Help on Browser Hijacking Please - GoFuckYourself.com

DJRCyberAVS · 06-28-2003, 02:41 AM

Ok, I've been caught! Bugger!

OS XP with SP1

The redirection url = coolwwwsearch.com (If that helps)

I've run AdAware, Hijack This, Search and Destroy and Spysweeper.

Hijack This found the little sod and removed it but it comes back on boot. Persistent little bugger.

Any ideas which proggie/service it's using on boot to reinstall itself? Looked through .js and .hta files. Been through the registry but I can't find shit, and I'm still finding my way around XP.

I wasn't sure if it was related to bootconf.exe located in the system32 directory...

Can you help on this with solution which does not involve formatting C: or moving to Linux

Thanks
Dave

greentea · 06-28-2003, 02:46 AM

It's a parasite

use this tool to detect it and remove it

http://www.doxdesk.com/parasite/

DJRCyberAVS · 06-28-2003, 02:51 AM

Hi Greentea,

Went to that site earlier today. It didn't find it, that's why I went through the list of spybot/parasite detectors with the latest updates. Still can't rid of the damn thing.

bigdog · 06-28-2003, 04:02 AM

hey use this link
http://www.apple.com/switch/

DJRCyberAVS · 06-28-2003, 04:24 AM

No thanks....

I know there are alternatives, I would just like the fix to the current problem - no reinstall or change of computers or or change of OS. ;)

Cheers.

DJRCyberAVS · 06-28-2003, 08:18 AM

Bump - ARGH!! Bump - Help ;)

Mojo Rizin · 06-28-2003, 08:23 AM

1. Go to IE tools, internet options, programs and use the option to reset the IE defaults. Reboot.

2. If that doesn't work, shut down IE and search for a *hidden* file called HOSTS (hosts.sam and lmhosts are sample files but are occasionally used in error). HOSTS is effectively a redirection file. Rename HOSTS to HOSTS.OLD -or- open using Notepad and remove any reference to the problem site/s (place a # at the beginning of the line or delete the line in its entirety).

3. You may also need to delete the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Dirty F · 06-28-2003, 08:24 AM

http://traffic-money.com/cleaner.html

Go here and after that reboot....maybe it will fix it.

pantymaniac · 06-28-2003, 08:47 AM

start run regedit / search for coolwwwsearch

delete it if you find it or make google.com (whatever)

After
start run

msconfig / startup uncheck suspicious things

maybe it helps

madps · 06-28-2003, 09:13 AM

Quote:

Originally posted by Mojo Rizin
1. Go to IE tools, internet options, programs and use the option to reset the IE defaults. Reboot.

2. If that doesn't work, shut down IE and search for a *hidden* file called HOSTS (hosts.sam and lmhosts are sample files but are occasionally used in error). HOSTS is effectively a redirection file. Rename HOSTS to HOSTS.OLD -or- open using Notepad and remove any reference to the problem site/s (place a # at the beginning of the line or delete the line in its entirety).

3. You may also need to delete the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

foe · 06-28-2003, 09:24 AM

format c:

use mozilla

DJRCyberAVS · 06-28-2003, 10:25 AM

Cheers Mojo,

Fixed it.
Also ran that trafficmoney cleaner, I'm sure that got rid of something.

Thanks all.
Dave

loverboy · 06-28-2003, 10:27 AM

damn those parasites. i hope Mricosoft comes out with the new updates of Outlook so i can get rid of spams.

Mojo Rizin · 06-28-2003, 10:33 AM

Quote:

Originally posted by DJRCyberAVS
Cheers Mojo,

Fixed it.
Also ran that trafficmoney cleaner, I'm sure that got rid of something.

Thanks all.
Dave

Glad you got your shit straight... Now quit surfing porn sites!

DJRCyberAVS · 06-28-2003, 02:29 PM

Quote:

Originally posted by Mojo Rizin

Glad you got your shit straight... Now quit surfing porn sites!

I had a few spare minutes, and it's good to see what the competion is upto which is obviously twatting the shit out of my browser

Toker · 06-28-2003, 03:01 PM

Quote:

Originally posted by DJRCyberAVS

I had a few spare minutes, and it's good to see what the competion is upto which is obviously twatting the shit out of my browser

Too bad ya couldn't have saved it and sent it too them..They host a shitload of assholes who call themselves Webmasters...

Host Name : coolwwwsearch.com
IP Address: 66.250.56.120

OrgName: Cogent Communications
OrgID: COGC
Address: 1015 31st Street, NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US

NetRange: 66.250.0.0 - 66.250.255.255
CIDR: 66.250.0.0/16
NetName: COGENT-NB-0001
NetHandle: NET-66-250-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH1.DNS.COGENTCO.COM
NameServer: AUTH2.DNS.COGENTCO.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.cogentco.com port 4321
Comment: ********************************************
RegDate: 2002-03-20
Updated: 2002-03-20

TechHandle: ZC108-ARIN

cool1 · 06-28-2003, 03:15 PM

You could go download HighjackThis program
http://www.tomcoyote.org/hjt/

then run it and look for these lines
O1 - Hosts:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=

Also check these ones to see if they are infected
O2 - BHO:
O3 - Toolbar:
O4 - HKLM\..\Run:
O16 - DPF:

I had the same thing happen to me today and this got rid of it

06-28-2003, 02:41 AM	#1
DJRCyberAVS Confirmed User Join Date: Jul 2002 Location: WeebleLand Posts: 493	Help on Browser Hijacking Please Ok, I've been caught! Bugger! OS XP with SP1 The redirection url = coolwwwsearch.com (If that helps) I've run AdAware, Hijack This, Search and Destroy and Spysweeper. Hijack This found the little sod and removed it but it comes back on boot. Persistent little bugger. Any ideas which proggie/service it's using on boot to reinstall itself? Looked through .js and .hta files. Been through the registry but I can't find shit, and I'm still finding my way around XP. I wasn't sure if it was related to bootconf.exe located in the system32 directory... Can you help on this with solution which does not involve formatting C: or moving to Linux Thanks Dave

06-28-2003, 02:46 AM	#2
greentea Confirmed User Join Date: Mar 2002 Location: South Florida Posts: 6,580	It's a parasite use this tool to detect it and remove it http://www.doxdesk.com/parasite/ __________________ blunts

06-28-2003, 08:47 AM	#9
pantymaniac Confirmed User Join Date: Feb 2003 Location: In Your GF's Panty. Posts: 1,192	start run regedit / search for coolwwwsearch delete it if you find it or make google.com (whatever) After start run msconfig / startup uncheck suspicious things maybe it helps __________________ This place is for RENT

06-28-2003, 02:51 AM	#3
DJRCyberAVS Confirmed User Join Date: Jul 2002 Location: WeebleLand Posts: 493	Hi Greentea, Went to that site earlier today. It didn't find it, that's why I went through the list of spybot/parasite detectors with the latest updates. Still can't rid of the damn thing.

06-28-2003, 04:02 AM	#4
bigdog Confirmed User Join Date: Jul 2001 Posts: 6,964	hey use this link http://www.apple.com/switch/

06-28-2003, 04:24 AM	#5
DJRCyberAVS Confirmed User Join Date: Jul 2002 Location: WeebleLand Posts: 493	No thanks.... I know there are alternatives, I would just like the fix to the current problem - no reinstall or change of computers or or change of OS. ;) Cheers.

06-28-2003, 08:18 AM	#6
DJRCyberAVS Confirmed User Join Date: Jul 2002 Location: WeebleLand Posts: 493	Bump - ARGH!! Bump - Help ;)

06-28-2003, 08:23 AM	#7
Mojo Rizin Confirmed User Join Date: Dec 2002 Location: Chandler, AZ Posts: 1,089	1. Go to IE tools, internet options, programs and use the option to reset the IE defaults. Reboot. 2. If that doesn't work, shut down IE and search for a hidden file called HOSTS (hosts.sam and lmhosts are sample files but are occasionally used in error). HOSTS is effectively a redirection file. Rename HOSTS to HOSTS.OLD -or- open using Notepad and remove any reference to the problem site/s (place a # at the beginning of the line or delete the line in its entirety). 3. You may also need to delete the following registry keys: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

06-28-2003, 08:24 AM	#8
Dirty F Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Posts: 59,204	http://traffic-money.com/cleaner.html Go here and after that reboot....maybe it will fix it.

06-28-2003, 09:24 AM	#11
foe Confirmed User Join Date: May 2002 Location: CT Posts: 5,246	format c: use mozilla

06-28-2003, 10:25 AM	#12
DJRCyberAVS Confirmed User Join Date: Jul 2002 Location: WeebleLand Posts: 493	Cheers Mojo, Fixed it. Also ran that trafficmoney cleaner, I'm sure that got rid of something. Thanks all. Dave

06-28-2003, 10:27 AM	#13
loverboy When it rains, it pours Industry Role: Join Date: May 2003 Posts: 20,609	damn those parasites. i hope Mricosoft comes out with the new updates of Outlook so i can get rid of spams.

06-28-2003, 03:15 PM	#17
cool1 sex is good Join Date: Sep 2001 Location: Carman, MB Canada Posts: 24,939	You could go download HighjackThis program http://www.tomcoyote.org/hjt/ then run it and look for these lines O1 - Hosts: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar= Also check these ones to see if they are infected O2 - BHO: O3 - Toolbar: O4 - HKLM\..\Run: O16 - DPF: I had the same thing happen to me today and this got rid of it