Gmorgan

http://jksearch.biz/redir.php has taken over IE

7 posts in this topic

The home page of this machine has been hijacked to display the following URL: http://jksearch.biz/redir.php. This then chooses to display one of the following two pages: http://school-fuck.com/ or http://virgins-fuck.com/. I am sorry for the offensive language, but that is what the URLs say. If I run netstat I see that there are many connections pending to http://ruworld.com, another unsavoury site/sight :o

I have checked this forum as I see some other posts about this specific issue; I have tried bits from many, but all to no avail.

I have run Ad-Aware and have the latest virus defs.

I have now run HijackThis and have my log to display below. I do not understand how this can happen. If all the settings are set to blank page, how do they swap when IE is launched, without any processes running?

I would really appreciate your help on this. Cheers

The log is below:

Logfile of HijackThis v1.97.7
Scan saved at 02:31:36, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\oracle\products\92010\Apache\Apache\apache.exe
C:\oracle\products\92010\BIN\TNSLSNR.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\oracle\products\92010\Apache\Apache\apache.exe
C:\oracle\products\92010\jdk\bin\java.exe
C:\oracle\products\92010\jdk\bin\java.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\oracle\products\92010\bin\ORACLE.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: domain VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Intranet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://domain.webex.com/client/late...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F29A532-2A27-462F-94A8-E54C932C261B}: NameServer = x.x.x.x,x.x.x.x
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = domain.co.uk,
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = domain.co.uk,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = domain.co.uk,


I believe I have gone through every process and verified it. The ones I cannot verify are svchost; also, when I run netstat, all the ones pointing to ruworld.com are owned by process 0.

Thanks in advance for your help

Cheers

G

Edited by Gmorgan
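As an added example (not code from this thread or from HijackThis), a small Python triage pass over constructed lines modelled on the log above: it flags R0/R1 start-page entries that point outside an assumed allowlist, and O2 BHO entries whose DLL sits directly in the Windows directory, which is where the udpmod.dll and msopt.dll entries above live. The allowlist and the folder heuristic are assumptions; a hit is a lead to verify against the vendor and file properties, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

RE_R = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<value>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Assumed allowlist of start/default page values an admin expects; extend for your estate.
ALLOWED_PAGES = {"", "about:blank"}
ALLOWED_HOSTS = {"www.microsoft.com", "www.msn.com"}
# Assumed heuristic: a BHO DLL dropped straight into the Windows directory rather than
# under Program Files is unusual; udpmod.dll and msopt.dll in the log above sit there.
SUSPECT_DIRS = {"c:\\windows", "c:\\windows\\system32"}

def check_start_page(line):
    # (type, registry key, host) for an R0/R1 entry that points outside the allowlist
    m = RE_R.match(line)
    if not m:
        return None
    value = m.group("value").strip()
    if value.lower() in ALLOWED_PAGES:
        return None
    host = (urlsplit(value).hostname or "").lower()
    return None if host in ALLOWED_HOSTS else (m.group(1), m.group("key"), host or value)

def check_bho(line):
    # (type, CLSID, DLL name) for an O2 entry whose DLL lives in a suspect folder
    m = RE_O2.match(line)
    if not m:
        return None
    folder, _, dll = m.group("path").strip().rpartition("\\")
    return ("O2", m.group("clsid"), dll) if folder.lower() in SUSPECT_DIRS else None

def triage(log_text):
    # Run both checks over every line; each hit is a lead to verify, not a verdict.
    hits = []
    for line in log_text.splitlines():
        hits += [h for h in (check_start_page(line), check_bho(line)) if h]
    return hits
```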


Hi Gmorgan. I am in the same boat as you with the same URLs. We have tried a number of anti-spyware programs which sweep through our system, proclaim "All is clear", yet when we reconnect to the net, jksearch.biz is still there. It's Evil.

Watch my previous inquiry and any responses. (I'm above yours a few lines.)

Please update if you find a solution.

jpt


Hi,

I also have the same problem and have asked for help through this forum. Still waiting to receive a reply. I have been looking at other posts and it seems like the same story: no matter what is tried, there is no effect.

I'm at my wit's end.

a


Just to make this more complicated, it is not on my machine but on a user from our company. He is in Australia and I am in the UK. This makes troubleshooting slightly harder, but anyway.

I just used HijackThis to clear the settings for all that point to the jksearch.biz addresses. I have thoroughly checked the HijackThis log and there does not seem to be anything wrong in there, so I just used msconfig to set it to start up in diagnostic mode and then went to Internet Properties after a reboot, and the pages had been reset already.

I am no expert on these matters, so... if no processes start to change the page, and if all the plugins etc. are correct, then how can this happen? Is it possible to get your claws into IE another way??

I am looking to reinstall IE when time differences and his workload permit.

This is a real issue now as he cannot use this machine on a customer site.

Any ideas would be most welcome; equally, if people do not know what it is, I would like to know that too so that I can gauge the level of the problem.

Thanks for all your time and efforts


I am facing the same problem. I have been sitting at my computer for 4 hours flat now, trying to undo the problem.

I tried Ad-Aware and many other tools. I found one tool, Browser Hijack Blaster, which prevents changes made to IE settings. But it prompts you every 30 seconds, and gets really annoying.

I hope someone finds a solution pretty soon... I cannot seem to locate the process which is causing this problem...


Okay, all is well.

idiottoo is quite correct. PGPhantom's reply to Mag is the answer to our issue :D

The link below takes you to it:

http://www.spywareinfoforum.com/index.php?showtopic=1058&hl=

I found the system32.dll file in c:\windows\system32\system32.dll

The strange thing was I could rename it; however, the problem still persisted. If I tried to delete it, however, it would not allow me. I had to use a file-in-use tool to overwrite/delete it on reboot.

Reboot, run HijackThis, set the URLs, reboot just for the sake of it, and no more hassle from the browser hijacking. I now need to sort out the connections to RUworld that netstat shows :) anyway, that's another day's work, so thanks to PGPhantom this quest is over.

Cheers

Gareth
