1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Resolved] google hijacked by hotsearchbox

Discussion in 'Virus & Other Malware Removal' started by kiwi77, Oct 8, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. kiwi77

    kiwi77 Thread Starter

    Joined:
    Oct 8, 2003
    Messages:
    10
    Hi folks...like similar posts here it seems my browser search capabilities have been hijacked by 'hotsearchbox'. I downloaded and ran HiJackThis and here is the generated log file. I'd appreciate any help with the next step...

    Logfile of HijackThis v1.97.2
    Scan saved at 8:36:34 AM, on 10/8/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Downloads\AIM\aim.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alcoholedu.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.outsidetheclassroom.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Outside the Classroom
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [AIM] C:\Downloads\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Vizija EyeDropper] C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Startup: Microsoft Office.lnk = Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.outsidetheclassroom.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D588CBC-995B-4103-AFCB-694B0C5AACD3} (SmartXUpload.XUpload) - http://www.aspsmart.com/SmartXUpload/liblocal/demo/SmartXUpload.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.6610416667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Run CWshredder from
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    then it looks like you have been hit by the qhosts trojan/virus so follow advice in this link
    http://forums.techguy.org/t169476/s.html
    then download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    then
    Download Spybot - Search & Destroy from http://security.kolla.de


    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then post a new hijackthis log to check what is left
     
  3. kiwi77

    kiwi77 Thread Starter

    Joined:
    Oct 8, 2003
    Messages:
    10
    Thanks dvk01! I'm currently downloading and running the scans as you suggested. I'll re-post the HiJackThis log when I've completed all of the steps.
     
  4. kiwi77

    kiwi77 Thread Starter

    Joined:
    Oct 8, 2003
    Messages:
    10
    Derek, I've just run AdAware 6 and it 'found' 264 items. Most of them are labeled 'Tracking Cookies' but there are also a couple of items labeled 'Possible Browser HiJack Attempt'. Should I check and then delete all 264 items...just a little nervous about inadverdently deleting something useful...thanks!
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Nothing adaware finds is even remotely useful and can always be safely deleted
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I would also check and remove all of these:

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

    I don't think any of them associate to your actual ISP. The My Domain entry is clearly a hijack, and duplicated entries are always suspicious. Some resolve to "everyones internet" which seems to be host for a lot of these hijacks.
     
  7. kiwi77

    kiwi77 Thread Starter

    Joined:
    Oct 8, 2003
    Messages:
    10
    OK, I've followed all of the steps and have just re-run HiJackThis. Here is the latest log file:

    Logfile of HijackThis v1.97.2
    Scan saved at 12:00:49 PM, on 10/8/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Downloads\AIM\aim.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\notepad.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alcoholedu.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.outsidetheclassroom.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Outside the Classroom
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [AIM] C:\Downloads\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Vizija EyeDropper] C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Startup: Microsoft Office.lnk = Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.outsidetheclassroom.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D588CBC-995B-4103-AFCB-694B0C5AACD3} (SmartXUpload.XUpload) - http://www.aspsmart.com/SmartXUpload/liblocal/demo/SmartXUpload.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.6610416667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
    O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Checking further, it seems that outsidetheclassroom.com is quite legit and a part of your chosen setup.
     
  9. kiwi77

    kiwi77 Thread Starter

    Joined:
    Oct 8, 2003
    Messages:
    10
    OK, I'll leave the outsidetheclassroom.com entries as is. I just re-tried Google but I still can't navigate there so what do you suggest I have HiJackThis remove from the last posted log? Thanks!
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    fix thse 2

    O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

    then see if there is a file C:\windows\help\hosts

    if it exists delete it

    You might also have been attacked by the qhost virus follow instruction here
    http://forums.techguy.org/t169476/s.html
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  12. kiwi77

    kiwi77 Thread Starter

    Joined:
    Oct 8, 2003
    Messages:
    10
    Google is back! Thanks for all your help!
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/170421

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice