Home Page Hijacked!!

Anthony

My home page is hijacked by a search engine that gives me pop-ups of adware
and spyware programs. There is a folder in the Windows directory called
"srchasst". I tried deleting the folder, it doesn't delete. I delete the
files in the folder only for them to appear 2 seconds later again. How the
heck is this possible??

I ran all the spyware programs and nothing works.
CW-shredder
Ad-Aware SE
Spy bot
Hijack This
Spywarebusters

In the address box all it shows is "about:blank" and in the status bar it
shows "Downloading Pictures res://shdoclc.dll/flag.gif...". I tried using
spyware programs in "safe mode"; for some reason the mouse won't work, which
makes it very hard to move around.

I need help!!
Thanks,
Anthony
 
Andre Da Costa

Did you disable System Restore (Right click My Computer > Properties >
System Restore (tab), restart the computer in Safe Mode then run the
solutions you mentioned in Safe Mode?

Andre
 
Paul Heslop

Anthony said:
| My home page is hijacked by a search engine that gives me pop-ups of adware
| and spyware programs. There is a folder in the Windows directory called
| "srchasst". I tried deleting the folder, it doesn't delete. I delete the
| files in the folder only for them to appear 2 seconds later again. How the
| heck is this possible??
|
| I ran all the spyware programs and nothing works.
| CW-shredder
| Ad-Aware SE
| Spy bot
| Hijack This
| Spywarebusters
|
| In the address box all it shows is "about:blank" and in the status bar it
| shows "Downloading Pictures res://shdoclc.dll/flag.gif...". I tried using
| spyware programs in "safe mode"; for some reason the mouse won't work, which
| makes it very hard to move around.
|
| I need help!!
| Thanks,
| Anthony

Something in the registry? If you drop srchasst into Google it says it
is the Windows search assistant and apparently yours has been
hijacked. Maybe one of the many googled replies has the answer but my
connection is running too slow for me to check them out for you.
 
PA Bear

1. From your headers: "Microsoft Outlook Express 6.00.2600.0000"

No wonder you were hijacked. You're running very outdated and much
less-secure versions of OE, IE and Windows. Get your hijackware problem
sorted first and then take care of *everything* here:

Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

2. See below. You will need to post your HijackThis log to an appropriate
forum for help.

Dealing with Trojans & Hijackware

A. Trojans

1. Check in at Windows Update and install all critical updates & reboot.

2. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

3. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background. Note the files identified and
removed then find the corresponding page for the file at your AV maker's
online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow *all* Removal steps, including editing the Registry if directed.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then:

Disk Cleanup > More options > Delete all but the most recent Restore
Point.

B. Hijackware

Help with Hijackware (MS MVP sites all)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder v1.59.1 (no updates available currently; fix all found)

2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

WinXP SP2: What's New for Internet Explorer and Outlook Express
http://www.microsoft.com/windowsxp/sp2/ieoeoverview.mspx

What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/default.mspx

There is no 'silver bullet' solution to hijackware
http://go.microsoft.com/fwlink/?LinkId=33131
 
Anthony

Thanks guys,

I just found out this hijack program is called "Home Search"

What next??
Thanks,
Anthony
 
PA Bear

See previous reply. (Please always include previous message in your replies
here, Anthony.)

Clue: http://www.pchell.com/support/onlythebest.shtml
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

 
Anthony

Oops, sorry about that, I know for next time.
Thanks for the link PA Bear, it worked :)

Anthony
 
David H. Lipman

I see you have learned NOTHING. As I have previously stated, Stinger is NOT an
investigational tool since it ONLY targets ~45 infectors (and their variants) while Trend
Sysclean is a tool based around standard Trend Pattern Files. Trend Sysclean is a
broad-spectrum virus, worm and Trojan removal tool. The number of infectors targeted by
Sysclean grows as a function of the release of new Pattern Files and the number of infectors
added to the Pattern Files. It should also be noted that the Sysclean Damage Cleanup
Engine is updated periodically.

You have Stinger listed under the header of Trojans. The majority of infectors that Stinger
targets just so happen to be Internet worms. The Trojans that Stinger targets are Trojans
that are "associated" or work in companion with Internet worms.

BackDoor-AQJ -- Trojan -- http://vil.nai.com/vil/content/v_101702.htm
BackDoor-CFB -- Trojan -- http://vil.nai.com/vil/content/v_126106.htm
BackDoor-CHR -- Trojan -- http://vil.nai.com/vil/content/v_127617.htm
BackDoor-JZ -- Trojan -- http://vil.nai.com/vil/content/v_98963.htm
Bat/Mumu.worm -- worm -- http://vil.nai.com/vil/content/v_100349.htm
Exploit-DcomRpc -- Trojan -- http://vil.nai.com/vil/content/v_100516.htm
IPCScan -- Trojan -- http://vil.nai.com/vil/content/v_108749.htm
IRC/Flood.ap -- Trojan -- http://vil.nai.com/vil/content/v_111930.htm
IRC/Flood.bi -- Trojan -- http://vil.nai.com/vil/content/v_100023.htm
IRC/Flood.cd -- Trojan -- http://vil.nai.com/vil/content/v_100327.htm
NTServiceLoader -- Program -- http://vil.nai.com/vil/content/v_116783.htm
PWS-Narod -- Trojan -- http://vil.nai.com/vil/content/v_100477.htm
PWS-Sincom.dll -- Trojan -- http://vil.nai.com/vil/content/v_117412.htm
W32/Anig.worm -- worm -- http://vil.nai.com/vil/content/v_100990.htm
W32/Bagle@MM -- worm -- http://vil.nai.com/vil/content/v_101164.htm
W32/Blaster.worm (Lovsan) -- worm -- http://vil.nai.com/vil/content/v_100547.htm
W32/Bugbear@MM -- worm -- http://vil.nai.com/vil/content/v_99728.htm
W32/Deborm.worm.gen -- worm -- http://vil.nai.com/vil/content/v_100143.htm
W32/Doomjuice.worm -- worm -- http://vil.nai.com/vil/content/v_101002.htm
W32/Dumaru -- worm -- http://vil.nai.com/vil/content/v_100560.htm
W32/Elkern.cav --
W32/Fizzer.gen@MM --
W32/FunLove --
W32/Klez --
W32/Korgo.worm --
W32/Lirva --
W32/Lovgate --
W32/Mimail --
W32/MoFei.worm --
W32/Mumu.b.worm --
W32/MyDoom --
W32/Nachi.worm --
W32/Netsky --
W32/Nimda --
W32/Pate --
W32/Polybot --
W32/Sasser.worm --
W32/SirCam@MM --
W32/Sober --
W32/Sobig --
W32/SQLSlammer.worm --
W32/Swen@MM --
W32/Yaha@MM --
W32/Zafi --
W32/Zindos.worm --




If you can not provide current and proper virus and parasite removal information, please
send the OP to those who do at:

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


Dave



| A. Trojans
|
| 1. Check in at Windows Update and install all critical updates & reboot.
|
| 2. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...
 
David H. Lipman

Hit the wrong key, I was not done, sorry... ;-(

You have Stinger listed under the header of Trojans. The majority of infectors that Stinger
targets just so happen to be worms. The majority of Trojans that Stinger targets are
Trojans that are "associated" or work in companion with worms.

Below are the infectors that Stinger targets and McAfee's classification.

Trojans - 11
BackDoor-AQJ -- Trojan -- http://vil.nai.com/vil/content/v_101702.htm -- Companion worm, Lovgate
BackDoor-CHR -- Trojan -- http://vil.nai.com/vil/content/v_127617.htm -- Companion worm, Mydoom
BackDoor-JZ -- Trojan -- http://vil.nai.com/vil/content/v_98963.htm -- Companion worm, Deborm
Exploit-DcomRpc -- Trojan -- http://vil.nai.com/vil/content/v_100516.htm -- Associated worm, Lovsan/Blaster
IPCScan -- Trojan -- http://vil.nai.com/vil/content/v_108749.htm -- Companion worm, Mumu
IRC/Flood.ap -- Trojan -- http://vil.nai.com/vil/content/v_111930.htm -- Companion worm, Randon
PWS-Narod -- Trojan -- http://vil.nai.com/vil/content/v_100477.htm -- Companion worm, Dumaru
BackDoor-CFB -- Trojan -- http://vil.nai.com/vil/content/v_126106.htm
IRC/Flood.bi -- Trojan -- http://vil.nai.com/vil/content/v_100023.htm
IRC/Flood.cd -- Trojan -- http://vil.nai.com/vil/content/v_100327.htm
PWS-Sincom.dll -- Trojan -- http://vil.nai.com/vil/content/v_117412.htm

Worms - 25
Bat/Mumu.worm -- worm -- http://vil.nai.com/vil/content/v_100349.htm
W32/Anig.worm -- worm -- http://vil.nai.com/vil/content/v_100990.htm
W32/Bagle@MM -- worm -- http://vil.nai.com/vil/content/v_101164.htm
W32/Blaster.worm (Lovsan) -- worm -- http://vil.nai.com/vil/content/v_100547.htm
W32/Bugbear@MM -- worm -- http://vil.nai.com/vil/content/v_99728.htm
W32/Deborm.worm.gen -- worm -- http://vil.nai.com/vil/content/v_100143.htm
W32/Doomjuice.worm -- worm -- http://vil.nai.com/vil/content/v_101002.htm
W32/Dumaru -- worm -- http://vil.nai.com/vil/content/v_100560.htm
W32/Klez -- worm -- http://vil.nai.com/vil/content/v_99237.htm
W32/Korgo.worm -- worm -- http://vil.nai.com/vil/content/v_125932.htm
W32/Lovgate -- worm -- http://vil.nai.com/vil/content/v_100072.htm
W32/Mimail -- worm -- http://vil.nai.com/vil/content/v_100523.htm
W32/MoFei.worm -- worm -- http://vil.nai.com/vil/content/v_100357.htm
W32/Mumu.b.worm -- worm -- http://vil.nai.com/vil/content/v_100530.htm
W32/Nachi.worm -- worm -- http://vil.nai.com/vil/content/v_100559.htm
W32/Netsky -- worm -- http://vil.nai.com/vil/content/v_101027.htm
W32/Nimda -- worm -- http://vil.nai.com/vil/content/v_99209.htm
W32/Pate -- worm -- http://vil.nai.com/vil/content/v_99690.htm
W32/Polybot -- worm -- http://vil.nai.com/vil/content/v_101090.htm
W32/Sasser.worm -- worm -- http://vil.nai.com/vil/content/v_125007.htm
W32/Sober -- worm -- http://vil.nai.com/vil/content/v_100778.htm
W32/Sobig -- worm -- http://vil.nai.com/vil/content/v_99950.htm
W32/SQLSlammer.worm -- worm -- http://vil.nai.com/vil/content/v_99992.htm
W32/Yaha@MM -- worm -- http://vil.nai.com/vil/content/v_99362.htm
W32/Zindos.worm -- worm -- http://vil.nai.com/vil/content/v_127038.htm

Virus, other - 9
W32/Elkern.cav -- file infector -- http://vil.nai.com/vil/content/v_99238.htm
NTServiceLoader -- Program -- http://vil.nai.com/vil/content/v_116783.htm
W32/Fizzer.gen@MM -- virus -- http://vil.nai.com/vil/content/v_100295.htm
W32/Lirva -- virus -- http://vil.nai.com/vil/content/v_99949.htm
W32/MyDoom -- virus -- http://vil.nai.com/vil/content/v_100988.htm
W32/Swen@MM -- virus -- http://vil.nai.com/vil/content/v_100662.htm
W32/FunLove -- virus -- http://vil.nai.com/vil/content/v_10419.htm
W32/Zafi -- virus -- http://vil.nai.com/vil/content/v_126242.htm
W32/SirCam@MM -- virus -- http://vil.nai.com/vil/content/v_99141.htm

Dave
 
Alex Nichol

Anthony said:
| My home page is hijacked by a search engine that gives me pop-ups of adware
| and spyware programs. There is a folder in the Windows directory called
| "srchasst". I tried deleting the folder, it doesn't delete. I delete the
| files in the folder only for them to appear 2 seconds later again. How the
| heck is this possible??

srchasst is a standard folder for the Windows Search Assistant (Rover
and his ilk). Protected files, so they are restored if tampered with.

Have you installed MSN Messenger Plus!? This sounds rather like the
C2Media which comes along sponsoring that. If so, uninstall Plus! and
reboot; then reinstall it, this time making sure you do *not* agree to
the sponsorship.
 
PA Bear

Give it a rest, please, David. We're here to help others, not criticize
those trying to offer help. If you want to append my posts with your
comments or alternate suggestions, please do so.

I find Stinger to be a useful, general tool to rule /out/ those Trojans. I
don't claim it to be an "investigational tool"; I recommend it to eliminate
some likely possibilities.

Furthermore, I've found most posters don't have the understanding to use
Sysclean correctly or effectively (or the patience to learn).
 
Joe

Anthony said:
| My home page is hijacked by a search engine that gives me pop-ups of adware
| and spyware programs. There is a folder in the Windows directory called
| "srchasst". I tried deleting the folder, it doesn't delete. I delete the
| files in the folder only for them to appear 2 seconds later again. How the
| heck is this possible??
|
| I ran all the spyware programs and nothing works.
| CW-shredder
| Ad-Aware SE
| Spy bot
| Hijack This
| Spywarebusters
|
| In the address box all it shows is "about:blank" and in the status bar it
| shows "Downloading Pictures res://shdoclc.dll/flag.gif...". I tried using
| spyware programs in "safe mode"; for some reason the mouse won't work, which
| makes it very hard to move around.
|
| I need help!!
| Thanks,
| Anthony

It appears you have the about blank homepage hijacker. This is difficult to
remove but the instructions are here -->
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

Joe
 
David H. Lipman

I have greater respect that the reader "can handle it" as there is as much understanding in
using Sysclean as there is in Stinger. The only difference is they have to extract the
contents of a ZIP file in the same location as Sysclean.com and that is NOT hard to do.

You stated -- "...not criticize those trying to offer help." If the information needs
correction to *better* assist then I will comment. And I think if you really wanted to
help you would not think it as negative criticism but as feedback. Feedback needed to
improve the output of your posts to assist users.

The mere fact that you suggest a tool without knowing if that tool will even help means you
are using it in an investigational mode. The below are the only Trojans Stinger targets out
of many hundreds so it only rules out a very small percentage. Hardly much of a help.
BackDoor-AQJ -- Trojan -- http://vil.nai.com/vil/content/v_101702.htm
BackDoor-CHR -- Trojan -- http://vil.nai.com/vil/content/v_127617.htm
BackDoor-JZ -- Trojan -- http://vil.nai.com/vil/content/v_98963.htm
Exploit-DcomRpc -- Trojan -- http://vil.nai.com/vil/content/v_100516.htm
IPCScan -- Trojan -- http://vil.nai.com/vil/content/v_108749.htm
IRC/Flood.ap -- Trojan -- http://vil.nai.com/vil/content/v_111930.htm
PWS-Narod -- Trojan -- http://vil.nai.com/vil/content/v_100477.htm
BackDoor-CFB -- Trojan -- http://vil.nai.com/vil/content/v_126106.htm
IRC/Flood.bi -- Trojan -- http://vil.nai.com/vil/content/v_100023.htm
IRC/Flood.cd -- Trojan -- http://vil.nai.com/vil/content/v_100327.htm
PWS-Sincom.dll -- Trojan -- http://vil.nai.com/vil/content/v_117412.htm

If you can not provide current and proper virus and parasite removal information, please
send the OP to those who can provide that information at:

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


Dave






| Give it a rest, please, David. We're here to help others, not criticize
| those trying to offer help. If you want to append my posts with your
| comments or alternate suggestions, please do so.
|
| I find Stinger to be a useful, general tool to rule /out/ those Trojans. I
| don't claim it to be an "investigational tool"; I recommend it to eliminate
| some likely possibilities.
|
| Furthermore, I've found most posters don't have the understanding to use
| Sysclean correctly or effectively (or the patience to learn).
| --
| ~PA Bear
 
PA Bear

<yawn>
I have greater respect that the reader "can handle it" as there is as
much understanding in using Sysclean as there is in Stinger. The only
difference is they have to extract the contents of a ZIP file in the same
location as Sysclean.com and that is NOT hard to do.
<snip>
 
