[Resolved] google hijacked by hotsearchbox

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

kiwi77

Thread Starter
Joined
Oct 8, 2003
Messages
10
Hi folks...like similar posts here it seems my browser search capabilities have been hijacked by 'hotsearchbox'. I downloaded and ran HiJackThis and here is the generated log file. I'd appreciate any help with the next step...

Logfile of HijackThis v1.97.2
Scan saved at 8:36:34 AM, on 10/8/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Downloads\AIM\aim.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alcoholedu.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotsearchbox.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.outsidetheclassroom.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Outside the Classroom
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AIM] C:\Downloads\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Vizija EyeDropper] C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.outsidetheclassroom.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D588CBC-995B-4103-AFCB-694B0C5AACD3} (SmartXUpload.XUpload) - http://www.aspsmart.com/SmartXUpload/liblocal/demo/SmartXUpload.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.6610416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run CWshredder from
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

then it looks like you have been hit by the qhosts trojan/virus so follow advice in this link
http://forums.techguy.org/t169476/s.html
then download AdAware 6 181
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then
Download Spybot - Search & Destroy from http://security.kolla.de


After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then post a new hijackthis log to check what is left
 

kiwi77

Thread Starter
Joined
Oct 8, 2003
Messages
10
Thanks dvk01! I'm currently downloading and running the scans as you suggested. I'll re-post the HiJackThis log when I've completed all of the steps.
 

kiwi77

Thread Starter
Joined
Oct 8, 2003
Messages
10
Derek, I've just run AdAware 6 and it 'found' 264 items. Most of them are labeled 'Tracking Cookies' but there are also a couple of items labeled 'Possible Browser HiJack Attempt'. Should I check and then delete all 264 items...just a little nervous about inadverdently deleting something useful...thanks!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Nothing adaware finds is even remotely useful and can always be safely deleted
 
Joined
Dec 9, 2000
Messages
45,855
I would also check and remove all of these:

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS1\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

I don't think any of them associate to your actual ISP. The My Domain entry is clearly a hijack, and duplicated entries are always suspicious. Some resolve to "everyones internet" which seems to be host for a lot of these hijacks.
 

kiwi77

Thread Starter
Joined
Oct 8, 2003
Messages
10
OK, I've followed all of the steps and have just re-run HiJackThis. Here is the latest log file:

Logfile of HijackThis v1.97.2
Scan saved at 12:00:49 PM, on 10/8/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Downloads\AIM\aim.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alcoholedu.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.outsidetheclassroom.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Outside the Classroom
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AIM] C:\Downloads\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Vizija EyeDropper] C:\Downloads\Eyedrop\Eyedrop\EyeDropper.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.outsidetheclassroom.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D588CBC-995B-4103-AFCB-694B0C5AACD3} (SmartXUpload.XUpload) - http://www.aspsmart.com/SmartXUpload/liblocal/demo/SmartXUpload.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.6610416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = outsidetheclassroom.com
O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
 
Joined
Dec 9, 2000
Messages
45,855
Checking further, it seems that outsidetheclassroom.com is quite legit and a part of your chosen setup.
 

kiwi77

Thread Starter
Joined
Oct 8, 2003
Messages
10
OK, I'll leave the outsidetheclassroom.com entries as is. I just re-tried Google but I still can't navigate there so what do you suggest I have HiJackThis remove from the last posted log? Thanks!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
fix thse 2

O17 - HKLM\System\CS2\Services\VxD\MSCTP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

then see if there is a file C:\windows\help\hosts

if it exists delete it

You might also have been attacked by the qhost virus follow instruction here
http://forums.techguy.org/t169476/s.html
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top