, I assume, it keeps getting infected, although I've gone to the thread on how to prevent infection and hopefully in the future it won't happen as much), but it's all I have, and when it doesn't run correctly I am sad. Thanks again! I appreciate it a great deal.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:03 AM, on 5/23/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FAWGRD32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FA_GD32.EXE
    C:\PROGRAM FILES\FIRSTAID 98\RTFIXM32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\_WINBKUP\DESKTOP\MEEP1\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2wire.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.199.13.190:8002
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series-MackEd] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P30 "EPSON Stylus C62 Series-MackEd" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\FirstAid 98\Fawgrd32.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD0.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Flight,

    Your log is clean, but if every CPU cycle counts, fix this line as well:
    O4 - Startup: PowerReg SchedulerV2.exe

    Regards,

    Pieter
     