Please help rid me of lucky search hijack

Discussion in 'adware, spyware & hijack cleaning' started by booshwah, Nov 22, 2003.

Thread Status:
Not open for further replies.
  1. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    I have the lucky search hijack. I have tried CWShredder and Spybot to rid it, but have had no luck. Here is my HijackThis log file.
    Will you tell me what to remove? Thanks. You all are great!
     

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    Welcome at Wilders. :)

    Did you create and implement C:\WINNT\Web\tips.ini as a stylesheet yourself?
    If not, could you please open that file in Notepad and post its content in your next post?

    Regards,

    Pieter
     
  3. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    I didn't create it. Here is the text. I hope this is what you are looking for. Thanks.
     

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    Thanks. There is another mystery in your log:
    C:\WINNT\System32\soundmx.exe
    Can you find that file and check its properties?

    For the time being, in IE click Tools > Internet Options > General tab > Accessibility > uncheck the stylesheet option.

    Regards,

    Pieter
     
  5. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    It looks like an older executable. I have attached a screenshot of its properties. Also I have unchecked the stylesheet option.

    Made the attachment a bit smaller
     

  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    Could you reboot and make a new HijackThis log please?
    And mail C:\WINNT\System32\soundmx.exe to the address in my profile please?

    Regards,

    Pieter
     
  7. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    Here is the new log file. The file you requested should be to your mail shortly. Thanks again.
     

  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    Are you noticing what I'm noticing?

    I'm afraid we have discovered a new variant of CWS here.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?uyoqs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?uyoqs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?uyoqs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?uyoqs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?uyoqs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?uyoqs (obfuscated)

    O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe

    O19 - User stylesheet: C:\WINNT\Web\tips.ini
    O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

    Then reboot again and let me know if I guessed right.
    Please mail me C:\WINNT\hh.htt as well.

    Regards,

    Pieter
     
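    As an added defender-side example (not from this thread, HijackThis or CWShredder), the following Python parses the R0/R1, O4 and O19 lines quoted above and flags the pattern Pieter identified: many IE start/search values pointing at one host, "user stylesheets" that are not .css files, and a bare executable autostarting out of the system directory. The sample log is constructed from the entries in this thread; the hit threshold and the system-directory heuristic are assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries quoted in this thread,
# plus one benign Run entry so the autorun heuristic has something to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?uyoqs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?uyoqs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?uyoqs (obfuscated)
O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O19 - User stylesheet: C:\WINNT\Web\tips.ini
O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)
"""

# R0/R1: IE start/search registry values; O4: Run-key autostarts; O19: user stylesheet.
R_ENTRY = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?) = (\S+)")
O4_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O19_ENTRY = re.compile(r"^O19 - User stylesheet: (.+?)(?: \((HK\w+)\))?$")
# Heuristic (assumption): a bare .exe launched straight out of the system directory.
SYSDIR_EXE = re.compile(r"\\(?:winnt|windows)\\system32\\[^\\ ]+\.exe$", re.I)

def triage(log_text, min_hits=3):
    """Flag the CWS pattern from this thread: several IE start/search values pointing at
    one host, non-.css 'user stylesheets', and system-directory autostarts."""
    hits = defaultdict(int)
    bad_sheets, autoruns = [], []
    for line in log_text.splitlines():
        if m := R_ENTRY.match(line):
            host = urlparse(m.group(4)).hostname  # None for about:blank and similar
            if host:
                hits[host] += 1
        elif m := O19_ENTRY.match(line):
            # A legitimate accessibility stylesheet is a .css file; .ini/.htt carriers are not.
            if not m.group(1).lower().endswith(".css"):
                bad_sheets.append(m.group(1))
        elif m := O4_ENTRY.match(line):
            if SYSDIR_EXE.search(m.group(3)):  # still needs an analyst's review
                autoruns.append((m.group(2), m.group(3)))
    return {
        "hijack_hosts": {h: n for h, n in hits.items() if n >= min_hits},
        "bad_stylesheets": bad_sheets,
        "suspicious_autoruns": autoruns,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```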
  9. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    You're good. That seems to have gotten rid of it. Thanks. You guys are great!!!!!!!
     
  10. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    Also I think you are probably right about the new variant thing. I had the global finder hijack not too long ago and cwshredder wiped it out and this time it didn't work. Tried many things that didn't work. I'm glad I stumbled across you guys. Thanks again. I can't believe your responses are so quick!!
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    Glad we could help.
    When I smell CWS I'm faster than a leopard. ;)

    I have not received any files yet. You did send them, right?

    I would like to get this added to CWShredder as fast as possible.

    Regards,

    Pieter
     
  12. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Would like to say, boos,
    Wilders really is a place to get help and to give help. I was seeing the post when I came across the new variant. I just made a note of it. Pieter is great in analysing hijacks.
    Good luck, y'all.
     
  13. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    I did send the soundmx.exe to your email several minutes ago. I can't find the C:\WINNT\hh.htt you requested though. I see a hh.exe and a "folder.hht" but that's it. When I run the C:\WINNT\hh.htt from the Run command with Notepad, I get some info there. Any advice on finding the file? Let me know if you didn't receive soundmx.exe and I will resend it as well. Thanks.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I don't think you can run a .htt that way.

    I think HijackThis destroyed it. No problem as long as I get soundmx.exe. I think I can generate as many hh.htt's as I want.

    It could take a while until I receive it. I'll report back if I haven't got it in a half hour from now.

    Thanks for helping out.

    I have found two more people with the same hijack in the meantime. :mad:

    Regards,

    Pieter
     
  15. booshwah

    booshwah Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    8
    Pieter,

    If you are still looking for that soundmx file, it probably came to your email with a sender name of "Burm metcuf" instead of booshwah. Hope this helps. Thank you.
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    I received it in the meantime and forwarded it to the anti-spyware industry.
    As far as CWS goes this one is relatively harmless. All it does is hijack the start- and search pages and add two stylesheets.
    Thank you for submitting that file. :)

    Regards,

    Pieter
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi booshwah,

    Could you please download, unzip and run CWShredder?
    Make sure you have version 1.36.0.
    This will remove anything we left behind.

    Regards,

    Pieter
     