http://jksearch.biz/redir.php has taken over IE

This topic is locked
6 replies to this topic

#1 Gmorgan (Full Member, 5 posts)

Posted 19 May 2004 - 12:06 PM

The home page of this machine has been hijacked to display the following URL: http://jksearch.biz/redir.php. This then chooses to display one of the following two pages: http://school-fuck.com/ or http://virgins-fuck.com/. I am sorry for the offensive language, but that is what the URLs say. If I netstat, I see that there are many connections pending for http://ruworld.com, another unsavoury site/sight :o

I have checked this forum as I see some other posts about this specific issue; I have tried bits from many but all to no avail.

I have run Adaware and have the latest virus defs.

I have now run HijackThis and have my log to display below. I do not understand how this can happen. If all the settings are set to a blank page, how, when IE is launched, do they swap without any processes running?

I would really appreciate your help on this. Cheers

The log is below.

Logfile of HijackThis v1.97.7
Scan saved at 02:31:36, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: domain VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Program Files\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Intranet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://domain.webex...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F29A532-2A27-462F-94A8-E54C932C261B}: NameServer = x.x.x.x,x.x.x.x
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = domain.co.uk,
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = domain.co.uk,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = domain.co.uk,

I believe I have gone through every process and verified it. The ones I cannot verify are svchost; also, when I run netstat, all the ones pointing to ruworld.com are owned by process 0.

Thanks in advance for your help



Edited by Gmorgan, 19 May 2004 - 12:10 PM.
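The pattern in the log above (one remote URL written into every IE start/default/local page value, plus unnamed BHOs loading DLLs from outside Program Files) is exactly what a reviewer scans a HijackThis log for. The script below is an added example, not something from this thread or from HijackThis itself: it parses the R0/R1, O2 and O4 Run lines into records and applies those two heuristics, plus a third that lists Run entries given as a bare file name so the file can be located and checked. The sample log is a constructed excerpt copied from the lines posted above; the thresholds and checks are my own assumptions, and a hit means "verify by hand", not "malicious".

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in this thread (a subset of
# its lines, copied verbatim) so the script runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Line shapes of the three HijackThis entry types handled here.
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")

# Start-page values that are not a remote redirect (assumed allow-list).
LOCAL_OK = {"", "about:blank"}


def parse_hjt(text):
    """Parse R0/R1, O2 and O4-Run lines into dicts; anything else is kept as 'other'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            kind, hive, key, name, data = m.groups()
            entries.append({"type": "R", "hive": hive, "key": key,
                            "name": name, "data": data.strip(), "raw": line})
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, module = m.groups()
            entries.append({"type": "O2", "name": name, "clsid": clsid,
                            "module": module.strip(), "raw": line})
            continue
        m = O4_RUN.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"type": "O4", "hive": hive, "key": key,
                            "name": name, "command": cmd, "raw": line})
            continue
        entries.append({"type": "other", "raw": line})
    return entries


def find_start_page_hijack(entries):
    """Group the IE page values by URL and report any remote URL that has been
    written into more than one of them: the same-URL-everywhere pattern above."""
    by_url = defaultdict(list)
    for e in entries:
        if e["type"] == "R":
            by_url[e["data"]].append(f'{e["hive"]}\\{e["key"]},{e["name"]}')
    findings = []
    for url, where in by_url.items():
        if url.lower() in LOCAL_OK or url.lower().startswith("res://"):
            continue
        if len(where) > 1:
            findings.append({"url": url, "locations": sorted(where)})
    return findings


def find_suspicious_bhos(entries):
    """BHOs whose module lives outside Program Files. The '(no name)' label is not
    informative on its own (this HijackThis build shows it for every BHO), so the
    module location is the discriminating signal."""
    hits = []
    for e in entries:
        if e["type"] == "O2" and "\\program files\\" not in e["module"].lower():
            hits.append(e["module"])
    return hits


def _executable(command):
    """Return the program part of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def find_bare_run_entries(entries):
    """Run entries whose command has no directory component rely on a path
    search; list them so the file that actually runs can be located and checked."""
    return [_executable(e["command"]) for e in entries
            if e["type"] == "O4" and "\\" not in _executable(e["command"])]


def review(text):
    """Run all three checks over a HijackThis log and return the findings."""
    entries = parse_hjt(text)
    return {"start_page": find_start_page_hijack(entries),
            "bhos": find_suspicious_bhos(entries),
            "bare_run": find_bare_run_entries(entries)}


if __name__ == "__main__":
    for section, hits in review(SAMPLE_LOG).items():
        print(section)
        for h in hits:
            print("  ", h)
```

On the posted log this reports http://jksearch.biz/redir.php in all four page values, the two DLLs sitting directly in C:\WINDOWS, and Ati2mdxx.exe as a bare Run entry; the last of these is a perfectly ordinary ATI driver and is listed only because its path must be confirmed by hand.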

#2 JPT (Full Member, 1 post)

Posted 19 May 2004 - 05:46 PM

Hi Gmorgan. I am in the same boat as you with the same URLs. We have tried a number of anti-spyware programs which sweep through our system, proclaim "All is clear", yet when we reconnect to the net, jksearch.biz is still there. It's evil.

Watch my previous inquiry and any responses (I'm above yours a few lines).

Please update if you find a solution.


#3 Smoker02 (Full Member, 11 posts)

Posted 19 May 2004 - 07:30 PM
I also have the same problem and have asked for help through this forum. Still waiting to receive a reply. I have been looking at other posts and it seems like the same story: no matter what is tried, there is no effect.

I'm at my wits end.


#4 Gmorgan (Full Member, 5 posts)

Posted 20 May 2004 - 02:19 AM

Just to make this more complicated, it is not on my machine but on a user's from our company. He is in Australia and I am in the UK. This makes troubleshooting slightly harder, but anyway.

I just used HijackThis to clear the settings for all that point to the jksearch.biz addresses. I have thoroughly checked the HijackThis log and there does not seem to be anything wrong in there, so I just used msconfig to set it to start up in diagnostic mode and then went to Internet Properties after a reboot, and the pages had been reset already.

I am no expert on these matters, so… if no processes start to change the page and if all the plugins etc. are correct, then how can this happen? Is it possible to get your claws into IE another way??

I am looking to reinstall IE when time differences and his work load permit.

This is a real issue now as he cannot use this machine on customer site.

Any ideas would be most welcome, equally if people do not know what it is I would like to know that too so that I can gauge the level of the problem.

Thanks for all your time and efforts.

#5 idiottoo (New Member, 3 posts)

Posted 20 May 2004 - 03:03 AM

I am facing the same problem. I have been sitting at my computer for 4 hours flat now, trying to undo the problem.
I tried Ad-Aware and many other tools. I found one tool, Browser Hijack Blaster, which prevents changes made to IE settings. But it prompts you every 30 seconds and gets really annoying.

I hope someone finds a solution pretty soon... I cannot seem to locate the process which is causing this problem...

#6 idiottoo (New Member, 3 posts)

Posted 20 May 2004 - 03:37 AM

Read the reply by PGPhantom to Mag's request on this topic. Solved my problem!

#7 Gmorgan (Full Member, 5 posts)

Posted 20 May 2004 - 08:39 AM

Okay all is well.

idiottoo is quite correct. PGPhantom's reply to Mag is the answer to our issue :D
The link below takes you to it.


I found the system32.dll file in c:\windows\system32\system32.dll.
The strange thing was I could rename it; however, the problem still persisted. If I tried to delete it, however, it would not allow me. I had to use a file-in-use tool to overwrite/delete it on reboot.

Reboot, run HijackThis, set the URLs, reboot just for the sake of it, and no more hassle from the browser hijacking. I now need to sort out the connections to RUworld that netstat shows :) Anyway, that's another day's work, so thanks to PGPhantom this quest is over.




SpywareInfo Forum - Member of ASAP and UNITE