
Hijacked home page-"http://youfindall.net/" & "coolwwwsearch"

Discussion in 'Virus & Other Malware Removal' started by ALF64, Jul 8, 2003.

Thread Status:
Not open for further replies.
  1. ALF64

    ALF64 Thread Starter

    Joined:
    Jul 8, 2003
    Messages:
    5
    I am having the hijacked home page problem that others are having. However, my hijacking started with the "coolwwwsearch" and then went to a "youfindall.net" page that, as described before, cannot and will not be changed to my regular homepage. "youfindall.net" is the page I'm currently stuck on. I have read some of the instructions about downloading the 'Hijack This' program for the 'coolwwwsearch' problem; is this where I start for 'youfindall.net' too? I am a novice to these forums and am quite computer stupid, but I can follow easily understood instructions. If I do complete the 'Hijack this' instructions and save the log somewhere (where?), how do I 'show you its contents'? Please be as basic and clear in your instructions as possible. Thanks for the help. ALF64
     
  2. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
    Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

    Do not fix anything in HijackThis. Most entries will be harmless.
     
  3. ALF64

    ALF64 Thread Starter

    Joined:
    Jul 8, 2003
    Messages:
    5
    Here is my log. Thanks for the help. Are you able to answer questions re: the hows, wheres, whys, and legalities of this hijacking 'parasite?' ALF64


    Logfile of HijackThis v1.95.0
    Scan saved at 10:22:49 AM, on 7/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\ESM2\STMS.EXE
    C:\ESM2\EBRR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%30 about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    O1 - Hosts: 1123694712 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PCIMODEM] pcimodem.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\SYSTEM\bootconf.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.americangreetings.com/cnp/Install/AxCtp.cab
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/action/NSupd9x.cab
    O19 - User stylesheet: C:\WINDOWS\default.css
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,397
    In Hijack This, check ALL of the following items... double-check so as to be sure not to miss one.
    Next, close all browser windows, and have HT fix all checked.

    You MUST restart your computer when you're done.



    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%30 about :blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%30
    O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\SYSTEM\bootconf.exe
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.americangreetings.com/cnp/Install/AxCtp.cab
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/action/NSupd9x.cab
    O19 - User stylesheet: C:\WINDOWS\default.css


    After rebooting delete:
    C:\WINDOWS\System32\bootconf.exe
    C:\WINDOWS\default.css
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    And this one:

    O1 - Hosts: 1123694712 auto.search.msn.com

    1123694712 translates to http://66.250.56.120/ , which is, yup, you guessed it... :rolleyes:
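
The two obfuscations visible in this thread's log, the percent-encoded R0/R1 URLs and the integer hosts-file address decoded in the post above, can be undone mechanically when reading a log. This is an added example, not part of the original posts and not HijackThis code; the function names and the regular expressions for the log-line layout are assumptions based on the lines shown in this thread.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample: three lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%30
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

REG_LINE = re.compile(r"^R[0-3] - (?P<key>[^=]+)=(?P<value>\S+)")
HOSTS_LINE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<name>\S+)")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def needless_escapes(url):
    """Count %XX escapes of characters that never need escaping in a URL
    (RFC 3986 unreserved set: letters, digits, '-', '.', '_', '~')."""
    chars = (chr(int(h, 16)) for h in ESCAPE.findall(url))
    return sum(1 for c in chars if c.isascii() and (c.isalnum() or c in "-._~"))


def dotted_quad(addr):
    """Normalise a hosts-file address; a bare integer is a 32-bit IPv4 value."""
    try:
        return str(ipaddress.IPv4Address(int(addr) if addr.isdigit() else addr))
    except ValueError:
        return addr  # not an IPv4 address: leave it untouched


def decode_line(line):
    """Return a readable finding for one log line, or None if nothing is hidden."""
    line = line.strip()
    m = REG_LINE.match(line)
    if m and needless_escapes(m["value"]):
        return {"type": "registry", "key": m["key"],
                "decoded": unquote(m["value"]),
                "needless_escapes": needless_escapes(m["value"])}
    m = HOSTS_LINE.match(line)
    if m and m["addr"].isdigit():
        return {"type": "hosts", "name": m["name"],
                "decoded": dotted_quad(m["addr"])}
    return None


def decode_log(text):
    """Decode every obfuscated registry or hosts entry found in a pasted log."""
    return [f for f in map(decode_line, text.splitlines()) if f]
```

Calling `decode_log` on a pasted log returns only the entries whose real destination was hidden, in readable form, so ordinary startup and plugin lines are not flagged.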
     
  6. ALF64

    ALF64 Thread Starter

    Joined:
    Jul 8, 2003
    Messages:
    5
    Mr. Klein,
    What does your last above comment "...which is, yup, you guessed it..." mean? Also, I take it that within this forum for technical questions, you don't discuss the whys & legalities of these parasites you so graciously assist in destroying? Is there some site I can go to to learn more about these quite annoying parasites? Thanks for the technical help anyway. I'm glad to know you are here. ALF64
     
  7. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
  8. ALF64

    ALF64 Thread Starter

    Joined:
    Jul 8, 2003
    Messages:
    5
    I completed the steps you informed me to take except I can't find C:\WINDOWS\System32\bootconf.exe. I did find C:\WINDOWS\default.css but didn't delete that one yet; since I couldn't find the other one, I was hesitant to do so for fear of being in the wrong place. I am quite computer stupid as acknowledged earlier. To find these I went to My computer/C/Windows/System 32, & in here I have Adobe, Drivers, desktop.ini and folder.htt. I do not see a ...bootconf.exe to delete here. Am I in the wrong place? Next, is it OK to delete the '...default.css' file I see later in the Windows menu? Will I have to re-do the Hijack This 'Fix it' again since I haven't deleted those 2 files yet?

    Lastly, does anyone or any website with the knowledge have the time to answer my semi-political questions? This forceful hijacking invasion of my freedom of choice really irks me & I would like some sort of resolution if only to know some info. about the unscrupulous people who write and send this garbage.
     
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Yes, I would rather see law enforcement criminalizing spyware and hijackings more than junk email.

    Delete the default.css, and try searching the hard drive for bootconf.exe to see if you find it somewhere else.
    If not, don't worry about it.
    And no, you won't have to do Hijack This again because you didn't delete the files yet.
     
  10. ALF64

    ALF64 Thread Starter

    Joined:
    Jul 8, 2003
    Messages:
    5
    Please dumb it down for this dummy step by step. How do I search the hard drive for that file?
     
  11. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    To find those files, you will need to be able to view hidden files and folders:

    Open any folder.
    Click on the tools menu and select folder options.
    Then click on the view tab.
    Select 'Show hidden files and folders'.
    Click OK.
     
  12. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  13. RogerW

    RogerW

    Joined:
    Jul 13, 2003
    Messages:
    13
    I just downloaded Hijackthis.exe. When I tried to run it I got the message "A required .DLL file MSVBVM60.DLL was not found"

    Any help would be greatly appreciated.
     
  14. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
  15. fuzzyky

    fuzzyky

    Joined:
    Jul 9, 2003
    Messages:
    6
    I too have been hijacked... I followed the instructions and got most of it... but some must remain because 1) the page scroll is still jerky as hell, & 2) the yellow box still pops up when I hit my porn pages ;) ... but at least my home page stays the same... I guess I'll run the hijack this program and post it later. I really wanted to weigh in to say again how angry (and I do mean steamin' pissed) I am at these pond scum. Is there nothing that can be done about this? Isn't it somehow illegal? Are we powerless to fight back? I assume that their motivation is money... how do they make it... who pays them... what can I do... Thanks for the help... you people really are a great bunch for helping and sharing w/ us... thanks again!




    Fuzzy
     

Short URL to this thread: https://techguy.org/145261
