Browser hijack

Tony Pagett

I have a virus that keeps on hijacking my browser.

It is called nowfind.net

I have run anti-virus programs and spyware removal programs and they find
the virus and remove it but it keeps coming back.

It also puts links to porn sites in my favourites.

Any ideas as to where this virus may be hiding on my PC?

Regards
 
David H. Lipman

From: "Tony Pagett" <[email protected]>

| I have a virus that keeps on hijacking my browser.
|
| It is called nowfind.net
|
| I have run anti-virus programs and spyware removal programs and they find
| the virus and remove it but it keeps coming back.
|
| It also puts links to porn sites in my favourites.
|
| Any ideas as to where this virus may be hiding on my PC?
|
| Regards
|

Please download and install BHODemon -- http://www.definitivesolutions.com/bhodemon.htm to
help identify and eliminate malware Browser Helper Objects.

In addition...


Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example: lpt486.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shut down as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware.
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *
 
Tony Pagett

I have done everything that you suggest and have found 59 cases of
malware/spyware on my PC. However the one that keeps taking over my home
page is still there.

David H. Lipman said:
From: "Tony Pagett" <[email protected]>

| I have a virus that keeps on hijacking my browser.
|
| It is called nowfind.net
|
| I have run anti-virus programs and spyware removal programs and they find
| the virus and remove it but it keeps coming back.
|
| It also puts links to porn sites in my favourites.
|
| Any ideas as to where this virus may be hiding on my PC?
|
| Regards
|

Please download and install BHODemon --
http://www.definitivesolutions.com/bhodemon.htm to
 
Lew/+Silat

Do all the following.
Do all this:)


http://www.javacoolsoftware.com/downloads.html - download and install :
SpywareBlaster and SpywareGuard FREE

http://www.safer-networking.org/index.php?page=download - Download and
install Spybot - Search & Destroy FREE

http://www.spywareinfo.com/~merijn/downloads.html - Download Hijackthis. Put
it in a new folder named "Hijackthis". Put the folder on c drive. This is
important for proper logging of info when you get hijacked. Do not use this
program unless you completely know what you are doing. FREE

http://www.intermute.com/products/cwshredder.html - CWShredder . Download
the standalone version. FREE

http://www.lavasoftusa.com/support/download/ - Download the free version of
Adaware and install. Or pay for the advanced version if you want. FREE

http://www.microsoft.com/athome/security/spyware/software/default.mspx -
Windows AntiSpyware (Beta) FREE

http://www.grisoft.com/us/us_dwnl_free.php - If you don't have an antivirus
program and don't want to pay for one then get AVG . It is free and good.
FREE
http://www.free-av.com/ - another antivirus FREE

http://www.ccleaner.com/ - Crap Cleaner. Windows system cleaner like Window
Washer FREE

If you don't have an antivirus you can do free scans at
Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/
http://housecall.antivirus.com

McAfee Security - FreeScan
http://www.mcafee.com/myapps/mfs/default.asp

Panda ActiveScan - Free online scanner
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html




All the downloaded programs need updating regularly.

If you have a problem, you can go to the
http://help.lockergnome.com/index.php?showforum=50 and click on the
"HIJACKTHIS LOGS" forums. Register and post your problem. An expert will get
to you within a few days to guide you to a clean machine
 
David H. Lipman

From: "Tony Pagett" <[email protected]>

| I have done everything that you suggest and have found 59 cases of
| malware/spyware on my PC. However the one that keeps taking over my home
| page is still there.

BHODemon found no Browser Helper Objects?

Ad-aware shows the PC is clean of malware?

If the above is true...
Please use SpyBot Search & Destroy --
http://www.safer-networking.org/index.php?page=download

Use the same set of instructions for SpyBot S&D as you used for Ad-aware.
 
Tony Pagett

I have run SpyBot search & destroy. It did not list NOWFIND.NET as a problem
but when I look under the browser pages option in SpyBot there are 13
listings of NOWFIND.NET
 
Tony Pagett

I have now run seven different spyware/adware removal programs and registry
cleaners and they all find different problems but when I open explorer my
home page is still NOWFIND.NET
If I use tools/internet options and change my home page everything is ok but
when I re-open explorer NOWFIND.NET is back and so are the porn site links
in my favourites.


Tony Pagett said:
I have run SpyBot search & destroy. It did not list NOWFIND.NET as a problem
but when I look under the browser pages option in SpyBot there are 13
listings of NOWFIND.NET
 
James Egan

I have now run seven different spyware/adware removal programs and registry
cleaners and they all find different problems but when I open explorer my
home page is still NOWFIND.NET
If I use tools/internet options and change my home page everything is ok but
when I re-open explorer NOWFIND.NET is back and so are the porn site links
in my favourites.

Download autoruns and process explorer from sysinternals
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Run process explorer first and close down any offending running
processes, then run autoruns which monitors automatic startups. Be
sure you select "show explorer addons" from the view menu.

If you don't close down all the malware's running processes first you
might find that when you uncheck boxes in autoruns (to stop the
program loading next time) it is immediately changed back again by the
running process.

Often there are two processes which look after each other and need to
be closed simultaneously using the kill process tree option.


Jim.
 
Tony Pagett

I have run both of these programs and can account for everything on the
lists produced.
 
Tony Pagett

I have tried regmon as suggested. I have found the dreaded NOWFIND.NET by
clicking on my homepage icon and then looking on regmon. It is shown as:
HKCU\software\microsoft\windows\currentversion\internetsettings\zonemap\domains\nowfind.net

Any ideas now please?

Tony
 
James Egan

I have tried regmon as suggested. I have found the dreaded NOWFIND.NET by
clicking on my homepage icon and then looking on regmon. It is shown as:
HKCU\software\microsoft\windows\currentversion\internetsettings\zonemap\domains\nowfind.net

Any ideas now please?

You need to delete the settings while regmon is monitoring that part of
the registry and look which process is writing them back.


Jim.
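
A read-only way to inspect the registry locations this thread keeps returning to (home page values, the ZoneMap\Domains key Regmon showed, autostart entries and Browser Helper Objects), as an added example that is not part of any poster's message. It assumes PowerShell 3.0 or later; `$Needle` and the helper `Get-RegValues` are names chosen here.

```powershell
# Added example: read-only triage of the registry locations discussed in the thread.
$Needle = 'nowfind.net'   # domain named in the thread; change for other cases
$Hives  = 'HKCU:', 'HKLM:'

function Get-RegValues([string]$Path) {
    # Emit one object per value under $Path; emit nothing if the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Data = [string]$key.GetValue($name) }
    }
}

# 1. IE home/search page values that mention the domain.
$pages = foreach ($h in $Hives) {
    Get-RegValues "$h\Software\Microsoft\Internet Explorer\Main"
    Get-RegValues "$h\Software\Microsoft\Internet Explorer\Search"
}
$pages | Where-Object { $_.Data -like "*$Needle*" } | Format-Table -AutoSize -Wrap

# 2. ZoneMap entries: value name = protocol, data = zone (2 = Trusted sites).
$zones = foreach ($h in $Hives) {
    $zm = "$h\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (Test-Path -LiteralPath $zm) {
        Get-ChildItem -LiteralPath $zm -Recurse | ForEach-Object {
            foreach ($proto in $_.GetValueNames()) {
                [pscustomobject]@{ Key = $_.Name; Protocol = $proto; Zone = $_.GetValue($proto) }
            }
        }
    }
}
$zones | Where-Object { $_.Key -like "*$Needle*" } | Format-Table -AutoSize -Wrap

# 3. Autostart entries: candidates for the process that writes the settings back.
$runs = foreach ($h in $Hives) {
    Get-RegValues "$h\Software\Microsoft\Windows\CurrentVersion\Run"
    Get-RegValues "$h\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$runs | Format-Table Name, Data, Key -AutoSize -Wrap

# 4. Browser Helper Objects and the DLL each CLSID loads into IE.
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    Get-ChildItem -LiteralPath $bhoRoot | ForEach-Object {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)\InprocServer32"
        $dll = if (Test-Path -LiteralPath $srv) { (Get-Item -LiteralPath $srv).GetValue('') } else { '(no InprocServer32)' }
        [pscustomobject]@{ CLSID = $_.PSChildName; Dll = $dll }
    } | Format-Table -AutoSize -Wrap
}
```

Running it before and after deleting the entries shows which values have been written back, which narrows what to watch for in Regmon.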
 
