my IE 7 has had its search hijacked... I am desperate to fix it...

Charles Lee

when I visit google & search, I get a listing as expected, but it shows the
first 10... if I try to see later pages it doesn't, it just keeps showing me
the same first 10...

if I then pick any of the links offered, I get redirected through other
sites like copy-book.com etc instead...

ZA AV doesn't fix it....
Kaspersky doesn't fix it either...
ad-aware doesn't help....

both of the AVs keep finding 'autorun.sys' files being added to the root of
my drives and quarantines them, but they always come back....
as a workaround, I have put empty folders in their place with the same
name, which seems to keep them at bay...

Hijackthis finds these following entries each time I check
in my registry, I keep getting these same 4 entries...

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}: NameServer = 85.255.112.207;85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBDD0775-9755-4642-9955-A2576A9B5C09}: NameServer = 85.255.112.207;85.255.112.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}: NameServer = 85.255.112.207;85.255.112.68
O17 - HKLM\System\CS8\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}: NameServer = 85.255.112.207;85.255.112.68


I keep deleting them, but something is replacing them....

I tried booting straight off a Kaspersky recovery disk with the latest
update instead of the xp system.... but the problem still remains...


something keeps being overlooked

any ideas how to fix this hijack completely
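
An added example, not part of the original post: parsing the O17 lines quoted above to list which control sets and interface GUIDs carry a name server outside an expected set. The log lines are the ones posted; `EXPECTED_RESOLVERS` and its value are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The O17 entries as posted above (the forum wrapped each one over three lines).
SAMPLE_LOG = r"""
O17 -
HKLM\System\CCS\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}:
NameServer = 85.255.112.207;85.255.112.68
O17 -
HKLM\System\CCS\Services\Tcpip\..\{DBDD0775-9755-4642-9955-A2576A9B5C09}:
NameServer = 85.255.112.207;85.255.112.68
O17 -
HKLM\System\CS2\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}:
NameServer = 85.255.112.207;85.255.112.68
O17 -
HKLM\System\CS8\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}:
NameServer = 85.255.112.207;85.255.112.68
"""

# Assumption: the resolver this machine is supposed to use (constructed value).
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(
    r"O17\s*-\s*HKLM\\System\\(?P<cs>[^\\]+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}):\s*NameServer\s*=\s*(?P<servers>\S+)"
)

def parse_o17(log_text):
    """Return (control_set, interface_guid, [servers]) per O17 NameServer entry."""
    flat = " ".join(log_text.split())  # undo the line wrapping
    return [(m["cs"], m["guid"], [s for s in re.split(r"[;,]", m["servers"]) if s])
            for m in O17_RE.finditer(flat)]

def unexpected_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Map each name server outside `expected` to the places that carry it."""
    hits = defaultdict(list)
    for control_set, guid, servers in entries:
        for ip in servers:
            if ip not in expected:
                hits[ip].append((control_set, guid))
    return dict(hits)

if __name__ == "__main__":
    for ip, places in unexpected_resolvers(parse_o17(SAMPLE_LOG)).items():
        print(f"{ip}: not an expected resolver, set in {len(places)} entries")
        for control_set, guid in places:
            print(f"    {control_set}  {guid}")
```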
 
PA Bear [MS MVP]

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

=> Those with IE7-specific questions or comments are asked to post to and
seek support in this newsgroup: microsoft.public.internetexplorer.general

On the web:
http://www.microsoft.com/communitie...?dg=microsoft.public.internetexplorer.general

In your newsreader:
news://msnews.microsoft.com/microsoft.public.internetexplorer.general
 
Kayman

> when I visit google & search, I get a listing as expected, but it shows the
> first 10... if I try to see later pages it doesn't, it just keeps showing me
> the same first 10...
>
> if I then pick any of the links offered, I get redirected through other
> sites like copy-book.com etc instead...
>
> ZA AV doesn't fix it....

Yes, it's an inferior application

> Kaspersky doesn't fix it either...

Have you updated prior to scanning?

> ad-aware doesn't help....

No surprise here.

> both of the AVs keep finding 'autorun.sys' files being added to the root of
> my drives and quarantines them, but they always come back....
> as a workaround, I have put empty folders in their place with the same
> name, which seems to keep them at bay...
>
> Hijackthis finds these following entries each time I check
> in my registry, I keep getting these same 4 entries...
>
> O17 - HKLM\System\CCS\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}: NameServer = 85.255.112.207;85.255.112.68
> O17 - HKLM\System\CCS\Services\Tcpip\..\{DBDD0775-9755-4642-9955-A2576A9B5C09}: NameServer = 85.255.112.207;85.255.112.68
> O17 - HKLM\System\CS2\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}: NameServer = 85.255.112.207;85.255.112.68
> O17 - HKLM\System\CS8\Services\Tcpip\..\{1D3D0139-3744-466F-8610-50402A9BEE5F}: NameServer = 85.255.112.207;85.255.112.68
>
> I keep deleting them, but something is replacing them....

Who told you to delete these items?

> I tried booting straight off a Kaspersky recovery disk with the latest
> update instead of the xp system.... but the problem still remains...
>
> something keeps being overlooked
> any ideas how to fix this hijack completely

You need to subscribe to an expert forum and submit your HJT log!

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Try this as well:
1. Clear the (IE) temporary Internet files and the history cache.
Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
quotation marks) into the box, then click the 'OK' button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete files
and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2. Clean HDD
Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
marks) into the box, then click the 'OK' button. Select your drive
(presumably WinXP (C:)) and click OK.

3. Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, scanning the system in Safe Mode is
suggested.
How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without
quotation marks), click OK. Then click onto BOOT.INI tab and 'check'
/SAFEBOOT then OK and click Restart. To go back to Normal Mode, you must
access the System Configuration utility again and click the General tab
then click/check the radio button 'Normal Startup - load all device drivers
and services'.

Good luck :)
 