Help! Homepage hijacked


neil f

This is not strictly a virus I suppose, but just as damaging on a business
computer that can't get on with its work. I rashly let someone else surf on this
machine and now I get a redirect to www.therealsearch.com/hp.php every time I
load Explorer. This produces a stream of requests to open premium rate phone
lines, download files and agree to this, that and the other. The browser line is
greyed out during this process so I can't just redirect somewhere else. By
carefully clicking through various windows, without I hope agreeing to anything
further, I eventually arrive at a screen I can regain control from. But only until
the next time I go online. It's making any Web work impossible! Resetting the
homepage only seems to work until the next cold restart. It also adds a set of
porn-type links to the Favourites list - thanks a bunch. History shows a visit
to 64.156.31.70 uk.php?ac=058563&LP=2; I don't know if this means much.

Is this a known problem and is there a permanent solution? I've tried Adaware
and Spybot but they don't seem able to help with this particular problem. I also
run AVG. Any help appreciated.

-Neil F.
 

neil f

Just seen another post suggesting a log file for a hijack situation, so here's
mine. Is there anything else besides the mentions of therealsearch that I should
fix?

Logfile of HijackThis v1.97.7
Scan saved at 11:31:35, on 30/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\ONE GUY CODING\AUTOMACHRON\ACHRON.EXE
C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\FREEZIP\ZIP.EXE
C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACK~1\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.therealsearch.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.therealsearch.com/sp.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON
CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\QUICKEN.EXE
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program
Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton
Utilities\SYSDOC32.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Automachron.lnk = C:\Program Files\One Guy
Coding\Automachron\achron.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -
http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.com/turbo_lister/UK/install.cab
 

Alastair Smeaton

Just seen another post suggesting a log file for a hijack situation, so here's
mine. Is there anything else besides the mentions of therealsearch that I should
fix?

google for therealsearch will find some links to help - including the
post you made to that forum using hijackthis

did you take their advice ?
 

YoKenny

neil said:
Just seen another post suggesting a log file for a hijack situation,
so here's mine. Is there anything else besides the mentions of
therealsearch that I should fix?

MSIE: Internet Explorer v5.00 (5.00.2614.3500)

This version of IE is obsolete and has several vulnerabilities. Upgrade to
at least IE V5.5.

With only HijackThis running check and remove:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.therealsearch.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.therealsearch.com/sp.php
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE

Read the following page to harden your system's defences:
http://forums.net-integration.net/index.php?showtopic=3051
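Neil's log above and YoKenny's "check and remove" list both come down to the same triage: find the R0/R1 lines whose URL points somewhere the owner never chose, and look twice at anything IE downloaded (the O16 DPF lines) from an unfamiliar host or a bare IP address. The Python script below is an added example for this thread; it is not HijackThis code and was not supplied by any poster. It parses a constructed subset of the log posted above, with the long lines wrapped the way the mail client wrapped them, and the allowlists of expected and trusted hosts are placeholders to be replaced with whatever belongs on a given machine.

```python
"""Triage helpers for a HijackThis log (added example, not HijackThis code).

Parses the R0/R1 (IE start/search page) and O16 (downloaded ActiveX, "DPF")
entries, joins lines that a mail client wrapped, and reports entries that point
somewhere the machine's owner does not expect.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the log posted in the thread, with long lines
# wrapped as they appeared (continuation lines carry no section code).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.therealsearch.com/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.therealsearch.com/sp.php
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -
http://216.249.24.142/code/PWActiveXImgCtl.CAB
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hjt(text):
    """Return [(section, body), ...] for every R*/O* entry in the log.

    A non-blank line that does not start with a section code is treated as a
    wrapped continuation of the previous entry and joined with one space.
    Header and process-list lines before the first entry are ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]


def _url_host(body):
    m = URL_RE.search(body)
    return urlsplit(m.group(0)).hostname if m else None


def _registry_target(body):
    """Split 'HKCU\\...\\Main,Start Page = http://...' into (key, value name)."""
    key_and_value = body.partition(" = ")[0]
    key, _, value_name = key_and_value.rpartition(",")
    return key, value_name


def flag_ie_settings(entries, expected_hosts):
    """R0/R1 entries are IE's start page and search settings in the registry.
    Report each one whose URL host is not in expected_hosts; a hijacker rewrites
    all of them at once, which is why every R line in the posted log pointed at
    the same domain."""
    expected = {h.lower() for h in expected_hosts}
    flagged = []
    for section, body in entries:
        if section not in ("R0", "R1"):
            continue
        host = _url_host(body)
        if host and host not in expected:
            key, value_name = _registry_target(body)
            flagged.append({"section": section, "key": key,
                            "value_name": value_name, "host": host})
    return flagged


def flag_dpf_downloads(entries, trusted_hosts):
    """O16 entries are ActiveX controls IE downloaded. A control served from a
    bare IP address or from a host outside trusted_hosts deserves a second look
    before it is left installed."""
    trusted = {h.lower() for h in trusted_hosts}
    flagged = []
    for section, body in entries:
        if section != "O16":
            continue
        host = _url_host(body)
        if host is None:
            continue
        if IPV4_RE.fullmatch(host):
            flagged.append({"host": host, "reason": "bare IP", "entry": body})
        elif host not in trusted:
            flagged.append({"host": host, "reason": "untrusted host", "entry": body})
    return flagged


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    # Placeholder allowlists: substitute the hosts that belong on the machine.
    for hit in flag_ie_settings(entries, {"www.google.com", "home.microsoft.com"}):
        print(f"reset {hit['section']} {hit['key']} -> '{hit['value_name']}' "
              f"(currently points at {hit['host']})")
    for hit in flag_dpf_downloads(entries, {"download.macromedia.com"}):
        print(f"review O16 control from {hit['host']} ({hit['reason']})")
```

On a real machine, read the saved log file into the string in place of SAMPLE_LOG. The output is a worklist of registry values and downloaded controls to act on in HijackThis, not an automatic fix: the script changes nothing, which is the point when the log was posted precisely so that someone could decide what is safe to remove.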
 

neil f

Thanks for the advice guys. BTW YoKenny, did you really mean to include the last
line below (Microsoft Office etc.)? I've fixed the others but I'm wary of
'fixing' this line as it looks more official.

I guess it's time to upgrade to XP etc.

-Neil F.
 

John Coutts

Thanks for the advice guys. BTW YoKenny, did you really mean to include the last
line below (Microsoft Office etc.)? I've fixed the others but I'm wary of
'fixing' this line as it looks more official.

I guess it's time to upgrade to XP etc.

-Neil F.
****************** REPLY SEPARATER *******************
Yes, he did mean to remove the MS Office start link. It is totally unnecessary
and does not need to be loaded on start-up. When and if it is needed, it will
be loaded. Other than special hardware drivers, the only programs needed to run
Windows are Explorer and SysTray.

And no, you don't need to upgrade to XP. It is even more difficult to secure.
If however you do decide to upgrade, see the following:

http://www.yellowhead.com/xpcfg1.htm

J.A. Coutts
 

Gabriele Neukam

On that special day, neil f, ([email protected]) said...
BTW YoKenny, did you really mean to include the last
line below (Microsoft Office etc.)? I've fixed the others but I'm wary of
'fixing' this line as it looks more official.

I'll try to explain YoKenny's opinion on OSA. The program does load the
Office tool bar at startup (and I think, an indexing service, too, which
is quite useless on small business machines).

OSA is a well known resource hog, and can slow your computer to a crawl,
even causing such alarming window messages like: "Your resources are
getting seriously low. Please close some applications to free memory"
(that surely isn't the proper version, as I do only know the German
variant).

Without it, the reaction time of the computer will improve visibly, and
believe me, there is no reason to run such bulky stuff right from boot
up. Even without it, Office works nicely, and Word will require just
five seconds more to load the *first* doc file, after that it will be as
fast as always.


Gabriele Neukam

(e-mail address removed)
 

YoKenny

John said:
****************** REPLY SEPARATER *******************
Yes, he did mean to remove the MS Office start link. It is totally
unnecessary and does not need to be loaded on start-up. When and if
it is needed, it will be loaded. Other than special hardware drivers,
the only programs needed to run Windows are Explorer and SysTray.

And no, you don't need to upgrade to XP. It is even more difficult to
secure.

It is more difficult because it is more secure than Win9x/ME.
If however you do decide to upgrade, see the following:
http://www.yellowhead.com/xpcfg1.htm

Good site. I don't agree with some of the settings but as usual this is
user preference.

Enable dragging and dropping should be off. Eye candy
Use Windows classic folders. Keeps the user stuck in the old Win95
paradigm.
 

David W. Hodgins

This is not strictly a virus I suppose, but just as damaging on a business
computer that can't get on with its work. I rashly let someone else surf on this
machine and now I get a redirect to www.therealsearch.com/hp.php every time I

From the uninstall page linked to from www.therealsearch.com,
http://66.250.130.194/re.htm
reinstall the window media player too. That page has a link
to http://www.microsoft.com/windows/windowsmedia/default.aspx
to get it.

I don't recommend trying his "deinst.exe". Somehow I find him a
little hard to trust<g>.

Regards, Dave Hodgins
 

Gabriele Neukam

On that special day, YoKenny, ([email protected]) said...
It is more difficult because it is more secure than Win9x/ME.

I heard people say, WinXp is by default running so many more services
(in Linuxoid we would say daemons) than the Win9xes, that it is
*unsafer* than any Win9x by its very nature.

It is like keeping a sieve watertight.


Gabriele Neukam

(e-mail address removed)
 

YoKenny

Gabriele said:
On that special day, YoKenny, ([email protected]) said...


I heard people say, WinXp is by default running so many more services
(in Linuxoid we would say daemons) than the Win9xes, that it is
*unsafer* than any Win9x by its very nature.

It is like keeping a sieve watertight.

With some good caulking even a sieve can be made to float.

Hearsay is great for pessimists as it gives them an excuse to not do
anything thus giving up before they even try.
 

kurt wismer

Gabriele Neukam wrote:
[snip]
I heard people say, WinXp is by default running so many more services
(in Linuxoid we would say daemons) than the Win9xes, that it is
*unsafer* than any Win9x by its very nature.

well, that would be because there wasn't any kind of native support for
services under win9x... services are an NT thing...

that doesn't mean that win9x is more secure than NT based OSes,
though... services are only a small part of the equation...
 

neil f

Alastair Smeaton said:
google for therealsearch will find some links to help - including the
post you made to that forum using hijackthis

(Actually that wasn't me, but it intrigued me enough to go and see who it was.)
did you take their advice ?

Thanks for all the advice guys - all useful.

Apparently this is the latest variant of the coolwebsearch trojan, which is
being evolved faster than the usual cleaners can keep up with it. The answer is
to download and run the latest version of cwshredder from www.spywareinfo.com
and follow its instructions afterwards for a more permanent defence.

As for 98 vs XP, I'm going to use Partition Magic/Boot Magic to install both and
see which suits me best over an extended period.

-Neil F.
 