Computer seems to have been hijacked by search-for-you.com
My computer seems to have been hijacked by 'search-for-you.com'. I
have all the usual adware/spyware removal tools installed plus Sophos
anti-virus but nothing seems to help in getting rid of this. Hoping
someone out there can help?
I have scanned with 'HijackThis' and removed all obvious references to
the above but would appreciate someone having a look at the remaining
log and advising what is safe to delete.
Thanks in advance
Logfile of HijackThis v1.97.7
Scan saved at 09:38:00, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Re: Computer seems to have been hijacked by search-for-you.com
Hi Angie
When you say that your computer has been hijacked by 'search-for-you.com',
what exactly do you see when you turn your PC on?
When you open internet explorer, is 'search-for-you.com' the first page you
see? If this is the case, then it is possible that your Home Page has been
set to point to this page. To correct this problem, simply follow these
steps:
1) open Internet Explorer
2) Click on the 'tools' option in the menu bar at the top of the internet
explorer window
3) Click on 'internet options ...' in the drop down menu. A new window will
open displaying your internet options.
4) At the top of this window, you will see an area labelled 'Home page'.
This area contains the address of the default page you will see when you
open internet explorer. You can set this to anything you want (www.msn.com
for example) or can click on 'Use Default' to return it to the default page.
5) Click 'OK' to close the window
6) close internet explorer
I hope this helps!
--
Alan Muller
Software Design Engineer in Test
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Angie" <angie.long@ntlworld.com> wrote in message
news:7e97a04b.0407080056.489d147e@posting.google.com...
> My computer seems to have been hijacked by 'search-for-you.com'. I
> have all the usual adware/spyware removal tools installed plus Sophos
> anti-virus but nothing seems to help in getting rid of this. Hoping
> someone out there can help?
> I have scanned with 'HijackThis' and removed all obvious references to
> the above but would appreciate someone having a look at the remaining
> log and advising what is safe to delete.
> Thanks in advance
>
> Logfile of HijackThis v1.97.7
> Scan saved at 09:38:00, on 08/07/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\System32\Ati2evxx.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\htpatch.exe
> C:\WINDOWS\Dit.exe
> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> C:\Program Files\Common Files\Microsoft Shared\Works
> Shared\WkUFind.exe
> C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
> C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
> C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
> C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
> C:\WINDOWS\System32\ctfmon.exe
> C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
> C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
> C:\WINDOWS\DitExp.exe
> C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
> C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
> C:\WINDOWS\system32\drivers\KodakCCS.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\WINDOWS\System32\ScsiAccess.EXE
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
> C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
> C:\WINDOWS\system32\ZoneLabs\vsmon.exe
> C:\Program Files\RealVNC\WinVNC\WinVNC.exe
> C:\WINDOWS\System32\taskmgr.exe
> C:\Program Files\Opera7\opera.exe
> C:\Documents and Settings\Angela\My Documents\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyOverride = localhost
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
> http://www.aldi.com/
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
> O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
> c:\windows\googletoolbar1.dll
> O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10}
> - (no file)
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
> c:\windows\googletoolbar1.dll
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
> C:\WINDOWS\System32\msdxm.ocx
> O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
> O4 - HKLM\..\Run: [Dit] Dit.exe
> O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
> -CheckReg
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
> Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
> Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
> Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
> O4 - HKLM\..\Run: [WinVNC] "C:\Program
> Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
> O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE
> /AUTORUN
> O4 - HKLM\..\Run: [RegisterDropHandler]
> C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
> O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
> O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate
> Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
> O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
> Control Panel\atiptaxx.exe
> O4 - HKLM\..\Run: [ntldr] C:\WINDOWS\System32\ntldr.exe
> O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
> Labs\ZoneAlarm\zlclient.exe"
> O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
> /STARTUP
> O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
> Files\Java\j2re1.4.2_04\bin\jusched.exe
> O4 - HKLM\..\RunServices: [RegisterDropHandler]
> C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
> O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
> ActiveSync\WCESCOMM.EXE"
> O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos
> SWEEP for NT\ICMON.EXE
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O8 - Extra context menu item: &Google Search -
> res://c:\windows\GoogleToolbar1.dll/cmsearch.html
> O8 - Extra context menu item: Backward &Links -
> res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
> O8 - Extra context menu item: Cac&hed Snapshot of Page -
> res://c:\windows\GoogleToolbar1.dll/cmcache.html
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
> O8 - Extra context menu item: Si&milar Pages -
> res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
> O8 - Extra context menu item: Translate into English -
> res://c:\windows\GoogleToolbar1.dll/cmtrans.html
> O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
> O9 - Extra button: Create Mobile Favorite (HKLM)
> O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
> O9 - Extra button: GetMP3 (HKLM)
> O9 - Extra button: Real.com (HKLM)
> O9 - Extra button: Money Viewer (HKLM)
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Messenger (HKLM)
> O12 - Plugin for .mid: C:\Program Files\Internet
> Explorer\PLUGINS\npqtplugin2.dll
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O16 - DPF: {11111111-1111-1111-1111-111111111123} -
> ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/111.chm::/file.exe
> O16 - DPF: {13112111-1224-1141-1451-111111113533} -
> file://c:\temp\setup1.exe
> O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
> http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
> O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
> http://office.microsoft.com/productu...ntent/opuc.cab
> O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
> http://acceso.masminutos.com/laaplicacion.cab
> O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
> http://toolbar.google.com/data/GoogleActivate.cab
> O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
> http://v4.windowsupdate.microsoft.co...139.4361574074
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
> Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
> O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office
> Tools on the Web Control) -
> http://officeupdate.microsoft.com/Te...loads/outc.cab
> O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class)
> - http://www2.incredimail.com/contents...r/imloader.cab
> O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
> hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
> O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
> hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
> O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
> hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
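As an added example, not part of this thread: a small Python parser for the HijackThis line formats seen in the quoted log (R0/R1, O4 and O16), which also re-joins entries that were wrapped across lines when the log was pasted into the newsgroup reply. It lists every entry that mentions a given host (the check Angie describes doing by hand for search-for-you.com) and flags O16 "Download Program Files" entries whose location is not an http(s) URL, which is the kind of entry worth a closer look when reviewing such a log. The sample log is constructed for the example: its R0 Start Page line is invented, and the other lines mirror entries in the quoted log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in HijackThis v1.97 format. Lines carry the "> " quote
# prefix of a newsgroup reply and one entry is wrapped over two lines, as in
# the thread. The R0 line is made up for this example; the rest mirror
# entries from the quoted log.
SAMPLE_LOG = r"""
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-for-you.com/
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.aldi.com/
> O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
> O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
> Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
> O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/111.chm::/file.exe
> O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
> O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                    # "<code> - <body>"
O4_RE = re.compile(r"^(.+?): \[([^\]]*)\] (.*)$")                 # "<key>: [<name>] <command>"
O16_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]+)\}(?: \(([^)]*)\))? - (\S+)$")
R_RE = re.compile(r"^(.+?),(.+?) = (.*)$")                        # "<key>,<value> = <data>"
WEB_SCHEMES = {"http", "https"}


@dataclass
class Entry:
    code: str                     # section code: R0, R1, O4, O16, ...
    body: str                     # text after "<code> - ", unwrapped
    fields: Dict[str, str] = field(default_factory=dict)


def unquote(line: str) -> str:
    """Strip one or more newsgroup quote prefixes ('>' plus spaces)."""
    return re.sub(r"^(?:>\s*)+", "", line).rstrip()


def _split_fields(e: Entry) -> Dict[str, str]:
    """Break the body of an entry into named fields for the formats handled."""
    if e.code == "O4":
        m = O4_RE.match(e.body)
        if m:
            return {"where": m.group(1), "name": m.group(2), "command": m.group(3)}
    elif e.code == "O16":
        m = O16_RE.match(e.body)
        if m:
            return {"clsid": m.group(1), "name": m.group(2) or "", "url": m.group(3)}
    elif e.code.startswith("R"):
        m = R_RE.match(e.body)
        if m:
            return {"key": m.group(1), "value": m.group(2), "data": m.group(3)}
    return {}


def parse_log(text: str) -> List[Entry]:
    """Parse pasted HijackThis text; header and process-list lines before the
    first section entry are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = unquote(raw)
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif entries:
            # Continuation of a wrapped entry. Newsgroup wrapping breaks at a
            # space, so re-join with one; a token split mid-word would need
            # manual repair.
            entries[-1].body += " " + line
    for e in entries:
        e.fields = _split_fields(e)
    return entries


def find_host_references(entries: List[Entry], host: str) -> List[Entry]:
    """Every entry whose text mentions the host (e.g. a hijacked home page in
    an R0/R1 entry, or a DPF download from that host)."""
    needle = host.lower()
    return [e for e in entries if needle in e.body.lower()]


def flag_o16(entries: List[Entry]) -> List[str]:
    """Report O16 entries whose download location is not an http(s) URL,
    such as ms-its: or file: locations."""
    reasons = []
    for e in entries:
        if e.code != "O16" or "url" not in e.fields:
            continue
        scheme = e.fields["url"].split(":", 1)[0].lower()
        if scheme not in WEB_SCHEMES:
            reasons.append(f"O16 {{{e.fields['clsid']}}}: non-web location scheme '{scheme}:'")
    return reasons


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for hit in find_host_references(parsed, "search-for-you.com"):
        print("mentions host:", hit.code, hit.body)
    for reason in flag_o16(parsed):
        print("check:", reason)
```

Run it as a script, or call parse_log() on the pasted text of a reply. Because entries are recognised by their section code, the "Running processes:" list and the log header are skipped, and any line without a code is treated as the tail of the entry above it.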
Re: Computer seems to have been hijacked by search-for-you.com
Alan thanks for the reply. My home page was always set to Google but a
couple of weeks ago this was automatically changed. I have reset it
countless times and deleted everything in the registry that I can find
that relates to this search-for-you.com but it keeps coming back! I'm
not a novice as far as computers go but I don't want to mess with the
registry too much. I just feel that I must have some trojan that has
stuck something somewhere that I can't find (hence the log I posted).
I have checked my Hosts file and there seems nothing untoward there.
Any further help would be greatly appreciated.