Re: IE6 Search Hijack


From: PA Bear (PABear_at_mvps.org)
Date: 11/03/04


Date: Wed, 3 Nov 2004 11:37:30 -0500


> I have tried using HijackThis, removing suspicious entries without
> success.

See below.

Dealing with Trojans & Hijackware

A. Trojans

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow *all* Removal steps, including editing the Registry if directed.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then:

    Disk Cleanup > More options > Delete all but the most recent Restore
Point.

B. Hijackware

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run these tools in the following order with nothing else running in
background:

1. CWShredder v2.0 (Run "Fix", not "Scan")
    http://forum.aumha.org/downloads/cwshredder.zip

2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)
    http://www.lavasoftusa.com/support/download/

3. Spybot (RTFM; Immunize then Scan; Generally fix everything in red)
    http://www.safer-networking.org/en/index.html

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails...

HijackThis
http://forum.aumha.org/downloads/hijackthis.zip

...is the preferred tool to use. With advice from experts, it will help you
to both identify and remove any hijackware/spyware. Post your log to, e.g.,
http://forums.spywareinfo.com/, http://computercops.biz/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, **not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

-- 
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP
What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx
"There is no 'silver bullet' solution."
http://go.microsoft.com/fwlink/?LinkId=33131
Sun Chong Hong wrote:
> (Warning - readers are cautioned not to try to reach the URL mentioned
> in this post, especially the IP address unless they are sure of what
> they are doing.)
>
> There have been many similar posts about the search hijack. In my case
> I noticed that my IE6 browser search behaved differently following the
> RuneScape Windows Client download from the Internet to play the
> Web-based ActiveX control game. Since then my pc always tries to
> connect to IP 69.26.170.37 whenever I am on line.
>
> I am not sure if RuneScape is the cause of the problem (it has a trust
> certificate to show), but my Zone Alarm Personal Internet Log shows
> that if I deny access to programs such as Internet Explorer or Windows
> Explorer, the ZA log will show that access to IP 69.26.170.37:80 is
> denied too.
>
> My computer had Spywareblaster installed. Scanning using resident
> Adaware and Spybot with latest updates produced negative results.
> Scanning with Antivirus Avast! (autoupdate) also revealed nothing.
>
> Free online scans provided by PestPatrol and F-Secure removed some
> trojan key loggers, adware and dialers. Further online scan using
> Symantec and Yahoo Antispy showed that there is nothing left, but the
> problem remained.
>
> The effect of the problem is shown when I use the IE Address bar. For
> example, if I type uob and <enter>, I get a web page showing uob.com
> with links to other sites (the code appears to be java code). The
> address bar will show http://uob/.
>
> Similarly, if I type 69.29.170.37 in the Address Bar, I will get a
> bogus web page called Seek2.com, again with links to other sites.
> Sometimes a popup message asks me whether I want to set a bogus
> http://search.net as my home page. However, if there is a legitimate
> address such as dbs, the correct web page will be displayed. The
> behavior of the search has been changed since then and I can't get
> back the default.
>
> I have tried using HijackThis, removing suspicious entries without
> success.
>
> CWShredder showed nothing.
>
> Scanning in the safe mode also turned up nothing.
>
> Newsgroups have similar postings on the seek2.com but they are not
> much of a help to me.
>
> Using WHOIS traced the IP to unknown.xeex.com. This is sometimes shown
> in my ZA internet log.
>
> I have included the IP in my hosts file. But I am not sure whether it
> works. In any case I learned that the hosts file can be hijacked too.
>
> I installed Sygate Personal Firewall which can block individual IP.
> With ZA deactivated and this IP blocked from all applications, I typed
> the IP in the address bar and got the message that "the message cannot
> be displayed....", with the status bar showing that I was in Local
> Intranet Zone!
>
> If I click on the Search button, it will trigger an attempt to connect
> to 69.26.170.37:80 via IE, in addition to Yahoo and MSN. But at least
> the Search functions appear to work according to the Advanced tab in
> the Internet Options.
>
> And now my Sygate Firewall Packet Log shows that practically every
> application that goes on line, and some window services are blocked
> trying to connect to 69.26.170.37. Examples are, besides IE, Avast
> Antivirus, WinWord, Windows Media Player, Realplayer, MSN Messenger,
> Spybot's TeaTimer, svchost.exe, ntoskrnl.exe, lsass.exe, services.exe,
> csrss.exe, etc.
>
> By the way, my internet access is through an ADSL Ethernet modem
> (Aztech DSL 305E) and a SMC 5 port switch. I wonder whether these can
> be exploited? I am using XP Professional SP1 with all the latest
> updates (SP2 uninstalled because of compatibility issue).
>
> After struggling to find a solution for over a month, I now find that
> my computer also tries to contact 64.15.205.xxx (svchost.exe) for no
> apparent reason.
>
> Any comments would be appreciated.
>
>
> Sun Chong Hong 
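The original poster added the hijacker's IP address to the hosts file and noted that the hosts file itself can be hijacked. Two points worth checking on any machine with redirected browsing: a hosts file maps names to addresses, so listing a bare IP address in it does nothing (an IP has to be blocked at the firewall, as the poster later did with Sygate), and a hijacked hosts file shows up as names pointed at routable addresses or at loopback. The following audit script is an added example written for this thread, not code from either poster or from any of the tools named above; the hosts content it scans is constructed sample data using documentation address ranges, and the category names (`ineffective`, `sinkholed`, `redirected`, `invalid`) are this script's own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts-file content (not from the original post); the
# addresses are RFC 5737 documentation ranges, chosen to be obviously fake.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# user tried to "block" a server by listing its address in the name field
127.0.0.1       198.51.100.7
# a hostname quietly pointed at a routable address: classic redirect
203.0.113.45    www.example-bank.test   bank
# a hostname sinkholed (how users block ad hosts, and how hijackware blocks update sites)
0.0.0.0         updates.example-av.test
not-an-ip       bogus.test
"""

Finding = Tuple[int, str, str]  # (line number, address field, hostname)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Split hosts-file text into (lineno, address, [names]); comments and blank lines are dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_hosts(text: str) -> Dict[str, List[Finding]]:
    """Classify every hosts entry so a reviewer can see what the file actually does.

    invalid     - address field is not an IP address (file is corrupt or tampered)
    ineffective - the "name" is itself an IP literal; hosts cannot block an address
    sinkholed   - name mapped to loopback/0.0.0.0; the host is unreachable by name
    redirected  - name mapped to a routable address; traffic for it goes elsewhere
    """
    report: Dict[str, List[Finding]] = {
        "invalid": [], "ineffective": [], "sinkholed": [], "redirected": []
    }
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["invalid"].append((lineno, addr, " ".join(names)))
            continue
        for name in names:
            if _is_ip_literal(name):
                report["ineffective"].append((lineno, addr, name))
            elif name.lower() == "localhost" and ip.is_loopback:
                continue  # the one mapping every hosts file legitimately carries
            elif ip.is_loopback or ip.is_unspecified:
                report["sinkholed"].append((lineno, addr, name))
            else:
                report["redirected"].append((lineno, addr, name))
    return report


if __name__ == "__main__":
    # On a real Windows box read %SystemRoot%\System32\drivers\etc\hosts instead.
    for category, findings in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, addr, name in findings:
            print(f"{category:12} line {lineno}: {addr} -> {name}")
```

Anything in the `redirected` bucket deserves a look: a bank or search-engine name mapped to an unfamiliar address is exactly the kind of entry a hijack leaves behind. The `sinkholed` bucket is ambiguous on its own, since ad-blocking lists and hijackware both use it; entries for security-vendor or update sites are the suspicious ones.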
