Old 01-05-2005, 08:22 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 1
OS: Win2000


hijacked by YourSearcher.com

Hi and thanks in advance for your help. My browser homepage has been hijacked by YourSearcher.com. I run Ad-Aware SE to clean it out, but every time I reboot, my browser homepage gets reset back to YourSearcher.com.

I ran HijackThis, and then HijackThis Analyzer. Here are the results...

Any thoughts?

===================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 8:13:04 PM, on 1/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\EditPadLite\EditPad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINNT\system32\BhoSSafe.dll
O4 - HKCU\..\Run: [kdyvvfj] c:\winnt\ynekmoc.exe
O4 - HKCU\..\Run: [vtkulde] c:\winnt\tucoioi.exe
O4 - HKCU\..\Run: [sxdrscq] c:\winnt\xrcolyg.exe
O4 - HKCU\..\Run: [rkkiqet] c:\winnt\cruinpo.exe
O4 - HKCU\..\Run: [xjpbvff] c:\winnt\cgvuasj.exe
O4 - HKCU\..\Run: [xeniqln] c:\winnt\wvumwux.exe
O4 - HKCU\..\Run: [pkrwqjt] c:\winnt\qnvatod.exe
O4 - HKCU\..\Run: [ymmxgme] c:\winnt\gimuogg.exe
O4 - HKCU\..\Run: [avkxbxr] c:\winnt\xwajlhs.exe
O4 - HKCU\..\Run: [mlqdghx] c:\winnt\hpiyqxo.exe
O4 - HKCU\..\Run: [cxhnsmh] c:\winnt\lwrlpgd.exe
O4 - HKCU\..\Run: [kjitlvq] c:\winnt\qfsebbr.exe
O4 - HKCU\..\Run: [lfxuwhj] c:\winnt\bmbvfme.exe
O4 - HKCU\..\Run: [bkgdsim] c:\winnt\gdmgawr.exe
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
O16 - DPF: ChatSpace Java Client 3.1.0.229 - http://incoming.gsm.uci.edu/ChatSpace/Java/cms31229.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud4.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab


End of HijackThis Analyzer Log.
===================================================


Thanks!


Last edited by derning : 01-05-2005 at 08:34 PM.
Old 01-05-2005, 10:39 PM   #2 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,954
OS: Windows XP-Pro SP2


Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok, on to the log...

If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the "autoclean" option when prompted to do so.

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck Hide protected operating system files and click YES and then OK.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but make sure):

C:\Program Files\EditPadLite\EditPad.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINNT\system32\BhoSSafe.dll
O4 - HKCU\..\Run: [kdyvvfj] c:\winnt\ynekmoc.exe
O4 - HKCU\..\Run: [vtkulde] c:\winnt\tucoioi.exe
O4 - HKCU\..\Run: [sxdrscq] c:\winnt\xrcolyg.exe
O4 - HKCU\..\Run: [rkkiqet] c:\winnt\cruinpo.exe
O4 - HKCU\..\Run: [xjpbvff] c:\winnt\cgvuasj.exe
O4 - HKCU\..\Run: [xeniqln] c:\winnt\wvumwux.exe
O4 - HKCU\..\Run: [pkrwqjt] c:\winnt\qnvatod.exe
O4 - HKCU\..\Run: [ymmxgme] c:\winnt\gimuogg.exe
O4 - HKCU\..\Run: [avkxbxr] c:\winnt\xwajlhs.exe
O4 - HKCU\..\Run: [mlqdghx] c:\winnt\hpiyqxo.exe
O4 - HKCU\..\Run: [cxhnsmh] c:\winnt\lwrlpgd.exe
O4 - HKCU\..\Run: [kjitlvq] c:\winnt\qfsebbr.exe
O4 - HKCU\..\Run: [lfxuwhj] c:\winnt\bmbvfme.exe
O4 - HKCU\..\Run: [bkgdsim] c:\winnt\gdmgawr.exe


Delete the following Files/Folders in RED (delete folders if no filename is specified or they are RED) according to their directory (if you can't find them, do a search for them; make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS):

C:\Program Files\EditPadLite\EditPad.exe
C:\WINNT\system32\BhoSSafe.dll
c:\winnt\ynekmoc.exe
c:\winnt\tucoioi.exe
c:\winnt\xrcolyg.exe
c:\winnt\cruinpo.exe
c:\winnt\cgvuasj.exe
c:\winnt\wvumwux.exe
c:\winnt\qnvatod.exe
c:\winnt\gimuogg.exe
c:\winnt\xwajlhs.exe
c:\winnt\hpiyqxo.exe
c:\winnt\lwrlpgd.exe
c:\winnt\qfsebbr.exe
c:\winnt\bmbvfme.exe
c:\winnt\gdmgawr.exe


In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and whether it's clean or not.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
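As an added illustration (not code from this thread, from HijackThis or from HijackThis Analyzer), here is a small Python parser for the O4 autostart lines in the log above that flags the pattern the analyst singled out: a random-looking lowercase Run value name launching a differently named, random-looking lowercase .exe dropped straight into the Windows directory. The BLOB_RE heuristic, the WINDOWS_ROOTS list and the SAMPLE_LOG lines (copied from the log posted above) are assumptions constructed for this example.

```python
import re
import ntpath  # Windows path handling, works on any host OS

# Constructed sample: a few entries copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINNT\system32\BhoSSafe.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [kdyvvfj] c:\winnt\ynekmoc.exe
O4 - HKCU\..\Run: [vtkulde] c:\winnt\tucoioi.exe
"""

# Shape of an O4 autostart entry as HijackThis v1.98.2 prints it.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
WINDOWS_ROOTS = ('c:\\winnt\\', 'c:\\windows\\')   # assumption: Win2000 / XP roots
BLOB_RE = re.compile(r'^[a-z]{6,9}$')  # heuristic: "kdyvvfj", "ynekmoc", ...


def parse_o4(line):
    """Return (hive, value_name, exe_path) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    # A quoted path may contain spaces; an unquoted one ends at the first space.
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(' ')[0]
    return m.group('hive'), m.group('name'), exe


def is_suspicious(value_name, exe_path):
    """Heuristic from the log above: random-looking lowercase value name launching
    a differently named random-looking lowercase .exe dropped into the Windows dir."""
    low = exe_path.lower()
    if ntpath.dirname(low) + '\\' not in WINDOWS_ROOTS:
        return False
    stem, ext = ntpath.splitext(ntpath.basename(low))
    return (ext == '.exe'
            and BLOB_RE.match(stem) is not None
            and BLOB_RE.match(value_name.lower()) is not None
            and value_name.lower() != stem)


def triage(log_text):
    """Executables launched by O4 entries that trip the heuristic, in log order."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed and is_suspicious(parsed[1], parsed[2]):
            hits.append(parsed[2])
    return hits
```

Hits are candidates for the analyst's "check and fix" and "delete" lists, not a verdict; the Norton entries under Program Files pass untouched because their value names match their executables.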
Copyright 2001 - 2008, Tech Support Forum