Tech Support Forum - View Single Post - Nowfind.net Hijack

sUBs · 03-01-2006, 10:38 PM

Please read this post completely before begining the fix.

Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/009/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/009/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nowfind.net/rand/gallery.php?url=www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/009/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/009/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/009/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/009/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/009/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/009/index.html
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://nowfind.net/rand/gallery.php?url=
O13 - WWW Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Home Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/rand/gallery.php?url=

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\Documents and Settings\Paul Potvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-1b31a70d.zip
C:\Documents and Settings\Paul Potvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1101e5-5ed269c0.zip
C:\Program Files\Common Files\System\MSMAPI\1033\a679a0.js
C:\Program Files\Common Files\System\MSMAPI\1033\as
C:\Program Files\Common Files\System\MSMAPI\1033\bad
C:\WINDOWS\system32\a679a0.js
C:\WINDOWS\system32\as Infected:
C:\WINDOWS\system32\bad

Delete the contents of this folder, leaving it empty:

C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
C:\Program Files\Yahoo!\YPSR(2)\Quarantine(2)\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.

* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *

This will clear the System Volume Information folder
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

Tick on the checkbox - Turn off System Restore on all drives
Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

* * * * * *

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

Online Scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

03-01-2006, 10:38 PM	#5 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,500 OS: N/A	Please read this post completely before begining the fix. Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards. SpywareBlaster 3.5.1 Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/009/index.html R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/009/index.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nowfind.net/rand/gallery.php?url=www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/009/index.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/009/index.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/009/index.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/009/index.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/009/index.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/009/index.html O1 - Hosts: auto.search.msn.com 127.0.0.1 O13 - DefaultPrefix: http://nowfind.net/rand/gallery.php?url= O13 - WWW Prefix: http://nowfind.net/rand/gallery.php?url= O13 - Home Prefix: http://nowfind.net/rand/gallery.php?url= O13 - Mosaic Prefix: http://nowfind.net/rand/gallery.php?url= * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools -> Folder Options -> View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\Documents and Settings\Paul Potvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-1b31a70d.zip C:\Documents and Settings\Paul Potvin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1101e5-5ed269c0.zip C:\Program Files\Common Files\System\MSMAPI\1033\a679a0.js C:\Program Files\Common Files\System\MSMAPI\1033\as C:\Program Files\Common Files\System\MSMAPI\1033\bad C:\WINDOWS\system32\a679a0.js C:\WINDOWS\system32\as Infected: C:\WINDOWS\system32\bad Delete the contents of this folder, leaving it empty: C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ C:\Program Files\Yahoo!\YPSR(2)\Quarantine(2)\ * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. * * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * * This will clear the System Volume Information folder Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK * * * * * * Perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis log Online Scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today? Last edited by sUBs; 03-01-2006 at 10:39 PM.