Q: Browser Hijack (Answered, 4 Comments)
Question  
Subject: Browser Hijack
Category: Computers > Security
Asked by: tnsdan-ga
List Price: $5.00
Posted: 26 Apr 2005 13:04 PDT
Expires: 26 May 2005 13:04 PDT
Question ID: 514544
One of my office computers has been hijacked by "103.nowfind.biz."  I
have run all of the normal measures (HijackThis, Ad-Aware, Spybot S&D,
Symantec, NoAdware) and had no luck at all.  They all find it, but
after you delete it, it is still there.  Very feisty bugger.  In any
case, we really need this taken care of.  Anyone beaten this yet?

Request for Question Clarification by livioflores-ga on 26 Apr 2005 13:13 PDT
For a better understanding of what is happening, please post a HijackThis
log: run HijackThis and let it scan your computer, then WITHOUT fixing
anything generate a log and post it here as a clarification. With this
info I will be able to give you better assistance.


You can find HijackThis tutorials in the following pages:
"Bleeping Computer - HijackThis Tutorial - How to use HijackThis to
remove Browser Hijackers & Spyware":
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Follow the instructions on this part of the tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse


I will wait for your response.

Regards.
livioflores-ga

Request for Question Clarification by livioflores-ga on 27 Apr 2005 02:34 PDT
Try this also:
Scan your computer for viruses or trojans, preferably with an online scan
(because the installed antivirus could be hijacked too!!). Try one (or
both) of the following free services:

"Trend Micro - Free online virus Scan":
http://housecall.trendmicro.com/

"Panda ActiveScan - Free online scanner":
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Good luck!!

Clarification of Question by tnsdan-ga on 27 Apr 2005 08:24 PDT
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\windows\system32\sjxjux.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Greg Troy\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [gytnlar] c:\windows\system32\sjxjux.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online,
Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -
America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks!

Request for Question Clarification by livioflores-ga on 27 Apr 2005 23:16 PDT
Hi!!

Use the Ctrl+Alt+Del keystroke to run the Task Manager and stop the
following process:
c:\windows\system32\sjxjux.exe

Then try to delete the following files:
c:\windows\system32\sjxjux.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\Nail.exe
If you cannot do that at this point, skip this step, do the HJT fix and
then reboot in Safe Mode and try to delete them. Then reboot in Normal
Mode.


Then close all your browser windows and all other open windows,
run HijackThis, perform a scan and check the following items to be
fixed:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [gytnlar] c:\windows\system32\sjxjux.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=

Then click on the Fix Checked button, reboot the computer, cross your
fingers and post a new log.


I will wait for your new log and comments in order to post this as an
official answer.
Good luck!!

Clarification of Question by tnsdan-ga on 28 Apr 2005 08:23 PDT
Thank you so much for your help so far.  We were able to delete
sjxjux.exe, but have not been able to delete nail.exe.  We have tried
deleting it in safe mode and everything.  You can delete it, but if
you close the folder and reopen it, it reappears.  I get the
impression that nail.exe also "produces" bolger.dll.  We have tried
deleting it in both safe mode and normal mode with no luck.  As such,
our HJT log still looks as follows:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\kfzsez.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Greg Troy\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [ohwtftf] c:\windows\system32\kfzsez.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online,
Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -
America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you so much for your help so far.  These things can be
enormously frustrating.  I'm glad that it's not my computer!

Request for Question Clarification by livioflores-ga on 29 Apr 2005 08:16 PDT
OK, do the following:

Run HJT and check the following items to be fixed:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [ohwtftf] c:\windows\system32\kfzsez.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O23 - Service: System Startup Service  (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe


Then, without restarting, download, install, and run the Ewido Security
Suite (which you can download and try for free) and post the log file
it generates when it's done.
http://www.ewido.net/en/download/


Good luck!!

Request for Question Clarification by livioflores-ga on 29 Apr 2005 12:51 PDT
Just a little modification:
First download Ewido, then close all browser instances and run HJT and
fix the indicated items; then, without restarting and without opening
the browser, run Ewido. (In other words, do not open the browser after
fixing items with HJT.)

Clarification of Question by tnsdan-ga on 03 May 2005 06:47 PDT
Livioflores-

We got it!  Thanks for all of your help and feel free to post as an answer.
Answer  
Subject: Re: Browser Hijack
Answered By: livioflores-ga on 03 May 2005 08:35 PDT
 
Hi!!

Thank you for giving me the opportunity to answer your question.

According to your last HJT log you must do the following:

First download Ewido:
http://www.ewido.net/en/download/

Then close all browser instances and run HJT and fix the indicated items;
then, without restarting and without opening the browser, run Ewido. (In
other words, do not open the browser after fixing items with HJT.)

Check the following items in HJT to be fixed:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
= http://103.nowfind.biz/pps.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [ohwtftf] c:\windows\system32\kfzsez.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O23 - Service: System Startup Service  (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe


I am so glad to know that your problem was solved.


Best regards.
livioflores-ga
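The answer above works through the HJT log by hand: every R0/R1 search and start-page key pointing at one unexpected host, an F2 Shell= line that loads a second executable besides Explorer.exe, an O1 hosts-file redirect, a BHO DLL sitting directly in C:\WINDOWS, a Run value whose name has nothing to do with the file it launches, O13 URL-prefix overrides, and a service with no publisher. The following Python script is an added example (not part of this thread, and not HijackThis code) that applies the same reasoning as rules over a log, rejoining entries that a forum or mail client wrapped onto two lines. The sample log is constructed from the entries quoted in this thread, the EXPECTED_HOSTS allow-list is an assumption an administrator would fill in for their own environment, and the heuristics are mine, meant as a first triage pass rather than a verdict.

```python
"""Triage a HijackThis (HJT) log for browser-hijack indicators.

Added example; not code from the thread or from HijackThis. The rules are
heuristics: each finding is a lead for a human to confirm.
"""
import re
from collections import Counter

# Assumption: the hosts an administrator expects IE search/start keys to use.
EXPECTED_HOSTS = {"www.google.com", "www.msn.com", "go.microsoft.com"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")        # e.g. "R1 - ...", "O4 - ..."
URL_RE = re.compile(r"https?://([^/\s]+)")            # captures the host part
FILE_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll))\b", re.IGNORECASE)
RUN_RE = re.compile(r"\[([^\]]+)\]\s*(.+)$")          # "[value name] command"


def parse_entries(log_text):
    """Return (code, body) pairs for the HJT entry section.

    Lines before the first entry (the 'Running processes' list) are skipped.
    A non-empty line that does not start with an entry code is treated as the
    wrapped continuation of the previous entry and rejoined to it.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            entries[-1][1] += " " + line
    return [(code, body) for code, body in entries]


def check(code, body):
    """Return a reason string if the entry looks like a hijack, else None."""
    if code in ("R0", "R1"):
        m = URL_RE.search(body)
        if m and m.group(1).lower() not in EXPECTED_HOSTS:
            return f"IE search/start page points at unexpected host {m.group(1)}"
    elif code == "F2" and "Shell=" in body:
        # A clean system.ini shell line is exactly "Shell=Explorer.exe".
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "system.ini Shell= loads something besides Explorer.exe"
    elif code == "O1":
        return "hosts-file override of a search domain"
    elif code == "O2":
        m = FILE_RE.search(body)
        if m and re.match(r"^[a-z]:\\windows\\[^\\]+$", m.group(1).lower()):
            return "BHO DLL dropped directly into %WINDIR%"
    elif code == "O4":
        m = RUN_RE.search(body)
        if m:
            name = m.group(1).lower()
            if name.endswith(".exe"):
                name = name[:-4]
            f = FILE_RE.search(m.group(2))
            stem = f.group(1).lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0] if f else ""
            if name != stem:
                return f"Run value name '{m.group(1)}' unrelated to executable '{stem}'"
    elif code == "O13":
        return "URL prefix override (typed addresses rerouted through another site)"
    elif code == "O23" and "Unknown owner" in body:
        return "service with no publisher"
    return None


def triage(log_text):
    """Run every entry through check(); collect hosts and files to investigate."""
    findings, hosts, files = [], Counter(), set()
    for code, body in parse_entries(log_text):
        reason = check(code, body)
        if reason is None:
            continue
        findings.append((code, reason, body))
        for host in URL_RE.findall(body):
            hosts[host.lower()] += 1
        for path in FILE_RE.findall(body):
            files.add(path.rsplit("\\", 1)[-1].lower())
    return {"findings": findings, "hosts": hosts, "files": files}


# Constructed sample: a subset of the first log in the thread, with the same
# line wrapping the forum applied, so the rejoin logic is exercised.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\sjxjux.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://103.nowfind.biz/pps.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [gytnlar] c:\windows\system32\sjxjux.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, reason, body in result["findings"]:
        print(f"{code}: {reason}\n    {body}")
    print("hosts:", result["hosts"].most_common())
    print("files to investigate:", sorted(result["files"]))
```

Run on the sample, the script flags nine entries, reports 103.nowfind.biz as the host shared by every rewritten IE key and the O13 prefix, and lists nail.exe, bolger.dll, sjxjux.exe and svcproc.exe as the files to look at, while leaving the legitimate ctfmon, WeatherBug and NVIDIA entries alone. The host counter is the useful part for a defender: one host appearing across many otherwise unrelated keys is the signature of a single hijacker, and the same host is what to add to the proxy or DNS block-list for the rest of the office.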
Comments  
Subject: Re: Browser Hijack
From: l337pf2-ga on 29 Apr 2005 16:00 PDT
 
Did you try using the new Microsoft spyware remover?
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Subject: Re: Browser Hijack
From: bumpher-ga on 30 Apr 2005 14:47 PDT
 
I have done no research on this trojan, but I thought I could throw in
3 very useful suggestions.

1. Try Microsoft's anti-spyware. It is a very extensive product for
dealing with adware and spyware, but best of all it's free (this is
not an advertisement for Microsoft, by the way) and fully functional.

2. I have had my share of problems with these beasts. Something I have
seen no comments in here about is how they can hide files from
Explorer, meaning that even with "view hidden and system files"
enabled, Explorer does not show them.
Open a DOS prompt and check the start-up folder in the user profile
and the start-up folder in the ALL USERS profile (use the dir command
to do this); it will show the file if it is there. You may even get
lucky and delete the file (if it's not running).

3. It is easy to hide processes from Task Manager. Try a third-party
process viewer. There are others available from Microsoft for download
free of charge that WILL show all the processes. I think the one I used
is available in the NT4 Resource Kit download. Once I killed the
process using the third-party viewer, I was able to delete the file(s)
that I found through the DOS command window. Problem was solved.
Subject: Re: Browser Hijack
From: bumpher-ga on 30 Apr 2005 14:52 PDT
 
One other thing I failed to mention: search Microsoft's knowledge base
for regsvr32.exe.

here is one of the articles I've found

http://support.microsoft.com/default.aspx?scid=kb;en-us;249873

Regsvr32 is used for registering and unregistering DLL files. It may
be necessary to unregister some of the files in order to delete them.
Subject: Re: Browser Hijack
From: arabianknight-ga on 02 May 2005 18:55 PDT
 
Back up your important files to a CD. Scan the CD for viruses/spyware
to make sure you didn't save it as well. Then... reformat your
computer, and put the important files back in!
