Hello all, and thank you in advance for any replies :)

I have recently come across a machine that has been hijacked!! Let me explain...

This is an XP Pro SP2 system, running IE7 with all the latest updates. Whenever a Google search is performed (.com + .co.uk, from the searchbar, Google home page, or any other subsequent Google pages), the usual results are returned fine, but whenever I click on a link (any result, any search) I am redirected to another (usually) search engine, such as LookSearch, or various advertisement sites.

This problem is exclusive to IE (have recently installed firefox as a work-around) and does not seem to affect any other search engine (Yahoo, Ask, Live etc work fine).

I have run the usual Spyware/AV scans using SpyBot, Ad-Aware and Windows Defender (all with latest updates, as of 19th July), none of which were much help.

In a last-ditch attempt at salvation, I grabbed a HijackThis! log, which I will attach to this post, in the hope that someone more knowledgeable than myself can find the problem. There doesn't appear to be any new programs/toolbars etc so I really am stuck!

Please please please help, any posts will be greatly appreciated!!!

PS: having spent hours searching the net, the closest thing I could find was a 3 year old thread on some random forum where the problem lay with an "sp.html" and some associated rogue dlls and exes, but having scoured the HDD I could not find evidence of this.

Again, thanks in advance for any replies!

Answered by gerbil:

First, go to add/remove pgms and uninstall MyWebSearch, then delete the pgm folder of that name.
This is your main problem :
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
And then there is this, a pest:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYGB
-fix both with hijackthis, then delete the file C:\WINDOWS\Temp\startdrv.exe [you may have to do it in safe mode....]
Alternatively you could download Unlocker to delete it...
If it returns you could try Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Hey man, thanks a lot for the info, seriously I mean it, this one's been a real head-scratcher. Unfortunately though I will not be able to have another look at this machine until Monday (owner away), BUT as soon as I can I will have a look and let you know how it goes!

Did you have the same problem? If so, do you have any idea what could have caused this?

Thanks again mate, loads!


speak soon,

Rich

Me? No. It was late so I did not complete. Run ComboFix because it will remove files associated with that trojan, and add these few entries for fixing just to tidy up...

O2 - BHO: H - {4F862FBA-1E2B-4072-9EA8-1FD3FECB86A1} - somato.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)

Say how you get on.
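The two replies above single out HijackThis entries by the same criteria a responder applies by eye: an O4 autorun launching an executable from a Temp directory, O2/O3 BHO and toolbar entries whose file is missing, and an O8 context-menu item pointing at an external host. The script below is an added example (not code from the thread or from HijackThis) that parses lines in that format and applies those checks automatically. The sample log is constructed from the entries quoted in this thread plus one assumed benign O4 line for contrast; the regular expressions and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the entries quoted in this thread, plus one assumed
# benign O4 entry (ctfmon.exe from system32) so the triage has something to skip.
SAMPLE_LOG = r"""
O2 - BHO: H - {4F862FBA-1E2B-4072-9EA8-1FD3FECB86A1} - somato.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYGB
"""

# A HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Autorun entries that execute from a temporary directory are a classic red flag.
TEMP_DIR_RE = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.IGNORECASE)
# HijackThis marks orphaned BHO/toolbar registrations with these suffixes.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)", re.IGNORECASE)
# Capture the host of any URL embedded in the entry body.
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return (section, body) tuples for every well-formed HijackThis line."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Apply the same checks the responders applied by hand and report hits."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = []
        if section == "O4" and TEMP_DIR_RE.search(body):
            reasons.append("autorun launches an executable from a temp directory")
        if section in ("O2", "O3") and ORPHAN_RE.search(body):
            reasons.append("orphaned BHO/toolbar entry (file missing)")
        if section == "O8":
            m = URL_RE.search(body)
            if m:
                reasons.append("context-menu item points at external host " + m.group(1))
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.entry}")
        for r in f.reasons:
            print("    -", r)
```

Run as-is it prints the five flagged entries from the thread and skips the benign ctfmon line; point `triage()` at the contents of a real HijackThis log to get the same first-pass list that the replies above produced manually. The checks are heuristics, so each hit still needs the kind of judgement shown in the thread (the Epson entries, for instance, are leftovers to tidy rather than malware).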

Hi again, thanks for the help, it's really appreciated. Unfortunately neither that file nor the registry entries exist. I did however run ComboFix, and I shall attach the log file, as well as the quarantine log (I dunno if that helps, but I'll up it anyway :) )

Sorry for the late reply, work has been really busy this week.

thanks again,


rich
